Researchers have created a worm that can infect Mac firmware



    A few months ago, researcher Trammell Hudson created an exploit called Thunderstrike that could infect Mac computers through devices connected via the Thunderbolt connector. When new devices were connected to an infected computer, the worm wrote itself onto them, so other machines were endangered as well.

    Apple fixed the vulnerability in OS X version 10.10.2; however, according to Wired, Hudson and another security researcher, Xeno Kovah, have developed a new version of the exploit and published a bootkit and worm that infects Mac computers.



    Like its predecessor, Thunderstrike 2 spreads mainly through infected Thunderbolt devices. Unlike the first version of the worm, however, an attacker no longer needs physical access to the computer to carry out the attack.

    According to the researchers, the malware can reach a computer through a "phishing email message or a special site." Once on the computer, the worm infects peripherals that carry an Option ROM (for example, a Thunderbolt-to-Gigabit-Ethernet adapter, an external SSD or even a RAID controller). Once written to such a device, the worm can attack any Mac the device is later connected to.

    The main danger of malware operating at the firmware level is that current anti-virus software and other security tools focus on RAM and on files stored on the computer, so a worm like Thunderstrike 2 is extremely hard to detect. At the same time, the nature of the attack makes it possible to carry it out even against devices that are not connected to the Internet, says Kovah:

    Suppose you have a centrifuge plant for processing uranium, which, of course, is not connected to any networks. But people bring in their laptops or external drives, and may connect them to the internal network via Ethernet to transfer data. These SSDs have an Option ROM that could potentially be infected. If we are talking about a well-protected network, WiFi is hardly used there; everything is connected via Ethernet adapters. They also have Option ROMs, whose firmware may be infected.

    The researcher recalls the famous Stuxnet worm, which attacked Iranian nuclear facilities and spread via USB sticks (we published a study of vulnerabilities in industrial control systems). At that time the attackers used zero-day vulnerabilities in Windows, which left specialists with ways to track the attack. “Everyone knows where to look in such cases,” says Kovah. But a worm in the firmware is a different matter, because the firmware itself controls what the operating system sees of it (which means the worm can intercept the corresponding requests and respond with “clean” copies of the code).

    Firmware manufacturers could improve the security of their products if they began to cryptographically sign firmware and its updates; in addition, devices running that firmware should be able to verify those signatures. A physical read/write switch to prevent unauthorized flashing of the firmware would not hurt either. However, this would protect against lone hackers but not against specialists working for powerful intelligence agencies, who can simply steal the manufacturer's signing key and sign their malicious code with it. Earlier, the press reported that the US National Security Agency was actively working on hacking various firmware.

    The researchers propose that manufacturers add the ability to verify a checksum, which would show whether the firmware has changed since it was installed on the computer. However, vendors are unlikely to do anything of the sort, since such innovations would require significant changes to system architecture, and users for the moment have not yet realized that they need to think about firmware security.
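    As an added example (not code from the article or from the researchers), the following Python performs the kind of integrity check described above on a PCI Option ROM dump: it parses the expansion ROM header and PCIR structure, verifies the legacy image checksum, and compares the image's SHA-256 against a known-good baseline recorded at installation time. The ROM image and its vendor and device IDs are constructed for the example.

```python
import hashlib
import struct

PCIR_OFFSET = 0x40  # where the constructed sample places its PCI data structure

def build_sample_rom() -> bytes:
    """Constructed 512-byte legacy (x86) PCI expansion ROM image with a valid
    header, a PCIR structure and a correct checksum byte. The vendor and
    device IDs are made up for this example."""
    rom = bytearray(512)
    rom[0:2] = b"\x55\xaa"                                        # ROM signature
    rom[2] = 1                                                    # size in 512-byte units
    struct.pack_into("<H", rom, 0x18, PCIR_OFFSET)                # pointer to PCIR
    rom[PCIR_OFFSET:PCIR_OFFSET + 4] = b"PCIR"
    struct.pack_into("<HH", rom, PCIR_OFFSET + 4, 0x1234, 0x5678)  # vendor, device
    struct.pack_into("<H", rom, PCIR_OFFSET + 0x0A, 0x18)         # PCIR length
    struct.pack_into("<H", rom, PCIR_OFFSET + 0x10, 1)            # image length (512-byte units)
    rom[PCIR_OFFSET + 0x14] = 0                                   # code type 0 = x86 legacy
    rom[PCIR_OFFSET + 0x15] = 0x80                                # bit 7: last image in ROM
    rom[-1] = (-sum(rom[:-1])) & 0xFF                             # byte sum must be 0 mod 256
    return bytes(rom)

def parse_option_rom(rom: bytes) -> list:
    """Walk each image in a PCI expansion ROM and return its header fields plus
    whether the legacy checksum holds. Raises ValueError on a malformed header."""
    images, off = [], 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"bad ROM signature at 0x{off:x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"missing PCIR structure at 0x{pcir:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        if length == 0 or off + length > len(rom):
            raise ValueError("image length outside ROM")
        code_type, last = rom[pcir + 0x14], bool(rom[pcir + 0x15] & 0x80)
        image = rom[off:off + length]
        # Legacy x86 images must sum to zero mod 256; this only proves the image
        # is self-consistent, so the hash baseline below is the real tamper check.
        images.append({"vendor_id": vendor, "device_id": device, "code_type": code_type,
                       "checksum_ok": code_type != 0 or sum(image) % 256 == 0})
        if last:
            break
        off += length
    return images

def sha256_hex(rom: bytes) -> str:
    return hashlib.sha256(rom).hexdigest()

def firmware_changed(rom: bytes, known_good_sha256: str) -> bool:
    """Baseline comparison: a dump that no longer matches the hash recorded at
    installation time has been modified."""
    return sha256_hex(rom) != known_good_sha256
```

    As the article notes, compromised firmware can answer the operating system's read requests with a clean copy, so a matching hash is only meaningful when the dump was taken through a trusted reader rather than through the device's own firmware.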

    In 2014, Kovah and his LegbaCore colleague Corey Kallenberg discovered a number of firmware vulnerabilities affecting up to 80% of all PCs (including Dell, Lenovo, Samsung and HP products). Subsequently, the researchers found that similar attacks could be carried out on Mac computers.
