Apple has touted the Mac’s resistance to viruses for decades as a selling point over Windows PCs, but a team of researchers have created a new firmware worm for Mac that might just make you want to go back to doing work on good old pencil and paper.
Two white-hat hackers discovered that several vulnerabilities affecting PC makers can also bypass Apple’s renowned security to wreak havoc on Mac firmware. The two created a proof-of-concept of the worm called Thunderstrike 2 that allows firmware attacks to be spread automatically from Mac to Mac. Devices don’t even need to be networked for the worm to spread, and once it’s infected your machine the only way to remove it is to open up your Mac and manually reflash the chip.
Here’s a preview of Thunderstrike 2 in action:
Thunderstrike 2 can remain hidden because it doesn’t even touch your Mac’s operating system or file system. By only living in the firmware, scanners can’t detect it, so you’ll never know your Mac’s infected (until something goes terribly wrong).
To deliver the Thunderstrike 2 worm, an attacker could send it through a phishing email or plug an infected peripheral into your USB port or ethernet adapter. Once a machine is booted with a worm-infected device inserted, the machine loads the option ROM from the device, which triggers the process for the worm to write its malicious code to the boot flash firmware.
Xeno Kovah and Trammell Hudson, the two researchers who discovered the flaw and created the Thunderstrike 2 worm, plan to discuss their findings August 6 at the Black Hat security conference in Las Vegas.
Apple hasn’t released a statement on the worm yet, but the company acknowledged Thunderstrike six months ago and released a fix to the vulnerabilities. Hopefully there’s a new patch on the way for Thunderstrike 2 before some not-so-nice hackers start using it.
Source: Wired
Buster Hein is a freelance writer who lives in Phoenix, Arizona. Twitter: @bst3r.
13 responses to “Thunderstrike 2 worm can infect your Mac without detection”
What if I am on Hackintosh ?
So one has to be dumb enough to fall for a phishing email OR the attacker must have physical access to your Mac.
This is hardly a big threat except for morons.
Well an infected device could also do it so it’s hardly just the usual gang of idiots.
I disagree. Insider threat is the biggest problem for computer networks today.
75% mor…err old folks actually fall for this prey. “Free trip for two to Paris by opening this email right now.”
“Thunderstrike 2 worm can infect your Mac without detection”
Slow news Monday means trot out another highly unlikely scenario to make people worried. Your key sentence in the whole piece is this: “Apple … acknowledged Thunderstrike six months ago and released a fix to the vulnerabilities.” Quite sure they will do exactly the same for this. Until then, unplug all devices, stand under the cone of silence, and do •not• go out of the house!
“Devices don’t even need to be networked for the worm to spread”
That is an irrational thing to say!?!
If a computer isn’t networked (either locally or to the Internet) it is impossible to receive any malware, unless you purposely install it on your computer by connecting a disk or drive, and running the hack off that.
Also, for anyone to install a firmware hack, you must have physical access to the computer, or trick the admin into installing the new firmware onto their own computer themselves.
Incorrect. Connecting a thunderbolt adapter is all that is required for this infection, a thunderbolt adapter is not even remotely considered a disk or a drive in the traditional sense.
If you were actually trying to describe connecting any sort of peripheral device then theres more bad news, similar attacks (less contagious and much less threatening) have been developed for Near field communication (NFC) devices.
another article on this I have read stated that the proof of concept they developed required root access. So not only would someone have to be dumb enough to fall for a phishing attack or an infected device, they’d have to also be dumb enough to give away their password thereafter.
The only way to “get infected” is to boot your machine from malicious external storage. How could it be called as a “worm” since you’ve to infect devices one by one manually ?
It’s considered a worm as it can be spread autonomously.. But is a thunderbolt adapter which has not been physically modified in any way and is sold by the same company as the computer really considered malicious external storage?
Whoa
Good