Apple thunderstruck by firmware worm

If there is one big advantage of owning a Mac, it’s that they aren’t targeted with viruses and malware with the same regularity as Windows devices. While users of Microsoft’s software see antivirus and malware detectors as a necessity, it’s likely that they barely raise a blip on a Mac user’s radar.

In fact, for a while, Apple traded on the fact that its computers didn’t get viruses. So there may have been a few wry smiles at the news that Macs are potentially vulnerable to a bug that spreads through infected hardware. The work of white hat researchers, the vulnerability and the resulting worm has caused some hysteria online, and has shaken the belief that Apple’s security is almost impenetrable.

What is it?

Thunderstrike 2 is a firmware worm. It targets the core firmware of the machine, which you might know better as the BIOS, UEFI or EFI. This is a low level code responsible for booting your computer and launching the operating system, whether it is Windows or OS X. It’s a set of instructions for your computer that tells it how to boot up, where to find different elements and what to do once it’s woken.

“It’s half way between software and hardware,” says Dermot Williams of Threatscape. “It’s the software that’s built into the hardware.”

Researchers found a series of vulnerabilities that affected PCs and Macs, allowing malicious code to be inserted into the firmware despite protections put in place by hardware makers to try to prevent it.

The original Thunderstrike was discovered earlier this year, but required physical access to a machine to infect it, making it a little more difficult to spread the worm.

So how does this one spread?

Unlike the common virus that uses infected files in email, websites or USB drives to spread itself from machine to machine, Thunderstrike 2 can also use your Mac accessories. It can be spread remotely, delivered to your Mac initially through an infected website or a phishing email, but once it takes hold, it can spread to your Mac’s accessories, and after that, make the leap to any Mac that the accessory is connected to. The ones at risk use Option ROM.

Option ROM?

Option ROM is like an extension to your system’s BIOS. But it’s probably easier to talk about actual products, for example, the Thunderbolt ethernet adaptor that Apple users may have. That contains Option ROM and so is, in theory, vulnerable to the worm. Once that’s infected, it can infect another Mac that it is connected to, and the cycle continues.

What does it actually do?

Once Thunderstrike has taken hold, it could give attackers root level access to a machine, giving them control of it without you being aware. They could in theory run additional attacks on your machine. Security consultant Brian Honan says attacks like this are typically a beachhead, that allows malicious users to take more control over your system through additional malware.

Is Thunderstrike 2 a big deal?

Yes and no. It sounds frightening. What makes Thunderstrike such a problem is not only how it spreads, but also that it’s undetectable. Because it’s a firmware worm, it isn’t usually picked up by antivirus software, and can survive a complete system reinstallation. But the vulnerability is still at the proof of concept stage, and there’s nothing to suggest that it’s out in the wild.

The worm was created by researchers who have been demonstrating why this is a problem. If someone does exploit it before Apple can patch it though, that would be something to worry about.

Who is at risk?

Any Mac that has shipped with a Thunderbolt port could, in theory, be susceptible. It could even infect computers that have never been connected to the internet, thanks to the ability to spread via Thunderbolt accessories.

How easy is it to get rid of?

Thunderstrike is hard to remove once it has taken hold. Researchers say the only way to do it is to reset the chip. That’s way outside the expertise of most users.

How can I protect myself?

Be careful what websites you visit, don’t download or open attachments you don’t trust, and don’t plug accessories in that you aren’t sure about. Keeping your operating system up to date is a good move; when Apple patches the remaining vulnerabilities – and it plans to do it as soon as possible according to reports – you’re going to want to install the updates. When it comes to buying accessories, only buy Thunderbolt devices from trusted sellers.

What is Apple doing about it?

There are reports that the company is patching the vulnerability as quickly as possible, and in the meantime, it will be keeping an eye on developers and apps to make sure they aren’t exploiting the flaw. Apple has also patched one previously known flaw, and partially fixed another. What is recommended is that manufacturers using EFI implement some controls such as cryptographically signing the Option ROMS.

Anything else I should know?

The vulnerability is specifically aimed at computers rather than smartphones and iPads.

Windows users don’t escape unscathed, as the bug also affects their systems. The original vulnerabilities were discovered in about 80 per cent of top PC brands. But some PC makers, including Dell and HP, have already implemented security measures that prevent the worst of the effects. “It highlights that there is no such thing as 100 per cent security, and all manufacturers will have to up their game when it comes to security,” said Honan.