{"id":44839,"date":"2015-08-04T08:29:10","date_gmt":"2015-08-04T15:29:10","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=44839"},"modified":"2015-09-04T12:25:25","modified_gmt":"2015-09-04T19:25:25","slug":"thunderstrike-2-firmware-worm-proves-apple-needs-a-bug-bounty","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/thunderstrike-2-firmware-worm-proves-apple-needs-a-bug-bounty\/","title":{"rendered":"Thunderstrike 2 Firmware Worm Proves Apple Needs a Bug Bounty"},"content":{"rendered":"

\"Thunderstrike<\/p>\n

What’s that? Lightning never strikes in the same place twice?<\/p>\n

Well, sometimes it does \u2014\u00a0and this time it’s just become much more dangerous.<\/p>\n

Earlier this year, we described how Apple had patched a serious security hole in OS X called “Thunderstrike.”<\/a><\/p>\n

What made Thunderstrike so nasty was that it could install malware onto your computer’s firmware \u2014\u00a0specifically the ROM EFI boot chip \u2014 and once in place could turn itself “invisible,” making it impossible to detect through anti-virus software, because of the extremely low level it was running at.<\/p>\n

Once in place, malware could spy on you or steal information \u2014\u00a0and it was even capable of fending off removal attempts using firmware-flashing software.<\/p>\n

The only silver lining on Thunderstrike’s cloud was that an attacker needed to infect your Mac, by plugging a boobytrapped Thunderbolt device into your Mac or Macbook\u00a0\u2014 without physical access, the attacker wouldn’t be able to infect you.<\/p>\n

Well, that was then and this is now.<\/p>\n

With the newly unveiled Thunderstrike 2, things have taken a dramatic turn.<\/p>\n

Trammell Hudson, the researcher who first revealed details of the original Thunderstrike, has teamed up with Xeno Kovah, to reveal a way in which a Mac’s firmware can be infected without physical access, from anywhere on the planet.<\/p>\n

As Wired<\/em> reports<\/a>, researchers have even developed a proof-of-concept worm that allows the firmware attack to spread automatically between Macbooks, even if they are not networked to each other.<\/p>\n

The attack raises the stakes considerably for system defenders since it would allow someone to remotely target machines\u2014including air-gapped ones\u2014in a way that wouldn\u2019t be detected by security scanners and would give an attacker a persistent foothold on a system even through firmware and operating system updates.<\/p><\/blockquote>\n

You can see the Thunderstrike 2 firmworm in action in the following YouTube video<\/a>:<\/p>\n