Apple MacBook users are no longer safe from malware attacks: a new security flaw in their Thunderbolt ports may leave the laptops vulnerable.
The flaw lets an attacker write custom code into the MacBook's boot ROM.
Trammell Hudson, a security expert, has found a method by which it is possible to install malicious code on a built-in chip in MacBooks. Thunderstrike is the new nightmare for you and your laptop.
Thunderstrike cannot currently be detected, and no known method, short of specialized hardware, will remove it; the malware is nearly impossible to eliminate. Removing the hard disk does not help: the malware remains.
How does the Thunderstrike malware work?
Using an infected host, hackers can install a rootkit through the flawed Thunderbolt port; the target is the machine's BIOS or firmware. Once installed, the rootkit can infect other devices through the Mac's internal Thunderbolt interface, so the infection can spread from device to device.
Attackers can write untrusted code to the SPI flash ROM on the device's motherboard. Currently no cryptographic checks of the firmware are performed when the device boots, so the malicious code controls the device from its very first instruction and goes undetected.
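The paragraph above says that no cryptographic check of the firmware runs at boot, which is what lets a modified boot ROM go unnoticed. The following Python script, added here as an illustration and not code from the article or from Hudson's research, models a measurement-style check: it hashes each region of a small constructed flash image and compares the result with a known-good manifest, naming the region that was modified. The flash layout, region names and image contents are all constructed for the example and are not the real layout of a Mac's SPI flash.

```python
"""Measurement-style integrity check for a boot-firmware image.

Added example (not from the article or Hudson's work). The layout, region
names and image contents are constructed for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Region:
    """One named slice of the flash image."""
    name: str
    offset: int
    size: int


# Hypothetical layout for a tiny flash image (constructed for this example;
# not the real layout of a Mac's SPI flash).
LAYOUT: Tuple[Region, ...] = (
    Region("descriptor", 0x000, 0x100),
    Region("boot_block", 0x100, 0x400),   # first code executed at reset
    Region("main_fw", 0x500, 0x800),
)
FLASH_SIZE = 0xD00


def build_golden_image() -> bytes:
    """Constructed known-good contents: a distinct deterministic pattern per region."""
    buf = bytearray(FLASH_SIZE)
    for idx, r in enumerate(LAYOUT):
        buf[r.offset:r.offset + r.size] = bytes(
            (0x10 * (idx + 1) + j) & 0xFF for j in range(r.size)
        )
    return bytes(buf)


def measure(image: bytes) -> Dict[str, str]:
    """Hash each region separately so a mismatch can be attributed to a region."""
    if len(image) != FLASH_SIZE:
        raise ValueError(f"unexpected image size {len(image):#x}")
    return {
        r.name: hashlib.sha256(image[r.offset:r.offset + r.size]).hexdigest()
        for r in LAYOUT
    }


def verify(image: bytes, manifest: Dict[str, str]) -> List[str]:
    """Return the names of regions whose measurement differs from the manifest.

    An empty list means every region matches. compare_digest keeps the
    comparison constant-time, as a verifier should.
    """
    actual = measure(image)
    return [
        name
        for name in manifest
        if not hmac.compare_digest(actual.get(name, ""), manifest[name])
    ]


def tamper_boot_block(image: bytes, patch: bytes = b"\x90" * 16) -> bytes:
    """Constructed stand-in for an unsigned write: overwrite the start of the
    boot block and return the modified copy. Only bytes in a buffer change;
    nothing here touches or executes real firmware."""
    bb = LAYOUT[1]
    buf = bytearray(image)
    buf[bb.offset:bb.offset + len(patch)] = patch
    return bytes(buf)


def demo() -> Dict[str, List[str]]:
    """Run the check on the golden image and on a tampered copy."""
    golden = build_golden_image()
    manifest = measure(golden)   # what a vendor-published manifest would hold
    return {
        "golden": verify(golden, manifest),
        "tampered": verify(tamper_boot_block(golden), manifest),
    }


if __name__ == "__main__":
    for label, bad in demo().items():
        status = "intact" if not bad else "modified regions: " + ", ".join(bad)
        print(f"{label}: {status}")
```

Running the script reports the golden image as intact and the tampered copy as modified in its boot block. The caveat a firmware engineer would add is that a check like this only helps if the code performing it runs from a root of trust the attacker cannot rewrite; when the verifier lives in the same writable boot ROM that the article describes, the attacker's code runs first and can simply skip it. That is why detection and recovery of this class of implant lean on reading the flash from outside the running system and comparing it against a known-good image.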
"Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords," noted Hudson.
Even if the OS is reinstalled, Hudson said, the malware persists, because the boot ROM does not depend on the device's OS. The only way to remove Thunderstrike is with another Thunderbolt device, which can restore the flash ROM to its original configuration.
Hudson revealed the proof-of-concept attack on MacBooks at the annual Chaos Communication Congress in December 2014 in Germany.
The damage Thunderstrike can cause is enormous: it can compromise the entire OS as it boots, log passwords, and allow remote access to data that is normally not accessible from the firmware.
According to Hudson, Apple is apparently pushing out a "partial fix" for the vulnerability as a firmware update. In some scenarios the update will prevent the malicious code from being written to the ROM.