Thunderstrike 2: World’s First Firmware Worm That Infects Mac Computers Without Detection

If you think Apple’s Mac computers are much more secure than Windows-powered systems, you need to think again. This isn’t true, and security researchers have finally proved it.
Two security researchers have developed the first proof-of-concept computer worm that can spread automatically between MacBooks without any need for them to be networked.
Dubbed Thunderstrike 2, the new proof-of-concept firmware attack is inspired by previously developed proof-of-concept firmware called Thunderstrike.
The original Thunderstrike attack, developed by security engineer Trammell Hudson, took advantage of a vulnerability in the Thunderbolt Option ROM that could be used to infect Apple's Extensible Firmware Interface (EFI) by writing malicious code into the boot ROM of an Apple computer through infected Thunderbolt devices.
Thunderstrike 2 Spreads Remotely
Although the original Thunderstrike attack required the attacker to have physical access to the Mac, the new attack can be delivered remotely.
Thunderstrike 2 can be delivered via phishing emails and malicious websites, as well as through a peripheral connected to the Ethernet port or USB.
Once downloaded onto a computer, Thunderstrike 2 can infect Thunderbolt-connected accessories that use an Option ROM. From there, the malware can automatically spread to any Mac that the accessory is plugged into.
Thunderstrike 2 was developed by two security researchers, Trammell Hudson and Xeno Kovah of the firmware security consultancy LegbaCore. The researchers have also demonstrated the attack in a video.
Infects Mac Computers Without Detection
Because Thunderstrike 2 targets and lives in the firmware, it survives even a full system reboot, which makes it a real pain for Mac users.
“Thunderstrike 2 is really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” Kovah told Wired.
“For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”
Many of the firmware vulnerabilities the researchers used to build Thunderstrike 2 are common to most EFI firmware. A total of six vulnerabilities affected PCs from Dell, HP, Lenovo, Samsung, and others.
Five firmware vulnerabilities also affected the Mac's firmware; of those, Apple has fully patched one flaw, partially patched another, and has not patched the rest.
The researchers plan to present their findings at the Black Hat and Def Con security conferences in Las Vegas this week.

DeeDee Barker

Writer at The Pluto Daily
Writer/Design/Editor. Born in New Orleans but raised in Philly. DeeDee has been with the Pluto Daily since June 2014.