
Thunderstrike 2 Firmware Worm Proves Apple Needs a Bug Bounty



What’s that? Lightning never strikes in the same place twice?

Well, sometimes it does — and this time it’s just become much more dangerous.

Earlier this year, we described how Apple had patched a serious security hole in OS X called “Thunderstrike.”

What made Thunderstrike so nasty was that it could install malware into your computer’s firmware — specifically the EFI boot ROM — and once in place could turn itself “invisible,” making it impossible to detect with anti-virus software because of the extremely low level at which it was running.

Once in place, malware could spy on you or steal information — and it was even capable of fending off removal attempts using firmware-flashing software.

The only silver lining on Thunderstrike’s cloud was that an attacker needed physical access to infect your Mac, by plugging a booby-trapped Thunderbolt device into your Mac or MacBook — without physical access, the attacker wouldn’t be able to infect you.

Well, that was then and this is now.

With the newly unveiled Thunderstrike 2, things have taken a dramatic turn.

Trammell Hudson, the researcher who first revealed details of the original Thunderstrike, has teamed up with Xeno Kovah to reveal a way in which a Mac’s firmware can be infected without physical access, from anywhere on the planet.

As Wired reports, the researchers have even developed a proof-of-concept worm that allows the firmware attack to spread automatically between MacBooks, even if they are not networked to each other.

The attack raises the stakes considerably for system defenders since it would allow someone to remotely target machines—including air-gapped ones—in a way that wouldn’t be detected by security scanners and would give an attacker a persistent foothold on a system even through firmware and operating system updates.

You can see the Thunderstrike 2 firmworm in action in the following YouTube video:

The means to build a firmworm like this are certainly not within the capability of many attackers, but nonetheless it’s clearly important that Apple patches the security holes that allow such attacks at the earliest possible opportunity — before a malicious attacker tries to take advantage of them.

There are some very smart people out there who are very good at finding vulnerabilities in Apple’s software.

The good news is that some of them aren’t in the business of exploiting the vulnerabilities for criminal commercial gain, and aren’t in the pocket of foreign governments and intelligence agencies.

Some of them genuinely want to improve security, and believe they are performing a valuable service by raising awareness of security vulnerabilities that really should be fixed.

Sure, some of these security researchers quite enjoy the limelight, and like to show off how clever they have been, and some of them might have very strongly held views about the quality of code being written in Cupertino, and Apple’s tardiness in patching.

But none of that matters to the millions of Mac and MacBook users around the world. They simply want to know that their systems are secure and not at risk. Apple has tried in the past to close the security holes exploited in these firmware attacks, and yet researchers keep finding more vulnerabilities.

The really bad news is that Apple isn’t doing enough to work with these researchers, and could be doing much more to ensure that their discoveries are only made public when a fix is available.

Other technology companies are offering sizeable bug bounties to researchers who work with them to uncover security holes, whereas Apple — one of the richest companies in the world — doesn’t even bother to dangle the carrot of a $10 iTunes voucher, preferring to name bug reporters on a “hall of fame” page instead.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.