New attack infects Macs in seconds, even without internet
Apple computers have always been touted as more secure than other PCs because their firmware couldn’t be penetrated. Unfortunately, that’s no longer true, as a newly created self-replicating worm has shown.
Wired reports that security researchers Xeno Kovah and Trammell Hudson demonstrated a proof-of-concept worm they’re calling Thunderstrike 2, that’s capable of infecting the BIOS of a Mac and can’t be removed by flashing the operating system or even replacing its hard drive.
Even scarier, the attack can spread across Macs without a network connection. By installing itself in the ‘option ROM’ on peripheral devices that you can plug into your Mac, like Apple’s Thunderbolt Ethernet adapter, it can then infect other computers that these accessories are connected to.
Kovah said that this sort of vulnerability could be exploited to infect machines across the globe by selling infected ethernet adapters on eBay, or by targeting an accessory shipment in a factory.
People are unaware that these small cheap devices can actually infect their firmware. You could get a worm started all around the world that’s spreading very low and slow. If people don’t have awareness that attacks can be happening at this level then they’re going to have their guard down and an attack will be able to completely subvert their system.
He added that this sort of exploit is worse than Stuxnet, the virus that hit Iran’s uraniun enrichment plant via flash drives. He said:
Stuxnet sat around as a kernel driver on Windows file systems most of the time, so basically it existed in very readily available, forensically-inspectable places that everybody knows how to check. And that was its Achille’s heel.
Hardware makers typically don’t cryptographically sign their firmware and accompanying updates, but doing so would add a layer of protection from such attacks. However, implementing such changes would require re-architecting systems entirely.
Kovah said, “Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware. Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security.”
As if that didn’t spell enough trouble for Apple, Ars Technica reports that hackers are exploiting a vulnerability in the latest version of OS X which lets them install malware without require users’ permission or passwords.
A research team from security firm Malwarebytes noted that it’s being used to install a variety of adware. Apple is yet to fix the bug.
We’ve contacted Apple to find out more and will update this post when we hear back.