
Remotely-transmitted 'disease' comes to Mac

By Lauren Kate Rawlins, ITWeb digital and innovation contributor.
Johannesburg, 05 Aug 2015
A newly-created worm, Thunderstrike 2, can spread between MacBooks undetected without a network connection.

At the Black Hat security conference in Las Vegas tomorrow, security researchers Xeno Kovah and Trammell Hudson will demonstrate a worm that allows for a firmware attack on Apple computers.

Thunderstrike 2 (the sequel to Thunderstrike) can spread between MacBooks undetected without a network connection.

"[The attack is] really hard to detect, it's really hard to get rid of, and it's really hard to protect against something that's running inside the firmware," Kovah told Wired. "For most users that's really a throw-your-machine-away kind of situation. Most people and organisations don't have the wherewithal to physically open up their machine and electrically reprogram the chip."

This video, by Kovah and Hudson, explains how Thunderstrike 2 works.

An attacker could remotely infect a Mac by sending the attack code via a phishing e-mail and malicious Web site. The virus would then infect the firmware of any peripheral device connected to the computer. Thereafter, any computer that device is connected to would get infected.

Firmware is programming written to the read-only memory of a computing device. Firmware, which is added at the time of manufacturing, is used to run user programs on the device. It is used to launch the operating system and typically exists outside of it, and is therefore skipped by scanners.

Last year, a series of firmware vulnerabilities that affected both PCs and Macs were uncovered by Kovah and Corey Kallenberg, co-founders of LegbaCore. Some vulnerabilities were patched when Apple was notified, but not all. Thunderstrike 2 was designed to take advantage of the remaining vulnerabilities.

Apple has yet to respond to Thunderstrike 2.

In early 2012, the Flashback virus exposed a security flaw in the Java Web platform on Apple computers. The virus was dubbed the largest and most sophisticated attack on Macs to date. The virus spread rapidly by downloading itself onto the Macs, giving hackers remote access to the targeted computers - providing them with access to users' personal and banking data.

Following the Flashback attack on Apple, CEO and co-founder of Kaspersky Lab, Eugene Kaspersky, was widely quoted as saying: "Apple is 10 years behind Microsoft in terms of security."
