A new proof-of-concept from security researchers undercuts the old conventional wisdom that Apple computers are inherently safer than PCs, at least where firmware is concerned.
Security experts Trammell Hudson, Xeno Kovah and Corey Kallenberg, who will be presenting at the Black Hat USA conference later this week, developed a firmware-attacking Mac worm they named Thunderstrike 2. Once it infects a machine, Thunderstrike 2 is so hard to detect and so difficult to remove that it can leave the machine effectively unsalvageable, fit only to be thrown away.
Kovah said that the attack is “really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware. For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip,” which is the only way to eliminate this particular malware.
How dire are the implications? As Wired pointed out, “It’s the kind of attack intelligence agencies like the NSA covet. In fact, documents released by Edward Snowden, and research conducted by Kaspersky Lab, have shown that the NSA has already developed sophisticated techniques for hacking firmware.”
Remote delivery is what makes Thunderstrike 2 so much more dangerous than previous Mac firmware attacks, all of which required an attacker to have physical access to the machine; possible means of spreading the infection include malicious websites and phishing emails. As Kallenberg, Kovah, and Hudson explained in their written description of their upcoming Black Hat presentation, “Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform …. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable.”
If Thunderstrike 2 infects a machine, even wiping the hard drive and reinstalling the entire operating system won't fix the problem, because the malware lives in the boot firmware on the logic board rather than on the disk, and an OS reinstall does not rewrite that firmware. As with ever more new malware threats these days, your best (or even only) bet is to not catch the malware in the first place: install the firmware updates Apple ships, never click on a link or download a file from a suspicious email or text message, and never visit a website after a search engine or your own antivirus protection warns you that the site might damage your computer.