Site icon Tapscape

Thunderstrike 2 Targets Mac Firmware, Seen in the Wild

thunderstrike-2-macbook

Are you running OS X 10.11 El Capitan Beta? At least for the moment, you don’t have to worry about Thunderstrike 2, a new and actually virulent bit o’ malware. Thunderstrike 2 infects peripheral device and Mac firmware, and can be spread via a range of mechanisms.

Wired and pretty much the entire tech press are reporting on Thunderstrike 2, an exploit that is actively being exploited in the wild.

There have been examples of firmware worms in the past—but they spread between things like home office routers and also involved infecting the Linux operating system on the routers. Thunderstrike 2, however, is designed to spread by infecting what’s known as the option ROM on peripheral devices.

While Thunderstrike 2 can be used to infect a Windows PC, which isn’t news per se, the headlines are all about the Mac. Moreover, current antivirus apps have no way of detecting let alone removing, if at all possible, Thunderstrike 2 from an affected computer or device.

An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.

Thunderstrike 2 can then spread via essentially any device equipped with option ROM, a type of firmware used in a huge variety of computer and consumer electronics hardware.

Again, as noted by Ars Technica and in the lede above, Apple’s currently in beta OS X 10.11 El Capitan doesn’t appear to be vulnerable. However, Apple’s current OS X 10.10.4 (Yosemite) and in beta OS X 10.10.5 both are Thunderstike 2 exploitable…

Well, it has finally happened. There is a Mac malware out there in the wild that be spread essentially at will and there isn’t, as of this writing, any way to detect or stop it…

Has Thunderstrike 2 changed your the way you think about Mac security?