“Thunderstrike 2” attacks Apple computers’ firmware
04 Aug 2015
A presentation at the Black Hat conference scheduled for later this week would reveal an improved attack on the firmware in Apple computers making them vulnerable to hard-to-detect malware without even being connected to a network.
According to commentators, the new research highlighted ongoing weaknesses in the low-level software every computer runs prior to the loading of an operating system.
Researchers Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments showed earlier this year how a Mac's firmware could be infected with malware by connecting malicious devices to them using Thunderbolt, Apple's high-speed data transfer interface.
The attack has been named Thunderstrike.
They would unveil Thunderstrike 2, on Thursday, an attack that improved on the former since it was capable of spreading to other machines through removable peripherals.
Their attack would use a number of vulnerabilities in firmware used by Apple. The company patched several flaws in June, but some remained, according to Hudson's blog.
In theory, malware should not be able to be modified or rewritten, and malware that sat within firmware was especially dangerous since security products do not check firmware and users would therefore not have any idea that it had been tampered with.
Hudson said while his proof of concept was deliberately noisy, displaying a logo during boot, a real attack could be launched surreptitiously through virtualisation or system management mode.
Once installed Thunderstrike in the boot flash, it was"very difficult" to remove as it controlled the system from the first executed command. It was not removable with even reinstallation of the operating system or even with replacing the hard drive.
The infection of new Thunderbolt peripheral devices meant a potential victim might even infect a replacement laptop.
First revealed in January, Thunderstrike targeted option ROMs to load malware by replacing RSA keys in Mac extensible firmware interfaces (EFIs).
A partial fix was issued by Apple in the ensuing OS X patch run blocking it in version 10.10.2. Option ROM updates coupled with Boot Guard mitigations also slowed it down for attackers that lacked high levels of resources.
