
Security researchers build on PC vulnerabilities to create first firmware-based Mac worm

While Apple generally puts a lot of effort into making sure that Macs remain virus-free and secure, a duo of researchers, Xeno Kovah and Trammell Hudson, have discovered that many PC firmware vulnerabilities also affect Macs, leaving Apple’s hardware open to attacks on the firmware that can survive OS X reinstallation and system wipes.

In fact, the researchers found that of the six vulnerabilities they tested on PCs from various manufacturers, all but one also affected Macs.

As noted above, firmware worms can survive on a system even after the computer has been fully erased and the operating system has been completely reinstalled. This is because, unlike viruses that attack OS X at the software level, malicious code that infects a machine’s firmware is stored in specific hardware components rather than on the disk.

Since computers can’t function without some instructions telling the hardware what to do, machines rely on their firmware whenever no operating system is running: for example, when the computer hasn’t fully booted yet, or when it has been erased and has no software left to run. The firmware isn’t located on the hard drive and isn’t touched by a disk wipe, so the computer always has instructions on how to run even without an operating system.

In the event that the firmware is updated, the existing version of the firmware has to guide the computer through the process of installing that update, meaning infected firmware could prevent an update from repairing the damage. That’s why firmware attacks are so tricky: they infect one of the most important parts of the computer, and have enough power to keep the system from fixing the problem.

These types of attacks can also be almost impossible to detect. Once they are detected, however, there’s little that can be done to get rid of them short of completely reflashing the affected firmware or buying a new computer.

Firmware attacks are possible because many computer manufacturers put few safeguards in place to prevent malicious updates or changes, leaving many computers vulnerable. According to Wired, Apple could have put protections in place to prevent at least one type of attack discovered by the research group, but apparently elected not to.

Once a Mac has been infected, it can spread the malicious firmware to additional machines through attached peripherals, spreading even to systems that are otherwise completely disconnected from other computers.

An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.

When another machine is booted with this worm-infected device inserted, the machine firmware loads the option ROM from the infected device, triggering the worm to initiate a process that writes its malicious code to the boot flash firmware on the machine. If a new device is subsequently plugged into the computer and contains option ROM, the worm will write itself to that device as well and use it to spread.

One way to randomly infect machines would be to sell infected Ethernet adapters on eBay or infect them in a factory.

Ethernet adapters aren’t the only external devices that can be used to spread the infection. Kovah noted that many SSDs and storage devices have hardware that can be used to transfer the malware from one machine to another.

Since the discovery and disclosure of these attacks to Apple, the team says one has been fixed and another has been partially closed, although unfortunately the other three are still present in the current Mac firmware. The open vulnerabilities allowed the researchers to create a new version of the Thunderstrike vulnerability discovered late last year.

Details on the vulnerabilities will be discussed during the Black Hat conference later this week. The team says they plan to release tools at that time that allow users to check connected peripherals for infection, but unfortunately technical limitations prevent them from checking the machine itself for an issue.
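The worm described above rides on PCI option ROM images, and the tools the researchers mention check peripherals by reading that ROM. As an added illustration (not the researchers’ tool and not code from 9to5Mac), the following Python walks a dumped expansion ROM using the header layout from the PCI Firmware Specification (0x55AA signature, pointer at offset 0x18 to a “PCIR” data structure carrying vendor/device ID, image length and code type), hashes each image, and compares the hashes with an allowlist taken from a trusted dump. The ROM bytes, vendor/device IDs and baseline hashes here are constructed for the example; a real check would read the dump from the adapter by whatever means the platform offers.

```python
import hashlib
import struct

# Code type values defined in the PCI Data Structure (PCI Firmware Specification).
CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}


def parse_option_rom(blob):
    """Walk every image in a PCI expansion ROM dump and describe it.

    Returns a list of dicts, one per image. Raises ValueError on a malformed
    header so a truncated or tampered dump is never silently reported as clean.
    """
    images = []
    offset = 0
    while True:
        if len(blob) < offset + 0x1A:
            raise ValueError(f"image header at {offset:#x} runs past end of dump")
        if blob[offset:offset + 2] != b"\x55\xAA":
            raise ValueError(f"missing 0x55AA ROM signature at {offset:#x}")
        pcir = offset + struct.unpack_from("<H", blob, offset + 0x18)[0]
        if len(blob) < pcir + 0x18:
            raise ValueError(f"PCIR structure at {pcir:#x} runs past end of dump")
        if blob[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"missing PCIR signature at {pcir:#x}")
        vendor_id, device_id = struct.unpack_from("<HH", blob, pcir + 4)
        image_len = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512  # units of 512 bytes
        code_type = blob[pcir + 0x14]
        indicator = blob[pcir + 0x15]  # bit 7 set marks the last image in the ROM
        if image_len == 0 or offset + image_len > len(blob):
            raise ValueError(f"image at {offset:#x} declares {image_len} bytes, dump has {len(blob) - offset}")
        image = blob[offset:offset + image_len]
        images.append({
            "offset": offset,
            "vendor_id": vendor_id,
            "device_id": device_id,
            "code_type": CODE_TYPES.get(code_type, f"unknown ({code_type:#x})"),
            "length": image_len,
            "sha256": hashlib.sha256(image).hexdigest(),
        })
        if indicator & 0x80:
            return images
        offset += image_len


def check_against_baseline(images, baseline):
    """Return the images whose hash is not in the allowlist for their vendor/device pair."""
    return [img for img in images
            if img["sha256"] not in baseline.get((img["vendor_id"], img["device_id"]), set())]


def build_image(vendor_id, device_id, code_type, last, payload):
    """Build one well-formed 1 KiB image (constructed test data, not real firmware)."""
    length_units = 2  # 2 * 512 = 1024 bytes
    header = bytearray(0x1A)
    header[0:2] = b"\x55\xAA"
    struct.pack_into("<H", header, 0x18, 0x20)  # PCIR structure lives at image offset 0x20
    pcir = bytearray(0x18)
    pcir[0:4] = b"PCIR"
    struct.pack_into("<HH", pcir, 4, vendor_id, device_id)
    struct.pack_into("<H", pcir, 0x0A, 0x18)  # length of the PCIR structure itself
    struct.pack_into("<H", pcir, 0x10, length_units)
    pcir[0x14] = code_type
    pcir[0x15] = 0x80 if last else 0x00
    image = bytearray(length_units * 512)
    image[0:0x1A] = header
    image[0x20:0x38] = pcir
    image[0x40:0x40 + len(payload)] = payload  # stand-in for the image's code body
    return bytes(image)


# Constructed sample dumps: a clean two-image ROM (legacy + EFI) and a copy whose
# EFI image body differs by one byte. Vendor/device IDs are placeholders.
_LEGACY = build_image(0x1234, 0xABCD, 0x00, last=False, payload=b"legacy init stub")
_EFI_CLEAN = build_image(0x1234, 0xABCD, 0x03, last=True, payload=b"efi driver body")
_EFI_ALTERED = build_image(0x1234, 0xABCD, 0x03, last=True, payload=b"efi driver b0dy")
SAMPLE_ROM = _LEGACY + _EFI_CLEAN
TAMPERED_ROM = _LEGACY + _EFI_ALTERED

# Allowlist keyed by (vendor, device), populated from a dump taken while the adapter was trusted.
BASELINE = {(0x1234, 0xABCD): {img["sha256"] for img in parse_option_rom(SAMPLE_ROM)}}


if __name__ == "__main__":
    for name, rom in (("clean adapter", SAMPLE_ROM), ("suspect adapter", TAMPERED_ROM)):
        images = parse_option_rom(rom)
        flagged = check_against_baseline(images, BASELINE)
        print(f"{name}: {len(images)} image(s), {len(flagged)} not in baseline")
        for img in flagged:
            print(f"  offset {img['offset']:#x} {img['code_type']} sha256={img['sha256'][:16]}...")
```

The parser refuses a dump whose declared image length overruns the data rather than reporting a partial result, and the baseline is keyed by vendor/device pair so a known-good hash for one adapter model cannot vouch for another. This only covers what a tool can read from the peripheral; as the article notes, checking the machine’s own boot flash is a separate problem.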


Comments

  1. 89p13 - 9 years ago

    As much as this is upsetting – NOTHING is 100% safe. If it connects to one other device, has a disk drive or any other I/O device – It Is Vulnerable! It’s just how much trouble is it and how careful are the users?

    Damn the Interwebs! ;)

  2. MarkByron Falta - 9 years ago

    So the worms magically attach themselves to specific hardware components – what magic makes that happen? This article is the classic example of FUD because it only sensationalizes the scary problem without any specifics to how it happens or even the risk.

  3. Leif Paul Ashley - 9 years ago

    They could, it could, it’s possible… yea anything is possible. A hacker could make it explode in your face and as we’ve seen on Star Trek, that’s fatal. I’m selling face shields for this on Amazon by the way.

    I can’t believe these guys attached their names to this… come back when could turns to can.

  4. godrifle - 9 years ago

    Christ, can you write a headline that puts the onus squarely on Apple for once? Holding their feet to the fire might go a long way to pushing Apple to be better than they are.

  5. paulywalnuts23 - 9 years ago

    Guess what, patches are coming, Cult of Mac reports. I only say that as I don’t anticipate that 9to5 will write anything about it.