For years, Mac users have been secure in the knowledge that their platform was relatively safe from malware. A combination of the lower number of users on the platform, less attention from security researchers and, in general, fewer security holes in the operating system than Windows has led to a history generally free of damaging viruses and malware. So proud has Apple been of its security that it even ran several spots in its Mac vs PC ad campaign dedicated to the idea that Macs don’t get viruses.
However, that myth is set to be shattered by security researchers Trammell Hudson and Xeno Kovah, who have developed the first-of-its-kind malware that can infect a Mac’s firmware—Thunderstrike 2. For Kovah, co-founder of security training firm LegbaCore, and Hudson, a security engineer at investment management firm Two Sigma Investments, this proof-of-concept worm exposes the potential security flaw in Apple’s computing devices.
They will present this research at the Black Hat and Def Con security conferences in Las Vegas later this week. During the demo of the malware to Wired, Hudson says, “It’s really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware.”
A computer’s primary firmware—also referred to as BIOS, UEFI or EFI—is the piece of software that boots all the installed components and launches its operating system. With the malware, this critical software can be infected.
And this is perhaps the perfect place to hide malware, because antivirus and other security products do not have the capability or permission to scan this firmware. It starts working as soon as the computer is switched on, and begins collecting potentially sensitive data—website logins, passwords, banking details and even keystrokes.
There are multiple ways of infecting a Mac with malware that would work the same way as Thunderstrike 2—through email attachments, infected downloads, fake websites or even over a network through the Wi-Fi router. And it is extremely easy for it to spread to more computers. The malware searches for any external devices connected to the infected computer, such as a portable storage drive. The worm proceeds to infect the firmware installed on those peripherals too, and will spread to any other computer they are connected to.
As a user, you cannot really identify if the firmware has been infected or altered in any way, because the computer will continue to boot normally. Even if you suspect something is wrong and reinstall the operating system afresh, the malware still remains untouched because the firmware does not get wiped and reinstalled. This is perhaps a situation where most users would only end up throwing away that particular computer.
Last year, Kovah and his partner at LegbaCore, Corey Kallenberg, identified multiple firmware vulnerabilities that affected Windows-based PCs, including ones from Dell, Lenovo, Samsung and HP. While PC makers do install some level of security to prevent unauthorized alteration of the BIOS, these protections are still not completely foolproof.