When companies claim their products are unhackable or invulnerable, it must be like waving a red flag in front of bulls, as it practically dares security researchers to prove otherwise. Apple previously claimed that Macs were not vulnerable to the same firmware flaws that could backdoor PCs, so researchers proved they could remotely infect Macs with a firmware worm that is so tough to detect and remove that they suggested it presents a “toss your Mac in the trash” situation.
Corey Kallenberg, Xeno Kovah and Trammell Hudson will present “Thunderstrike 2: Sith Strike” at Black Hat USA on August 6. “Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform,” they wrote in the description of their talk. “Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Macs are in fact vulnerable to many of the software-only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.”
The researchers previously used LightEater when they presented “How Many Million BIOSes Would you Like to Infect?” After they revealed that about 80 percent of PCs have firmware vulnerabilities, Apple claimed Macs did not. But Kovah said that’s not true; he told Wired, “It turns out almost all of the attacks we found on PCs are also applicable to Macs.” In fact, the researchers said five of the six vulnerabilities studied affect Mac firmware.
Firmware runs when you first boot a machine; it launches the operating system. For Apple computers, the firmware is called the Extensible Firmware Interface (EFI). Most people believe Apple products are superior when it comes to security, but the researchers want to “make it clear that any time you hear about EFI firmware attacks, it’s pretty much all x86 [computers].” Attackers need only a few seconds to remotely infect Mac firmware. Macs infected with Thunderstrike 2 would remain infected even if a user were to wipe the hard drive and reinstall the OS, as that doesn’t fix a firmware infection.