
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,548
30,868



A team of researchers has created the first firmware worm that's able to infect Macs, reports Wired. Building on "Thunderstrike" exploits uncovered earlier this year, the worm, dubbed "Thunderstrike 2," infects Macs at the firmware level, making it nearly impossible to remove. Embedded into firmware, malware is resistant to firmware and software updates, able to block them entirely or reinstall itself at will.

The worm was created by security engineer Trammell Hudson, who first discovered the Thunderstrike exploits, and Xeno Kovah, owner of firmware security consultancy LegbaCore. When Thunderstrike made waves earlier this year, it was a limited proof-of-concept attack with no known presence in the wild, but Thunderstrike 2 demonstrates a real-world worm able to target Macs using the same general vulnerabilities.


Thunderstrike 2, unlike the first demonstration of Thunderstrike, is able to infect a Mac remotely through a malicious website or email. Once on a Mac, it's able to spread itself to other Macs by hiding in the option ROM of peripheral devices like Apple's own Thunderbolt to Gigabit Ethernet adapter, external SSDs, RAID controllers, and more. Once infected by a Mac that has the Thunderstrike 2 worm, the peripheral would go on to infect any other Mac it connects to.

"People are unaware that these small cheap devices can actually infect their firmware," says Kovah. "You could get a worm started all around the world that's spreading very low and slow. If people don't have awareness that attacks can be happening at this level then they're going to have their guard down and an attack will be able to completely subvert their system."

Removing malware embedded into a Mac's firmware would need to be done at the hardware level, making it particularly dangerous. According to the researchers, Apple has not done enough to fix the vulnerabilities that leave Macs open to these kinds of attacks.

"Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware," Kovah notes. "Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security."

Kovah and Hudson have notified Apple about the Thunderstrike 2 vulnerabilities, but thus far, Apple's only fixed one of five security flaws and introduced a partial fix for a second. Three of the vulnerabilities have not yet been patched, but it's likely Apple is working to get the flaws fixed in an upcoming security update.

More information on Kovah and Hudson's research and the Thunderstrike 2 exploit can be found in a lengthy report over at Wired.

Article Link: First Firmware Worm Able to Infect Macs Created by Researchers
 

midwife99

macrumors newbie
Aug 3, 2015
1
0



This is dated 2001, is it something new?
 

Paul Simon

macrumors newbie
Jun 3, 2015
17
57
And only these guys can do it with nothing that I've seen so far to back up their claims that other companies are heeding their grave warnings. Self-aggrandizing people.
 

macduke

macrumors G5
Jun 27, 2007
13,142
19,682
Of all the alleged Mac "hacks" that have surfaced over the years, this is the only one that has seemed to be a legitimate concern to me. The other hacks usually required direct access to your computer or installing some shady torrent software after putting in an admin password. This thing can be remotely installed from a website and can't be wiped. Sure, don't visit a shady website you say. But if a web server is compromised in some other way and this hack is installed, you could get it from nearly anywhere. This is bad.
 

Dargoth

macrumors regular
Oct 27, 2014
242
372
midwife99 said: "This is dated 2001, is it something new?"
Couldn't be. There was no Thunderbolt back then.

Well, this seems to require a malicious website or email to get onto your computer in the first place, which almost certainly would require the download of a file or attachment for execution. I'm not worried by this.
 

mainstreetmark

macrumors 68020
May 7, 2003
2,228
293
Saint Augustine, FL
Well, that wasn't very uplifting news. If you get infected, you have to replace your Mac and all your cables?

Is it at least possible to make a TS2 killer that lives on some other TB cable, that uses the same exploits, but gets rid of the bad payload?
 

AngerDanger

Graphics
Staff member
Dec 9, 2008
5,452
29,003
I wish there was a chart or enumeration of Macs that can be affected by this. This article and the one on WIRED only mention MacBooks for some reason, but this would presumably affect desktop Macs as well. Also, what about computers that don't have Thunderbolt ports? :confused:
 

brinary001

Suspended
Sep 4, 2012
991
1,134
Midwest, USA
I was talking to a buddy of mine the other day about Macs and their vulnerabilities. There are more of them than people think. Nothing is safe anymore. And better than any security program is your awareness and looking over your digital shoulder now and then.
 

marco114

macrumors 6502
Jul 17, 2001
426
402
USA
It's crazy that someone has this kind of time on their hands. I'd love to hire them to work on my latest app design, but they are busy hacking away at the Mac.
 