Thunderstrike 2, the first firmware-based Mac worm is genuinely scary and almost undetectable

Security researchers have created a worm that could enable a firmware attack to spread undetected on MacBooks without them even being connected to a network. Called Thunderstrike 2, the new worm is extremely difficult to detect because it never touches system files or the OS X operating system, so security software that scans the disk for malicious code has nothing to find.

Thunderstrike 2 spreads itself by hitching a ride on Thunderbolt-connected accessories that use Option ROMs, and it can infect any Mac the accessory is connected to during the boot process. The infected Mac could then pass the malware to other accessories, which could in turn infect other computers. Xeno Kovah and Trammell Hudson, the worm’s developers and security analysts at Two Sigma Investments, state that firmware worms can survive on a system even after the computer has been fully erased and the operating system has been completely reinstalled.


“Let’s say you’re running a uranium refining centrifuge plant and you don’t have it connected to any networks, but people bring laptops into it and perhaps they share Ethernet adapters or external SSDs to bring data in and out,” Xeno Kovah, one of the firmware security consultants that developed the worm, told Wired. “Those SSDs have option ROMs that could potentially carry this sort of infection. Perhaps because it’s a secure environment they don’t use WiFi, so they have Ethernet adapters. Those adapters also have option ROMs that can carry this malicious firmware.”

Thunderstrike 2 is named after the original Thunderstrike virus, which was shown off at the Chaos Computer Congress in Germany earlier this year. The original Thunderstrike also targeted Mac firmware and could not be detected, just like its successor. However, it required physical access to the machine via Thunderbolt peripherals, while Thunderstrike 2 can also be delivered remotely.

In total, the researchers said they discovered five vulnerabilities in Apple’s firmware. These vulnerabilities enabled the researchers to design the dangerous worm. Apple acknowledged Thunderstrike over six months ago and addressed the vulnerabilities, so there’s much hope that it will patch the new vulnerabilities that Thunderstrike 2 targets, too.

The team plans to present its research at the Black Hat and Def Con security conferences in Las Vegas this week.
