Two security consultants have created a new computer worm, the Thunderstrike 2, that attacks the core hardware of a Mac computer once unleashed. The worm was designed to expose vulnerabilities in the once-assumed airtight security of Apple products. The worm works by attacking the computer’s firmware, the software that comes pre-installed and loads the operating system. Firmware provides control, monitoring and data manipulation in engineering products or systems.
The cybersecurity research work on the worm was carried out by Xeno Kovah, owner of LegbaCore, and Trammell Hudson, a security engineer with Two Sigma Investments.
According to the researchers, an attack can occur via a phishing email (an email sent from a fake “trusted institution” like a bank) or a malicious website containing the worm. Once activated, the malware would look out for any peripherals connected to the computer, such as an Ethernet adapter, which it would then infect. The worm could then spread to any other computer to which the adapter gets connected. Once connected, the worm writes malicious code to the firmware of the MacBook.
One way to randomly infect machines would be to sell infected Ethernet adapters on eBay, or infect them in a factory, Wired reported. “[The attack is] really hard to detect… it’s really hard to get rid of,” Kovah told Wired. “It’s really hard to protect against something that’s running inside the firmware…for most users that’s really a throw-your-machine-away kind of situation.”
Thunderstrike 2 can’t be removed with traditional anti-malware security program, either. It requires programming the computer’s chip.
Kovah and Kallenberg said that the worm was developed to showcase vulnerabilities in Apple devices. According to Vice, Apple has been notified has already fixed one type of vulnerability and partially patched another. Three are still unresolved.
Wired reported that last year Kovah and his partner at Legbacore, Corey Kallenberg, exposed firmware vulnerabilities that affected 80 percent of PCs they examined.
“It turns out almost all of the attacks we found on PCs are also applicable to Macs,” Kovah said at the time. Kovah said they looked at six vulnerabilities and found that five of them affected Mac firmware. Their discovery showed that hardware makers tend to all use some of the same firmware code.
“Most of these firmwares are built from the same reference implementations, so when someone finds a bug in one that affects Lenovo laptops, there’s a really good chance it’s going to affect the Dells and HPs,” said Kovah. “What we also found is there is really high likelihood that the vulnerability will also affect Macbooks. Because Apple is using a similar EFI (BIOS) firmware.”
The consultants will showcase the worm at the Black Hat security conference in Las Vegas on Thursday. The goal is to push tech companies to take security more seriously. Kovah said some vendors are active about removing vulnerabilities in their firmware but others are not.
“We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security,” Kovah told Vice News.