“A security researcher has discovered a way to infect Macs with malware virtually undetectable and that ‘can’t be removed,’” Adrian Kingsley-Hughes reports for ZDNet. “The attack, which has been called Thunderstrike, installs the malicious code into the Boot ROM of the system via the Thunderbolt port.”
“Trammell Hudson, who works for hedge fund Two Sigma Investments and is also the creator of the Magic Lantern open-source programming environment for Canon DSLRs, discovered the vulnerability after his employer asked him to look into the security of Apple notebooks,” Kingsley-Hughes reports. “After initially discovering that the Boot ROM could be tampered with if the notebook was physically dismantled to give access to the chip soldered onto the motherboard, he then refined this technique so the attack could be carried out via the system’s Thunderbolt port. ‘It turns out that the Thunderbolt port gives us a way to get code running when the system boots,’ wrote Hudson. ‘Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run.’”
“And once it is on your system, it is incredibly hard to remove,” Kingsley-Hughes reports. “Fortunately, Hudson reports that Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port. However, this update would not protect the system from having the Boot ROM tampered with directly.”
MacDailyNews Take: Much ado about pretty much nothing, unless you’re 007 or something, in which case you shouldn’t be leaving your MacBook unguarded with the maid or anybody else. This is a good thing because it leads directly to Apple hardening the Thunderbolt port.
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015