Apple's Mac computers can still be successfully attacked using some of the firmware issues that have been plaguing many Windows PCs, as demonstrated by a new proof-of-concept worm named Thunderstrike 2.
Mac computers, and their firmware in particular, were believed to be more secure than PCs. However, it seems that is not entirely the case.
Thunderstrike 2 looks similar to the first Thunderstrike, and likely uses similar attack vectors. Thunderstrike uses a security issue in the Thunderbolt ports of MacBooks to write custom code into the boot ROM of the computers. The malware can then be spread through different devices using the infected computer's internal Thunderbolt interface.
Thunderstrike 2 was developed by security researchers Xeno Kovah and Trammell Hudson, with Hudson also being the researcher who discovered the first Thunderstrike.
The target of Thunderstrike 2 is the option ROM on the Mac's peripherals such as SSDs and Ethernet adapters. The malware is spread simply by connecting a device infected with Thunderstrike 2 to a Mac computer, with the initial attack sent through a malicious website or email.
One of the major causes of concern with Thunderstrike 2 is that the malware can be automatically transferred between two Mac computers without the two being on the same network. Thunderstrike 2 is also not detectable by most malware-scanning software, and the worm can even survive a reformat of the infected computer.
Once a Mac computer has been infected with Thunderstrike 2, the only way to remove the malware is to re-flash its firmware chips.
The code for Thunderstrike 2 is based on research conducted last year by Kovah's consultancy, LegbaCore. The research revealed possible exploits in the firmware of computers manufactured by big names such as Lenovo, HP and Dell.
According to Kovah, five out of the six discovered exploits had the potential to apply to Mac computers as well, as computer manufacturers including Apple tend to use similar reference implementations in their products.
Apple has been notified of the issues and has reportedly already made a patch to fix one problem, while also partially sealing up a second vulnerability. It was not revealed whether the fixes also include the changes that were made upon the release of OS X 10.10.2 to address the problems associated with Thunderstrike, or if the fixes were separately released updates.
Kovah and Hudson suggested that computer manufacturers should cryptographically sign firmware and upgrade the hardware that they create to allow for authentication processes. Write-protect switches could also improve protection against malware such as Thunderstrike 2, as could a tool that allows users to check whether the firmware in their computers has been changed.
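To illustrate the kind of change-detection check mentioned above, the following added example (not the researchers' tool and not code from the original article) walks the images in a PCI option ROM dump and compares each image's SHA-256 hash with a known-good baseline. The vendor and device IDs, payload bytes and the `make_image` helper are constructed for the demonstration.

```python
import hashlib
import struct

def make_image(vendor, device, code_type, last, payload=b""):
    """Build one constructed 512-byte option ROM image for the demo."""
    img = bytearray(512)
    img[0:2] = b"\x55\xaa"                       # expansion ROM signature
    struct.pack_into("<H", img, 0x18, 0x1C)      # pointer to the PCIR structure
    struct.pack_into("<4sHH", img, 0x1C, b"PCIR", vendor, device)
    struct.pack_into("<H", img, 0x1C + 0x10, 1)  # image length in 512-byte units
    struct.pack_into("<BB", img, 0x1C + 0x14, code_type, 0x80 if last else 0)
    img[0x40:0x40 + len(payload)] = payload
    return bytes(img)

def parse_option_rom(blob):
    """Return [((vendor, device, code_type), sha256)] for each chained image."""
    images, off = [], 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no ROM signature at {off:#x}")
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        if blob[pcir:pcir + 4] != b"PCIR" or pcir + 0x16 > len(blob):
            raise ValueError(f"no PCIR structure for image at {off:#x}")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 4)
        size = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512
        code_type, indicator = struct.unpack_from("<BB", blob, pcir + 0x14)
        if size == 0 or off + size > len(blob):
            raise ValueError(f"bad image length at {off:#x}")
        digest = hashlib.sha256(blob[off:off + size]).hexdigest()
        images.append(((vendor, device, code_type), digest))
        if indicator & 0x80:  # bit 7 marks the last image in the chain
            break
        off += size
    return images

def changed_images(blob, baseline):
    """List images whose hash is absent from, or differs from, the baseline."""
    return [k for k, digest in parse_option_rom(blob) if baseline.get(k) != digest]

# Constructed sample: a legacy BIOS image (type 0) followed by an EFI image (type 3).
CLEAN = make_image(0x1234, 0x5678, 0, False, b"legacy") + make_image(0x1234, 0x5678, 3, True, b"efi driver")
BASELINE = dict(parse_option_rom(CLEAN))
MODIFIED = CLEAN[:512] + make_image(0x1234, 0x5678, 3, True, b"efi driver + extra")

if __name__ == "__main__":
    print(changed_images(CLEAN, BASELINE))     # no differences
    print(changed_images(MODIFIED, BASELINE))  # the EFI image differs
```

A hash comparison like this is only as trustworthy as the baseline and the way the dump was read: a baseline should come from a known-good source, and a dump read through software on an already compromised machine may not reflect what is on the chip.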
The security researchers will be presenting their findings at the Black Hat USA security conference, which will be held on Aug. 6.