Attention Mac Users: New Firmware Worm Attacks Macs
Mac users, long accustomed to believing their software is better protected from malware than PCs, take heed: researchers have developed a worm that can spread from one MacBook to another, even when not networked, according to Wired. The researchers also found that certain PC firmware vulnerabilities affect Macs as well.
Xeno Kovah, owner of LegbaCore, a firmware consultancy, and Trammell Hudson, a security engineer at Two Sigma Investments, will present their findings Aug. 6, 2015 at the Black Hat security conference in Las Vegas.
Worm Escapes Security Scanners
The worm could allow someone to remotely target computers and escape security scanners. The attack would have a persistent foothold on a system, even through firmware and operating system updates.
The user would need to re-flash the chip containing the firmware to remove the embedded malware.
“(The attack is) really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” said Kovah. “For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”
Firmware Has Vulnerabilities
Firmware, software that launches a computer’s operating system, is vulnerable to malware since most hardware manufacturers don’t cryptographically sign the embedded firmware or firmware updates. Nor do they usually include authentication functions to prevent illegitimate firmware from being installed.
It is not easy for users to examine firmware to see if it has been altered. Malware can also maintain a hold on a system throughout attempts to disinfect it.
Kovah and his LegbaCore partner, Corey Kallenberg, last year discovered firmware vulnerabilities that affected 80 percent of PCs they examined from Dell, Lenovo, Samsung and HP.
Kovah and Hudson then decided to examine Apple firmware. They found they could write untrusted code to the MacBook boot flash firmware.
They found that five of six vulnerabilities affected Mac firmware.
Kovah and Hudson then notified Apple, which patched one vulnerability and partially patched another, but three vulnerabilities remain unpatched.
Researchers Develop ‘Thunderstrike 2’
The researchers then designed a worm called Thunderstrike 2 using the remaining vulnerabilities. Thunderstrike 2 can spread among MacBooks undetected and remain hidden since it doesn’t touch the operating system or file system.
The exploit is especially troubling since a phishing email or a click on a link on a malicious site could compromise a computer, noted Roberto Baldwin, writing in Engadget. “This is in addition to the exploit shown last year that was spread by the ROM of infected external drives and accessories like a Thunderbolt to ethernet adapter.”
Baldwin further noted that this is the second Thunderstrike exploit targeting Macs. The first version was fixed with OS X 10.10.2 and required the hacker to have physical access to the computer. “This new version is more nefarious because the malware can be delivered via a link. The latest OS X security update (10.10.4) seems to keep the exploit from taking hold.”
“Still, vulnerabilities like this are a reminder that companies should be encrypting all the elements of a machine to reduce the chance of their customers getting hacked in the first place.”