New Mac Malware Spreads Via Thunderbolt Ports

Both ends of an Apple Thunderbolt cable. Credit: AppleBoth ends of an Apple Thunderbolt cable. Credit: Apple

Thunder and lightning may not be so frightening, but new Mac malware that spreads via Thunderbolt devices sure is. Dubbed Thunderstrike by its creator, it's a bootkit that spreads from an malicious Thunderbolt-connected device and exploits known security flaws in Apple's EFI firmware to write itself onto the infected Mac's motherboard.

Not only is it nearly impossible to remove, but Thunderstrike can leap from the infected Mac to other Thunderbolt devices, which can then go out and infect yet more Macs. The good news: Thunderstrike was developed by a security researcher, Trammell Hudson, as a proof-of-concept, so it's very unlikely that criminals or attackers are using it or anything similar in the wild.

Thunderbolt ports are less common on non-Apple PCs, and most Windows machines made in the past few years use a later implementation of EFI, called UEFI, that wouldn't be vulnerable to this attack.

MORE: Best Mac Antivirus Software

A bootkit is a piece of malware that infects computers at a level below the operating system — it alters software or firmware involved in the startup or boot process before the main operating system, such as Windows or OS X, loads. From this advantaged position, the bootkit (and by extension the attackers controlling it) can alter or control almost all processes on a computer. 

Thunderstrike starts off as malicious firmware embedded in a Thunderbolt-connected device. Once plugged into a Mac, the malicious firmware alters the Mac's EFI boot firmware, analogous to the BIOS firmware on older PCs but much more complex. Because of uncorrected flaws in Apple's older version of EFI, the Thunderbolt firmware on the attached device can circumvent the cryptographic signature checks that are meant to make sure the EFI firmware receives only valid updates.

"This allows an attacker with physical access to the machine to write untrusted code to the SPI [serial peripheral interface] flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems," Hudson wrote on his blog.

Physical access to a targeted machine isn't as difficult as it sounds; a classic "evil maid" attack on a laptop left in hotel room would suffice.

The infected computer won't be able to receive further EFI updates from Apple, because the attacker has changed the locks on the door, so to speak. Apple updates are signed with a cryptographic key, but after Thunderstrike hits, only EFI updates signed with the attackers' own cryptographic key will fit the new lock. 

Once Thunderstrike infects a Mac, it's very difficult to eliminate. Even reinstalling the operating system or replacing the hard drive is not enough: only a in-system programming device can eliminate the rootkit and restore the motherboard's firmware to its properly functioning state.

Thunderstrike can also write itself to other Thunderbolt devices attached to the infected computer, which can in turn continue to spread the rootkit when plugged into other Macs.

"The [infected Thunderbolt] devices remain functional, which would allow a stealthy bootkit to spread across air-gap security perimeters through shared Thunderbolt devices," Hudson wrote.

Hudson will present his full findings at the Chaos Communication Congress security conference in Hamburg, Germany, on Dec. 29.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can email Jill at jscharr@tomsguide.com, or follow her on Twitter @JillScharrand on Google+. Follow us @tomsguide, on Facebook and on Google+.

Create a new thread in the MacBooks forum about this subject
This thread is closed for comments
No comments yet
Comment from the forums
    Your comment