Proof-of-concept firmware worm targets Apple computers

It's like Bad USB, with extra Thunderbolt badness: Web-based attacks can insert undetectable malicious software into a Mac's UEFI/BIOS, which spreads to other machines by infecting Thunderbolt and USB devices.

The worm will be presented this week at Black Hat by the good folks from Kovah from Legbacore, who previously demo'ed attacks on the firmware of PCs. Legbacore delivered a list of five firmware bugs to Apple, who managed to patch two of them (one of which is only partially patched). At least one of the remaining vulnerabilities could be easily fixed, but Apple hasn't done anything about it yet.

Apple products have a reputation for being more secure than PCs. It's true that there's less of this sort of shenanigans in the wild for Apple devices, but there's nothing intrinsic about the platform that prevents it.

Thunderstrike 2, however, is designed to spread by infecting what's known as the option ROM on peripheral devices.

An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.

When another machine is booted with this worm-infected device inserted, the machine firmware loads the option ROM from the infected device, triggering the worm to initiate a process that writes its malicious code to the boot flash firmware on the machine. If a new device is subsequently plugged into the computer and contains option ROM, the worm will write itself to that device as well and use it to spread.

One way to randomly infect machines would be to sell infected Ethernet adapters on eBay or infect them in a factory.

Researchers Create First Firmware Worm That Attacks Macs [Kim Zetter/Wired]