Macs vulnerable to virtually undetectable virus that "can't be removed"

A security researcher has discovered a way to infect Macs with malware that is virtually undetectable, 'can't be removed,' and can be installed using a modified Apple gigabit Ethernet Thunderbolt adapter.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor
Trammell Hudson

A security researcher has discovered a way to infect Macs with malware that is virtually undetectable and that 'can't be removed.'

The attack, which has been called Thunderstrike, installs the malicious code into the Boot ROM of the system via the Thunderbolt port.

Trammell Hudson, who works for hedge fund Two Sigma Investments and is also the creator of the Magic Lantern open-source programming environment for Canon DSLRs, discovered the vulnerability after his employer asked him to look into the security of Apple notebooks.

"A few years ago we were considering deploying MacBooks and I was asked to use my reverse engineering experience to look into the reports of rootkits on the Mac to see if it was possible to patch the firmware to be secure against them," wrote Hudson in a summary of the vulnerability.

After initially discovering that the Boot ROM could be tampered with if the notebook was physically dismantled to give access to the chip soldered onto the motherboard, he then refined this technique so the attack could be carried out via the system's Thunderbolt port.

"It turns out that the Thunderbolt port gives us a way to get code running when the system boots," wrote Hudson. "Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run."
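The Option ROMs that Hudson refers to follow the standard PCI expansion ROM layout, and inventorying them is also what a defender does when baselining a peripheral against what its vendor shipped. The following is an added example, not Hudson's code or anything from this article: it walks the image chain of a PCI expansion ROM, reports each image's code type (EFI images carry the 0x0EF1 signature), and hashes each image so it can be compared with a known-good copy; the sample ROM, its vendor/device IDs and its layout are constructed for the demonstration.

```python
import hashlib
import struct

# Code types defined in the PCI Data Structure (PCI Firmware Specification).
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
EFI_SIGNATURE = 0x0EF1  # marker at offset 4 of an EFI Option ROM image header

def parse_option_rom(rom: bytes) -> list:
    """Walk the image chain of a PCI expansion ROM and describe each image.

    Each image starts with 0x55 0xAA and points (offset 0x18) at a 'PCIR' data
    structure holding its length in 512-byte units and its code type; bit 7 of
    the indicator byte marks the last image in the chain.
    """
    images, offset = [], 0
    while offset + 0x1A <= len(rom):
        if rom[offset:offset + 2] != b"\x55\xAA":
            raise ValueError(f"bad ROM signature at 0x{offset:x}")
        pcir = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR" or pcir + 0x18 > len(rom):
            raise ValueError(f"missing PCIR structure at 0x{pcir:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        size = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        info = {"offset": offset, "size": size, "vendor": vendor, "device": device,
                "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
                "sha256": hashlib.sha256(rom[offset:offset + size]).hexdigest()}
        if code_type == 3 and struct.unpack_from("<I", rom, offset + 4)[0] == EFI_SIGNATURE:
            # EFI header: subsystem (0x0B = boot-service driver) and PE machine type
            info["efi_subsystem"], info["efi_machine"] = struct.unpack_from("<HH", rom, offset + 8)
        images.append(info)
        if indicator & 0x80 or size == 0:
            break
        offset += size
    return images

def build_image(code_type: int, last: bool, units: int = 1) -> bytes:
    """Construct a minimal test image (constructed data, not a real device ROM)."""
    img = bytearray(512 * units)
    img[0:2] = b"\x55\xAA"
    struct.pack_into("<H", img, 0x18, 0x40)  # PCIR structure placed at 0x40
    if code_type == 3:
        struct.pack_into("<IHH", img, 4, EFI_SIGNATURE, 0x0B, 0x8664)  # EFI driver, x64
    img[0x40:0x44] = b"PCIR"
    struct.pack_into("<HH", img, 0x44, 0x1234, 0x5678)  # constructed vendor/device IDs
    struct.pack_into("<H", img, 0x50, units)
    img[0x54], img[0x55] = code_type, 0x80 if last else 0
    return bytes(img)

# Constructed sample: a legacy x86 image followed by an EFI image (last in chain)
SAMPLE_ROM = build_image(0, False) + build_image(3, True, units=2)
```

Comparing the per-image SHA-256 values against hashes taken from a trusted copy of the same adapter's ROM is the baseline check; a differing hash or an unexpected extra image in the chain is what warrants a closer look.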

Hudson discovered that he could use a modified Apple gigabit Ethernet Thunderbolt adapter to carry out the attack.

"Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords," Hudson said.

And once it is on your system, it is incredibly hard to remove.

"It can't be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won't remove it. Replacing the SSD won't remove it since there is nothing stored on the drive."

"The classic 'evil-maid' attacks also are feasible. Given a few minutes alone with your laptop, Thunderstrike allows the boot ROM firmware to be replaced, regardless of firmware passwords or disk encryption," explains Hudson. "So while you are getting breakfast at the hotel during a conference and leave the machine in your room and house-cleaning comes by to make up the bed, install the firmware backdoors, and replace the towels."

According to Hudson, Thunderstrike "is effective against every MacBook Pro/Air/Retina with Thunderbolt."

Fortunately, Hudson reports that Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port. However, this update would not protect the system from having the Boot ROM tampered with directly.

One defense against this would be to paint over the case screws with glitter nail polish and take close-up photos of the seal you created. The glitter in the nail polish sets into a random pattern that would be impossible to replicate, and as long as you keep the photos safe, you can check that the screws haven't been tampered with.

