A few weeks ago, security researcher Trammell Hudson discovered a vulnerability in Apple’s low-level firmware that could allow a rogue Thunderbolt device to flash its own code to a Mac’s boot ROM. This type of bootkit, dubbed “Thunderstrike” because it relies on Thunderbolt I/O as an attack vector, would be very difficult to remove or even detect.
Back in 2011, Apple introduced Thunderbolt, a new I/O technology co-developed with Intel that promised speeds way faster than existing technologies like USB and FireWire. Since then, Thunderbolt has come standard on all Macs, enabling support for high-performance peripherals like Apple’s Thunderbolt Display.
However, security researcher Trammell Hudson has discovered a vulnerability in Apple’s EFI that can allow a malicious Thunderbolt device to flash its own code to the boot ROM (read-only memory). This type of low-level malware, called a “bootkit,” would be very difficult to remove or even detect. Hudson has developed a proof-of-concept bootkit [...]