Researchers Create First Firmware Worm that Able to Infect Macs, Even Without Internet

Researchers Create First Firmware Worm that Able to Infect Macs, Even Without Internet

When it comes to PCs, Apple computers have always been touted as more secure than other PCs. Especially when it comes to security, their firmware couldn’t be penetrated. But that will not be true anymore, as a newly created self-replicating worm has shown.

Wired reports that two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. They have demonstrated a proof-of-concept worm for the first time. The researchers calling “Thunderstrike 2,” that would allow a firmware attack to spread automatically from MacBook to MacBook. The attack is able to infect the BIOS of a Mac and can’t be removed by flashing the operating system or even replacing its hard drive. The attack can also spread across Macs even without a network connection.

The worm was created by Xeno Kovah, owner of firmware security consultancy LegbaCore, and Trammell Hudson, a security engineer with Two Sigma Investments.

These exploits are nearly impossible to detect because security software doesn’t scan the firmware and reinstalling the system doesn’t remove the problem. The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware.

Xeno Kovah said that this attack is really hard to detect, really hard to get rid of, and really hard to protect against something that’s running inside the firmware. For most users that’s really a throw-your-machine-away kind of situation. Most users and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.

An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code through a malicious web site and phishing email. Once on a Mac, the malware would then be on the lookout for any peripherals connected to the computer that contain option ROM of peripheral devices like Apple’s Thunderbolt to Gigabit Ethernet adapter. The worm would then spread to any other computer to which the adapter gets connected.

Xeno Kovah said that this sort of vulnerability could be exploited to infect machines across the globe by selling infected ethernet adapters on eBay, or infect them in a factory.

“People are unaware that these small cheap devices can actually infect their firmware,” says Kovah. “You could get a worm started all around the world that’s spreading very low and slow. If people don’t have awareness that attacks can be happening at this level then they’re going to have their guard down and an attack will be able to completely subvert their system.”

Kovah likens to add that this sort of exploit is how Stuxnet spread to Iran’s uranium enrichment plant at Natanz via infected USB sticks.

“Stuxnet sat around as a kernel driver on Windows file systems most of the time, so basically it existed in very readily available, forensically-inspectable places that everybody knows how to check. And that was its Achille’s heel,” Kovah says.

Hardware makers could guard against firmware attacks if they cryptographically signed their firmware and accompanying updates. And that will be added authentication capabilities to hardware devices to verify these signatures. However, hardware makers aren’t implementing these changes because it would require re-architecting systems entirely. According to the researchers, Apple has not done enough to fix the vulnerabilities that leave Macs open to these kinds of attacks.

“Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware,” Kovah notes. “Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security.”

For more information: Researchers create first firmware worm that attacks Macs [Wired]

Image credit: Pixabay