For many of us Mac users, the fact that there aren't a whole lot of viruses and malware out there that can mess with our browsers and operating systems is one of the brand's biggest draw-cards. For some, it will be the deciding factor when figuring out whether to go the Mac or PC route.
But it's time to dial back the smugness for a minute, because a couple of researchers in the US have designed a firmware worm that can infiltrate your MacBook, undetected, and then spread from MacBook to MacBook to MacBook, even if those MacBooks aren't connected to a network.
How does this work? As Kim Zetter explains at Wired, the so-called Thunderstrike 2 worm can be delivered to your computer via a phishing email, a USB device, or even an Ethernet adapter, and once in your system it writes itself into the computer's boot firmware. Known as the BIOS on PCs (Apple's version is built on EFI), this is the core firmware that runs before the operating system and is responsible for booting it.
Then it goes hunting for peripherals. Many Thunderbolt devices carry a small firmware chip of their own, the Option ROM, which the boot firmware loads and runs at start-up, and the worm copies itself into it. That is how it hops between machines that are never on a network. Got a work computer that's completely disconnected from the Internet for security purposes? All someone needs to do is innocently plug in an infected Ethernet adapter or external SSD to transfer some data, and off the worm goes into your machine.
Once it has infected your machine, it will not only let an attacker access it remotely whenever they want, but will stay there regardless of how good your security software is (if you even have something like that on your Mac right now), because that software runs on top of the operating system, and the firmware is what loads the operating system. It will also survive however many firmware and operating system updates you throw at it.
"Firmware updates require the assistance of a machine's existing firmware to install, so any malware in the firmware could block new updates from being installed or simply write itself to a new update as it's installed," says Zetter.
This thing is so malignant, the only way to rid your infected machine of it is to re-flash whatever chip it's hiding on. And if you think that sounds like a huge, colossal pain in the butt, congratulations, you are correct.
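A practical note on checking for this, added here as an illustration and not taken from Zetter's article or the researchers' own tooling: anything you read from inside the operating system passes through the very firmware you are trying to inspect, so the only dump worth trusting is one taken with an external programmer clipped to the flash chip (flashrom driven by a hardware programmer will produce one). Given such a dump and a known-good image of the same firmware version, the Python below compares the two block by block and reports where they differ. The sample images are constructed inside the script so that it runs stand-alone, and the file names in the comment are placeholders.

```python
import hashlib
from typing import List, Tuple

BLOCK = 4096  # typical SPI flash erase-block size; compare at this granularity


def sha256_hex(data: bytes) -> str:
    """Whole-image fingerprint, handy for comparing against a published golden hash."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(golden: bytes, suspect: bytes, block: int = BLOCK) -> List[Tuple[int, int]]:
    """Return (offset, length) for each run of blocks where suspect differs from golden.

    A size mismatch raises ValueError rather than being glossed over: a dump that
    is not the size of the flash part is itself suspicious (truncated read, wrong
    chip selected on the programmer).
    """
    if len(golden) != len(suspect):
        raise ValueError(f"size mismatch: golden={len(golden)} suspect={len(suspect)}")
    regions: List[Tuple[int, int]] = []
    start = None
    for off in range(0, len(golden), block):
        same = golden[off:off + block] == suspect[off:off + block]
        if not same and start is None:
            start = off                      # first differing block of a run
        elif same and start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:                    # run reaches the end of the image
        regions.append((start, len(golden) - start))
    return regions


def verify(golden: bytes, suspect: bytes) -> dict:
    """Summarise the comparison; 'clean' is True only when nothing differs."""
    regions = diff_regions(golden, suspect)
    return {
        "golden_sha256": sha256_hex(golden),
        "suspect_sha256": sha256_hex(suspect),
        "clean": not regions,
        "modified_regions": regions,
    }


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample, not a real firmware image: a 64 KiB repeating pattern
    and a copy with tampering in three places (a 16-byte patch, and two
    single-byte changes that land in adjacent blocks)."""
    golden = bytes(range(256)) * 256
    suspect = bytearray(golden)
    suspect[0x3000:0x3010] = b"\xff" * 16
    suspect[0x8000] ^= 0x01
    suspect[0x9010] ^= 0x01
    return golden, bytes(suspect)


if __name__ == "__main__":
    # Real use (hypothetical file names):
    #   golden  = open("golden_firmware.bin", "rb").read()
    #   suspect = open("external_dump.bin", "rb").read()
    golden, suspect = build_sample_images()
    report = verify(golden, suspect)
    print("clean" if report["clean"] else "MODIFIED")
    for off, length in report["modified_regions"]:
        print(f"  0x{off:06x}  {length} bytes")
```

Two caveats a practitioner will want: the comparison is only meaningful against a golden image of exactly the same firmware version, and some regions of a real image (the EFI variable store, for instance) legitimately change between boots, so a reported difference is a lead to examine, not proof of infection on its own. A clean result from a dump taken through the operating system proves nothing, for the reason the article gives.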
"[The attack is] really hard to detect, it's really hard to get rid of, and it's really hard to protect against something that's running inside the firmware," Xeno Kovah, one of the researchers behind Thunderstrike 2 and the owner of firmware security consultancy LegbaCore, told Wired. "For most users that's really a throw-your-machine-away kind of situation. Most people and organisations don't have the wherewithal to physically open up their machine and electrically reprogram the chip."
The Thunderstrike 2 worm was developed as a proof of concept by Kovah and Trammell Hudson, a security engineer with the tech company Two Sigma Investments, to highlight the rather large holes in Apple's 'walled garden'. They'll be discussing their findings this week at the Black Hat security conference in Las Vegas.
But don't throw your beloved MacBook in the trash just yet, Adam Clark Estes says at Gizmodo: "Apple acknowledged Thunderstrike over six months ago and addressed the vulnerabilities, so there's much hope that it will patch the new vulnerabilities that Thunderstrike 2 targets, too."
Apple isn't the only vendor with firmware problems, either: the researchers identified serious vulnerabilities in 80 percent of the PCs they examined, including Dell, Lenovo, Samsung, and HP machines. One thing's for sure: BIOS hacking won't be just for the NSA for much longer. Head over to Kim Zetter's article at Wired to get the full rundown.