A dangerous plague with no cure in sight
If your Mac is infected with malware as a result of a new vulnerability, security researchers say that there is no remedy. Even if you wipe your hard drive or reinstall OS X, your computer will be permanently infected, and the only cure is to throw away your hard drive.
In the past, Apple claimed that its Macs are not vulnerable to the known PC firmware attacks, but researchers claim that Thunderstrike 2 exposes MacBooks to similar vulnerabilities. Unlike the PC-based attacks, infections on a Mac “required physical presence to perform,” said researcher Corey Kallenberg and his team in a statement about the Thunderstrike 2 session at Black Hat.
“People hear about attacks on PCs and they assume that Apple firmware is better,” security researcher Xeno Kovah said in an interview with Wired. “So we’re trying to make it clear that any time you hear about EFI firmware attacks, it’s pretty much all x86 [computers].”
Kovah and his team found that five of the six PC vulnerabilities could affect Mac firmwares.
Vulnerability at the firmware
“It turns out almost all of the attacks we found on PCs are also applicable to Macs,” Kovah said. “Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip” to get remove the malware.
The attack happens at the BIOS level and is targeted at the computer’s firmware. When you power on your computer, the EFI firmware boots up and launches the operating system. Often times, the firmware is vulnerable because it’s not signed by the manufacturer, and sometimes there is nothing preventing users from loading illegitimate firmware files.
Because the firmware remains even if the machine is wiped or restored, the attack is persistent.
“What we also found is that there is really a high likelihood that the vulnerability will also affect Macbooks. Because Apple is using a similar EFI firmware,” said Kovah.
The researchers will demo their findings at the Black Hat and Def Con security conferences, and they note that the malware is tough to detect because malware detectors typically don’t look at the firmware.
Thunderstrike strikes again
To infect a Mac, researchers said that the firmware malware can be delivered as a phishing email or when users visit a malicious website.
Once infected, the firmware will examine the Mac for connected peripherals that contain Option ROM. This could include Thunderbolt accessories. Once these accessories are infected, they can spread to other Macs once plugged in.
Once the new computer boots up, the infected accessory will write the malware to the BIOS.
While this method of delivery is similar to malware delivered over USB ports, Thunderstrike 2 goes a step further by infecting the BIOS rather than the OS, making it difficult to detect and next to impossible to remove.
Recommendations
Researchers suggest that manufacturers, like Apple, sign their firmware with a digital signature and build in write protection so that only authorized firmware could be loaded.