Apple thunderstruck by firmware worm

If there is one big advantage of owning a Mac, it's that they aren't targeted with viruses and malware with the same alarming regularity as Windows devices. While users of Microsoft's software see antivirus and malware detectors as a necessity, it's likely that they barely raise a blip on a Mac user's radar. In fact, for a while, Apple traded on the fact that its computers didn't get viruses.

So there may have been more than a few wry smiles at the news that Macs are potentially vulnerable to a bug that spreads through infected hardware.

The work of white hat researchers, the vulnerability and the resulting worm has caused some hysteria online, and has shaken the belief that Apple’s security is almost impenetrable.

What is it?

The catchily named Thunderstrike 2 is a firmware worm. Specifically, it targets the core firmware of the machine, which you might know better as the BIOS, UEFI or EFI. This is a low level code responsible for booting your computer and launching the operating system, whether it is Windows or OS X. Essentially, it’s a set of instructions for your computer that tells it how to boot up, where to find different elements and what to do once it’s woken.

“Its half way between software and hardware,” explained Dermot Williams, Threatscape. “It’s the software that’s built into the hardware.”

Researchers found a series of vulnerabilities that affected PCs and Macs, allowing malicious code to be inserted into the firmware despite a series of protections put in place by hardware makers to try to prevent it.

The original Thunderstrike was discovered earlier this year, but required physical access to a machine to infect it, making it a little more difficult to spread the worm.

So how does this one spread?

Unlike the common or garden virus that uses infected files in email, websites or USB drives to spread itself from machine to machine, Thunderstrike 2 can also use your Mac accessories. It can be spread remotely, delivered to your Mac initially through an infected website or a phishing email, but once it takes hold, it can spread to your Mac’s accessories, and then after that, make the leap to any Mac that the accessory is connected to. The ones at risk use Option ROM.

Option ROM? Never heard of it.

Option ROM is like an extension to your system’s BIOS. But it’s probably easier to talk about actual products, for example, the Thunderbolt ethernet adaptor that Apple users may have. That contains Option ROM and so is, in theory, vulnerable to the worm. Once that’s infected, it can infect another Mac that it is connected to, and the cycle continues.

What does it actually do?

Once Thunderstrike has taken hold, it could give attackers root level access to a machine, giving them control of it without you even being aware it has been infected. They could in theory run additional attacks on your machine. Security consultant Brian Honan says attacks like this are typically a beachhead, that allows malicious users to take more control over your system through additional malware.

Is Thunderstrike 2 a big deal?

Yes and no. It certainly sounds frightening. What makes Thunderstrike such a problem is not only how it spreads, but also the fact that it’s undetectable. Because it’s a firmware worm, it isn’t usually picked up by antivirus software, and it can survive a complete system reinstallation.

However, the vulnerability is still at the proof of concept stage, and there’s nothing to suggest that it’s out in the wild. The worm was created by researchers who have been demonstrating why this is a problem. If someone does exploit it before Apple can patch it though, that would be something to worry about.

“It’s a research project but now the information is out there, criminals and other people could potentially start looking at this,” said Honan.

Who is at risk?

Any Mac that has shipped with a Thunderbolt port could, in theory, be susceptible. It could even infect computers that have never been connected to the internet, thanks to the ability to spread via Thunderbolt accessories.

How easy is it to get rid of?

Good question. Thunderstrike is hard to remove once it has taken hold. A system reboot won’t shift it, nor will reinstalling the operating system. Researchers say the only way to do it is to reset the chip. That’s way outside the expertise of most users.

What do I do to protect myself?

The old advice, often repeated, still works. Be careful what websites you visit, don’t download or open attachments you don’t trust, and don’t plug accessories in that you aren’t completely sure about.

Keeping your operating system up to date is also a good move; when Apple patches the remaining vulnerabilities – and it plans to do it as soon as possible according to the latest reports – you’re going to want to install the updates.

When it comes to buying accessories, only buy Thunderbolt devices from trusted sellers. And if something seems a really great deal, proceed with caution. If it seems too good to be true, it probably is.

What is Apple doing about it?

There are reports that the company is patching the vulnerability as quickly as possible, and in the meantime, it will be keeping an eye on developers and apps to make sure they aren’t exploiting the flaw.

Apple has also patched one previously known flaw, and partially fixed another.

What is recommended is that manufacturers using EFI implement some controls such as cryptographically signing the Option ROMS. That would prevent code being run without a valid signature.

Anything else I should know?

The vulnerability is specifically aimed at computers rather than smartphones and iPads.

Windows users don’t escape unscathed, as the bug also affects their systems. The original vulnerabilities were discovered in about 80 per cent of the top PC brands. However, some PC makers, including Dell and HP, have already implemented security measures that prevent the worst of the effects.

“It highlights that there is no such thing as 100 per cent security, and all manufacturers will have to up their game when it comes to security,” said Honan.