Researchers demonstrate firmware attack targeting Macs
Security researchers to demonstrate undetectable 'Thunderstrike 2' attack against Apple firmware
Apple enthusiasts will often smugly tell you that their choice of personal computer is much more secure than any desktop or laptop running a Microsoft Windows operating system.
However, two security researchers will this week showcase an attack that targets Apple Mac firmware using several known vulnerabilities that also affect many top PC makers. The researchers, Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments, will present their attack at the Black Hat conference this week.
The worm they built as a proof-of-concept can automatically transfer from MacBook to MacBook, even if they're not connected together via a network, and is so damaging it essentially prevents the machine from being used unless the chip containing the malware is re-flashed. It builds on work they did earlier this year in an attack they dubbed Thunderstrike.
Some of those flaws were patched in June, but some remain, warn the researchers. "[The attack is] really hard to detect, it's really hard to get rid of, and it's really hard to protect against something that's running inside the firmware," Xeno Kovah, one of the researchers who designed the worm, told Wired.
"For most users, that's really a throw-your-machine-away kind of situation. Most people and organisations don't have the wherewithal to physically open up their machine and electronically re-program the chip."
If the attack had been deployed by hackers, not security researchers, it would enable cyber criminals to remotely target machines without ever being detected by anti-virus or other security software tools. The attacker could still retain control of the infected PC, even if firmware or operating system updates were applied.
Earlier this year, it was revealed that Apple iPhones and Mac OS PCs had been running with a serious security vulnerability for almost nine months, despite security researchers warning Apple of the zero-day flaw.
Meanwhile, another exploit on Apple Macs could enable attackers to create a permanent back door.
In his blog, Hudson writes: "Thunderstrike 2 was partially fixed as part of Mac EFI Security Update 2015-001 in June 2015 (VU#577140, CVE-2015-3692). The issues that we identified that are still unpatched have been disclosed to Apple and will be discussed at the conference."