Researchers demonstrate proof of concept for firmware worm that can directly target Macs

Posted by:
Date: Monday, August 3rd, 2015, 16:00
Category: Hack, MacBook, MacBook Air, MacBook Pro, News, security, Software


It’s generally been accepted that Apple’s computers are much more secure than their Windows PC counterparts.

This isn’t entirely true, as a part of researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of Macs. The researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.

The attack, if carried out successfully, would allow someone to gain a foothold through both the firmware and operating system, the presence of malware in the firmware potentially blocking new updates from being installed or simply write itself to a new update as it’s installed.

The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware.

[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” says Xeno Kovah, one of the researchers who designed the worm. “For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”

The Mac firmware research was conducted by Kovah, owner of LegbaCore, a firmware security consultancy, and Trammell Hudson, a security engineer with Two Sigma Investments. They’ll be discussing their findings on August 6 at the Black Hat security conference in Las Vegas.

Last year, Kovah and his partner at Legbacore, Corey Kallenberg, uncovered a series of firmware vulnerabilities that affected 80 percent of PCs they examined, including ones from Dell, Lenovo, Samsung and HP. Although hardware makers implement some protections to make it difficult for someone to modify their firmware, the vulnerabilities the researchers found allowed them to bypass these and reflash the BIOS to plant malicious code in it.

Kovah, along with Hudson, then decided to see if the same vulnerabilities applied to Apple firmware and found that untrusted code could indeed be written to the MacBook boot flash firmware. “It turns out almost all of the attacks we found on PCs are also applicable to Macs,” says Kovah.

They looked at six vulnerabilities and found that five of them affected Mac firmware. The vulnerabilities are applicable to so many PCs and Macs because hardware makers tend to all use some of the same firmware code.

In the case of at least one vulnerability, there were specific protections that Apple could have implemented to prevent someone from updating the Mac code but didn’t.

They notified Apple of the vulnerabilities, and the company has already fully patched one and partially patched another. But three of the vulnerabilities remain unpatched.

There have been examples of firmware worms in the past—but they spread between things like home office routers and also involved infecting the Linux operating system on the routers. Thunderstrike 2, however, is designed to spread by infecting what’s known as the option ROM on peripheral devices.

An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.

One way to randomly infect machines would be to sell infected Ethernet adapters on eBay or infect them in a factory.

In a demo video Kovah and Hudson showed WIRED, they used an Apple Thunderbolt to Gigabit Ethernet adapter, but an attacker could also infect the option ROM on an external SSD or on a RAID controller.

No security products currently check the option ROM on Ethernet adapters and other devices, so attackers could move their worm between machines without fear of being caught. They plan to release some tools at their talk that will allow users to check the option ROM on their devices, but the tools aren’t able to check the boot flash firmware on machines.

It’s said that the work could target air-gapped systems that can’t be infected through network connections and could be infected through Ethernet adapters or infected USB sticks.

Hardware makers could guard against firmware attacks if they cryptographically signed their firmware and firmware updates and added authentication capabilities to hardware devices to verify these signatures. They could also add a write-protect switch to prevent unauthorized parties from flashing the firmware.

Stay tuned for additional details as they become available.

If you’re worried about this infecting your computer, please read through the source article and its collection of useful comments and feedback, remember that this is just a proof of concept at this point and gather as much information as you can. It’s a frightening tech world out there, but if you stay informed, you can keep your head above water and continue using and enjoying your Mac.

Via Wired

Recent Posts