Macs vulnerable to virtually undetectable malware that ‘can’t be removed’, but physical access is required

“A security researcher has discovered a way to infect Macs with malware that is virtually undetectable and that ‘can’t be removed’,” Adrian Kingsley-Hughes reports for ZDNet. “The attack, which has been called Thunderstrike, installs the malicious code into the Boot ROM of the system via the Thunderbolt port.”

“Trammell Hudson, who works for hedge fund Two Sigma Investments and is also the creator of the Magic Lantern open-source programming environment for Canon DSLRs, discovered the vulnerability after his employer asked him to look into the security of Apple notebooks,” Kingsley-Hughes reports. “After initially discovering that the Boot ROM could be tampered with if the notebook was physically dismantled to give access to the chip soldered onto the motherboard, he then refined this technique so the attack could be carried out via the system’s Thunderbolt port. ‘It turns out that the Thunderbolt port gives us a way to get code running when the system boots,’ wrote Hudson. ‘Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run.’”

“And once it is on your system, it is incredibly hard to remove,” Kingsley-Hughes reports. “Fortunately, Hudson reports that Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port. However, this update would not protect the system from having the Boot ROM tampered with directly.”
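The mechanism Hudson describes is the ordinary PCI expansion ROM path: during boot the EFI firmware walks each PCIe device (a Thunderbolt device is just PCIe on a cable), reads the device's expansion ROM, and executes any image whose PCI Data Structure says it is EFI code. The parser below, an added example that is not code from ZDNet, Hudson or Apple, walks that image chain and reports what a firmware would find: vendor and device IDs, code type, image length, and for EFI images the EFI header fields. Field offsets follow the PCI Firmware Specification (the "PCIR" structure) and the UEFI specification's EFI Option ROM header. The sample ROM is constructed inline with placeholder vendor/device IDs; it is not a dump from real hardware.

```python
"""Walk a PCI expansion (Option) ROM image chain and report each image.

Added example for this page; not code from ZDNet, Trammell Hudson or
Apple. Field offsets follow the PCI Firmware Specification ("PCIR" data
structure) and the UEFI specification's EFI Option ROM header. The
sample ROM below is constructed inline; the vendor/device IDs in it are
placeholders, not a real device.
"""
import struct

ROM_SIGNATURE = b"\x55\xAA"    # every image starts with 55 AA
PCIR_SIGNATURE = b"PCIR"       # PCI Data Structure, pointed to by ROM offset 0x18
EFI_ROM_SIGNATURE = 0x0EF1     # at ROM offset 0x04 in an EFI image
CODE_TYPE_EFI = 3
CODE_TYPES = {0: "x86 PC-AT (legacy BIOS)", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def parse_option_rom(rom: bytes) -> list:
    """Return one dict per image in the chain, in the order firmware walks them."""
    images = []
    offset = 0
    while offset + 0x1A <= len(rom):
        if rom[offset:offset + 2] != ROM_SIGNATURE:
            raise ValueError("no 55AA ROM signature at offset 0x%x" % offset)
        pcir = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
        if rom[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError("no PCIR structure for image at offset 0x%x" % offset)
        vendor, device = struct.unpack_from("<HH", rom, pcir + 0x04)
        class_code = int.from_bytes(rom[pcir + 0x0D:pcir + 0x10], "little")
        image_len = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type = rom[pcir + 0x14]
        last = bool(rom[pcir + 0x15] & 0x80)   # indicator bit 7: last image in chain
        image = {
            "offset": offset, "length": image_len, "vendor_id": vendor,
            "device_id": device, "class_code": class_code, "code_type": code_type,
            "code_type_name": CODE_TYPES.get(code_type, "unknown"), "last": last,
        }
        if code_type == CODE_TYPE_EFI:
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", rom, offset + 0x04)
            image.update({
                "efi_signature_ok": efi_sig == EFI_ROM_SIGNATURE,
                "efi_subsystem": subsystem,          # 0x0B = EFI boot service driver
                "efi_machine": machine,              # 0x8664 = x64
                "efi_compressed": compression == 1,
                "efi_image_offset": struct.unpack_from("<H", rom, offset + 0x16)[0],
            })
        images.append(image)
        if last or image_len == 0:
            break
        offset += image_len
    return images


def has_efi_image(rom: bytes) -> bool:
    """True if the chain carries an image that an EFI firmware would run at boot."""
    return any(i["code_type"] == CODE_TYPE_EFI and i.get("efi_signature_ok")
               for i in parse_option_rom(rom))


def build_image(code_type, vendor, device, size_units, last):
    """Construct a minimal, spec-shaped image (sample data for this example, not firmware)."""
    img = bytearray(size_units * 512)
    img[0:2] = ROM_SIGNATURE
    img[2] = size_units                         # initialization size, 512-byte units
    pcir = 0x40
    struct.pack_into("<H", img, 0x18, pcir)
    if code_type == CODE_TYPE_EFI:
        struct.pack_into("<IHHH", img, 0x04, EFI_ROM_SIGNATURE, 0x0B, 0x8664, 0)
        struct.pack_into("<H", img, 0x16, 0x100)    # EFI image body would start here
    else:
        img[3] = 0xCB                           # legacy entry point: 'retf' placeholder
    img[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", img, pcir + 0x04, vendor, device)
    struct.pack_into("<H", img, pcir + 0x0A, 0x18)  # PCIR structure length
    img[pcir + 0x0C] = 3                            # PCIR revision
    img[pcir + 0x0D:pcir + 0x10] = bytes([0x00, 0x00, 0x02])   # class 0x020000: Ethernet
    struct.pack_into("<H", img, pcir + 0x10, size_units)
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    return bytes(img)


# Constructed sample: a legacy BIOS image followed by an EFI driver image (placeholder IDs).
SAMPLE_ROM = (build_image(0, 0x1234, 0x5678, 2, last=False)
              + build_image(CODE_TYPE_EFI, 0x1234, 0x5678, 4, last=True))

if __name__ == "__main__":
    for img in parse_option_rom(SAMPLE_ROM):
        print("0x%05x %-24s %04x:%04x %6d bytes%s" % (
            img["offset"], img["code_type_name"], img["vendor_id"], img["device_id"],
            img["length"], "  (last)" if img["last"] else ""))
    print("EFI image present:", has_efi_image(SAMPLE_ROM))
```

On a Linux host the same parser can be pointed at a real device's ROM (enable it with `echo 1 > /sys/bus/pci/devices/<bdf>/rom`, then read that file) to see exactly which images a firmware would execute for an attached Thunderbolt peripheral. The caveat a practitioner should keep in mind: an EFI image in the chain is normal for GPUs, NICs and storage controllers, so presence alone proves nothing; the useful check is comparing the dumped image against the vendor's published ROM or a known-good hash, which is the verification Apple's firmware, not this script, has to enforce.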

Read more in the full article here.

MacDailyNews Take: Much ado about pretty much nothing, unless you’re 007 or something, in which case you shouldn’t be leaving your MacBook unguarded with the maid or anybody else. This is a good thing because it leads directly to Apple hardening the Thunderbolt port.

Related article:
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015

25 Comments

  1. News Flash: According to Braindead Analysts, unauthorized dismantling of your Mac can lead to the installation of explosives capable of blowing up your house. A spokesman for the company recommends that all Mac users get rid of their computers immediately.

  2. Windows’ latest security hole
    Google is putting pressure on Microsoft to fix a security flaw in Windows, said Chris Welch in TheVerge.com. Google’s security research team revealed last week that a flaw in Microsoft’s Windows 8.1 software “allows low-level users to gain administrator privileges” on Windows machines. But Google’s decision to go public came with “one big problem: There was no fix from Microsoft.” That means some Windows customers—especially business users—face “a legitimate threat” from users who wish to exploit the vulnerability. Microsoft, which has known about the flaw since September, says a software update is now on the way.

    Guess I must have missed all the “Microsoft is Doomed” press releases about this? Oh, it isn’t Apple! /s

  3. I don’t get this. The claim: you can plug an infected device into your Mac, and the Mac’s firmware will be rewritten with a new “key” which can’t be removed. However, the makers of the malformed firmware could update it because they have the key.

    How is it that these hackers, with their ill spying firmware, are supposed to be much better than Apple, where they can bypass Apple’s own security, wiping and overwriting their key and firmware signatures, but Apple could not come back and do the same?

    Why couldn’t Apple just change their firmware to prevent this type of attack?

    To me it seems there’s a logical problem with the researcher’s announcement. It smacks of F.U.D. + government & corporate espionage. Anyway, I can’t see this as being particularly critical, but it’s all beyond me, from an engineer’s point of view.

    1. Apple can/will. The most likely solution will be that all TB hardware will have to be certified / keyed by Apple and enabled by firmware update from Apple.

      If their hardware cert process is as smooth as their App Store process, they’ll be effectively locking out all but the biggest manufacturers and thunderbolt as a platform will be stifled.

      Bummer.

  4. Thanks for the heads up!

    I put a glob of epoxy over each of the screws on my laptop and glued a Thunderbolt plug into the jack and broke it off. Now I feel much safer.

      1. USB doesn’t have direct memory access to the “core” of the system like Thunderbolt and FireWire before it, though. TB and FW are like external PCI access: maximum possible speed with minimal overhead.

          1. I didn’t dismiss the fact USB can hijack a computer, just that (by design anyway, unless it’s changed recently) USB is not supposed to be direct-linked to system memory the way TB, FW and PCI are.

            Granted it’s a meaningless distinction for non-technical users, the same way trojan horses technically aren’t viruses. Both are malware of course.

            Obviously there are serious flaws in USB from the more benign (no signed device IDs needed, which let Palm spoof their devices as iPods) to the very serious (USB devices attacking connected devices), that need to be addressed.

  5. This headline is really over-the-top drama over nothing. Physical access to anyone’s computer is hard in itself. Breaking into a password-protected Admin account isn’t an easy task either. And whoever it was would have to know you really well to even want to attempt something like this. Really comes down to the 007 spy stuff which 99.9% of us are not going to be affected by. Yes, it may be possible, but Windows machines would be more easily affected than any Macs out there. Try making up B.S. about them, because this story is really bad!

    1. It is still notable in that it may result in people being more careful about the origins of the peripherals they purchase for their Macs. It is entirely possible for users to do it to themselves without any knowledge by buying ‘infected’ hardware.
