Mac Malware: The First Firmware Malware for Mac

Mac OS has long been “accused” of being one of the two most secure operating systems; today, however, cyber security researchers have shown that Macs share some of the same vulnerabilities as their Windows counterparts, with the discovery of a new piece of Mac malware.

Cyber security researchers Corey Kallenberg, Xeno Kovah and Trammell Hudson have announced that:

Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Macs are in fact vulnerable to many of the software only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.

These researchers previously used LightEater to reveal that more than 80% of PCs have firmware vulnerabilities. Now they have created Thunderstrike 2, firmware malware that can remotely infect Apple computers.

Using Thunderstrike 2, attackers can infect a target through a malicious website or even a phishing email. After infection, the malware spreads automatically from one MacBook to another without requiring a network connection. Because Thunderstrike 2 is designed to spread by infecting the ROM on peripheral devices, even air-gapped computers can be targeted remotely.

This exploit clearly shows that firmware, the software that runs before the OS boots, is not encrypted and is not able to authenticate whether updates actually come from the manufacturer.

A good example of the severity of this vulnerability is the following case: your company runs a uranium refining centrifuge plant that is not connected to any network, but people bring laptops into it and perhaps share Ethernet adapters or external SSDs to move data in and out. Those SSDs have option ROMs that could potentially carry this sort of infection. Perhaps because it is a secure environment they do not use WiFi, so they have Ethernet adapters. Those adapters also have option ROMs that can carry this malicious firmware.
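As an added illustration (not code from the article or from the researchers), the following Python check is what a defender could run over a dump of a peripheral's option ROM: it walks the PCI expansion ROM image chain laid out per the PCI Firmware Specification and flags any image whose SHA-256 digest is not in a known-good baseline, which is how a changed or unexpected ROM on a shared adapter or SSD would be caught. The ROM bytes, vendor/device IDs and baseline below are constructed for the example and are not from any real device.

```python
import hashlib
import struct

def build_image(code_type, last, payload):
    """Constructed minimal 512-byte PCI expansion ROM image (not a real ROM)."""
    img = bytearray(512)
    img[0:2] = b"\x55\xAA"                         # ROM signature
    img[2] = 1                                     # legacy size, 512-byte units
    struct.pack_into("<H", img, 0x18, 0x40)        # pointer to the PCIR structure
    img[0x40:0x44] = b"PCIR"
    struct.pack_into("<HH", img, 0x44, 0x1234, 0x5678)  # constructed vendor/device IDs
    struct.pack_into("<H", img, 0x50, 1)           # image length, 512-byte units
    img[0x54] = code_type                          # 0 = x86 legacy, 3 = EFI
    img[0x55] = 0x80 if last else 0                # bit 7 marks the last image
    img[0x80:0x80 + len(payload)] = payload
    return bytes(img)

# Constructed sample: a legacy x86 image followed by an EFI image.
SAMPLE_ROM = build_image(0, False, b"legacy-init-code") + build_image(3, True, b"efi-driver")

def parse_option_rom(rom):
    """Return (code_type, vendor, device, sha256) for each image in the ROM chain."""
    images, off = [], 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != b"\x55\xAA":
            raise ValueError(f"bad ROM signature at 0x{off:x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"missing PCIR structure at 0x{pcir:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        if length == 0 or off + length > len(rom):
            raise ValueError(f"image at 0x{off:x} has bad length {length}")
        digest = hashlib.sha256(rom[off:off + length]).hexdigest()
        images.append((code_type, vendor, device, digest))
        if indicator & 0x80:
            break                                  # last image in the chain
        off += length
    return images

def check_against_baseline(rom, known_good):
    """Return the images whose digest is not in the allowlist of known-good digests."""
    return [img for img in parse_option_rom(rom) if img[3] not in known_good]

# Baseline taken from the known-good sample; the tampered copy changes one payload byte
# in the EFI image, so only that image should be flagged.
BASELINE = {img[3] for img in parse_option_rom(SAMPLE_ROM)}
TAMPERED_ROM = SAMPLE_ROM[:512 + 0x80] + b"X" + SAMPLE_ROM[512 + 0x81:]
```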

If you are running a uranium refining plant, you definitely want it to be as secure and as hard to exploit as possible.

The researchers say they have alerted Apple about the issue and according to the Wired article, the company has patched one exploit and partially patched another.

Source: Wired
