
Researchers have created a worm that can infect Mac firmware



A few months ago, researcher Trammell Hudson created an exploit called Thunderstrike that could infect Mac computers through devices connected via the Thunderbolt port. When new devices were connected to an infected computer, the worm was written to them, putting other machines at risk as well.

Apple fixed the vulnerability in OS X 10.10.2; however, as Wired reports, Hudson and fellow security researcher Xeno Kovah have developed a new version of the exploit and published a bootkit and a worm that infect Mac computers.

Like its predecessor, Thunderstrike 2 spreads mainly through infected Thunderbolt devices. However, unlike the first version of the worm, the attacker no longer needs physical access to the computer to launch the attack.

According to the researchers, the malware can reach the computer via a "phishing email message or a special website." Once on the computer, the worm infects connected devices that carry an Option ROM (for example, a Thunderbolt-to-Gigabit-Ethernet adapter, an external SSD, or even a RAID controller). Once the worm has been written to the device, it can attack any Mac the device is later connected to.

The main danger of malware operating at the firmware level is that current anti-virus software and other security tools focus on RAM and on files stored on the computer, so a worm like Thunderstrike 2 is extremely difficult to detect. At the same time, the nature of the attack means it can be carried out even against machines that are not connected to the Internet, says Kovah:

Suppose you have a plant that produces centrifuges for processing uranium, which, of course, is not connected to any network. But people bring in their laptops or external drives and perhaps connect them to the internal network via Ethernet to transfer data. Those SSDs have an Option ROM, which could potentially be infected. If we are talking about a well-protected network, WiFi is hardly used there; everything is connected through Ethernet adapters. They also have Option ROMs, whose firmware may be infected.

The researcher recalls the famous Stuxnet worm, which attacked Iranian nuclear facilities and spread via USB flash drives (we have published a study of the vulnerabilities of industrial control systems). At that time the attackers exploited zero-day vulnerabilities in Windows, which still left specialists with ways to track the attack. "Everyone knows where to look in such cases," says Kovah. A worm in the firmware is another matter, because the firmware itself controls what the operating system sees of it (which means the worm can intercept the corresponding requests and return "clean" copies of the code in response).

Firmware manufacturers could improve the security of their products by cryptographically signing the firmware and its updates, and devices running that firmware should be able to verify those signatures. A physical read/write switch would also help prevent unauthorized overwriting of the firmware. However, this would protect against lone hackers but not against specialists working for powerful intelligence agencies, who can simply steal the manufacturer's master signing key and sign their malicious code with it. Earlier press reports indicated that the US National Security Agency is actively working on compromising various kinds of firmware.

The researchers suggest that manufacturers add a way to verify a checksum that would reveal whether the firmware has changed since it was installed on the computer. However, vendors are unlikely to do anything of the sort, since such changes would require significant modifications to system architecture, and users at present give little thought to firmware security.
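As an added illustration of the baseline-comparison idea (this is not code from the researchers or from the original article), the following Python parses a PCI Option ROM image's header and PCIR data structure, checks the legacy self-checksum, and compares the image's SHA-256 against an externally held known-good digest. The ROM image, its vendor/device IDs and the baseline are all constructed for the example; it also shows why the self-checksum alone is not a security control, since a modified image can simply have its checksum byte recomputed, and only the external baseline catches the change.

```python
import hashlib
import struct

def parse_option_rom(image: bytes) -> dict:
    """Read the PCI expansion ROM header and the PCIR data structure it points to."""
    if image[:2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA expansion ROM signature")
    pcir = struct.unpack_from("<H", image, 0x18)[0]
    if image[pcir:pcir + 4] != b"PCIR":
        raise ValueError("PCIR data structure not found")
    vendor, device = struct.unpack_from("<HH", image, pcir + 4)
    length = struct.unpack_from("<H", image, pcir + 0x10)[0] * 512
    return {"vendor": vendor, "device": device, "length": length,
            "code_type": image[pcir + 0x14]}

def legacy_checksum_ok(image: bytes, length: int) -> bool:
    """Legacy x86 images (code type 0) must byte-sum to zero modulo 256."""
    return sum(image[:length]) % 256 == 0

def verify_against_baseline(image: bytes, baseline: dict) -> tuple:
    """Structural checks first, then the externally held SHA-256 baseline."""
    info = parse_option_rom(image)
    if info["code_type"] == 0 and not legacy_checksum_ok(image, info["length"]):
        return False, "legacy checksum failed"
    digest = hashlib.sha256(image[:info["length"]]).hexdigest()
    if baseline.get((info["vendor"], info["device"])) != digest:
        return False, "digest differs from baseline"
    return True, "image matches baseline"

def fix_checksum(rom: bytearray) -> bytes:
    """Set the last byte so the legacy self-checksum comes out to zero."""
    rom[-1] = (-sum(rom[:-1])) % 256
    return bytes(rom)

def build_sample_rom(payload: bytes) -> bytes:
    """Constructed 512-byte legacy Option ROM image for the demonstration."""
    rom = bytearray(512)
    rom[0:2], rom[2] = b"\x55\xaa", 1                   # signature, size in 512-byte units
    struct.pack_into("<H", rom, 0x18, 0x40)             # pointer to PCIR
    rom[0x40:0x44] = b"PCIR"
    struct.pack_into("<HH", rom, 0x44, 0x1234, 0x5678)  # constructed vendor/device IDs
    struct.pack_into("<H", rom, 0x4A, 0x18)             # PCIR structure length
    struct.pack_into("<H", rom, 0x50, 1)                # image length in 512-byte units
    rom[0x54], rom[0x55] = 0, 0x80                      # code type legacy x86, last image
    rom[0x60:0x60 + len(payload)] = payload
    return fix_checksum(rom)

SAMPLE_ROM = build_sample_rom(b"vendor init code")
BASELINE = {(0x1234, 0x5678): hashlib.sha256(SAMPLE_ROM).hexdigest()}  # known-good digest
```

A real deployment would hold the baseline digests off-device (for example, published by the vendor or recorded at provisioning) so that firmware which can lie about its own contents cannot also supply the reference value.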

In 2014, Kovah and his LegbaCore colleague Corey Kallenberg discovered a number of firmware vulnerabilities affecting up to 80% of all PCs (including Dell, Lenovo, Samsung and HP products). The researchers subsequently found that similar attacks can be carried out against Mac computers.

Source: https://habr.com/ru/post/264123/