Firmware Worm Permanently Infects Macs in Seconds

It has been a common understanding that Apple devices are well-protected and less vulnerable.

It is also believed that Apple computers are difficult to hack because they have a higher level of protection as compared to the Windows operating systems.

But a recent study performed by a team of researchers proved it all wrong. They found a number of vulnerabilities using which they have created a worm that can infect Mac systems permanently. Furthermore, they also designed a worm that can multiply itself from one Mac to another without any networking.

Image VIA: ICD

Before their official presentation at Black Hat event, researchers demonstrated the working of a worm developed by them to show that both, Windows and Mac computers have identical vulnerabilities, which are easy to exploit if the hacker determines it.

The Firmware Worm Codenamed “Thunderstrike 2”

The firmware worm has been created by two security researchers Trammell Hudson, a Security Engineer at Two Sigma Investments and the person who first discovered the Thunderstrike vulnerability, and Xeno Kovah, owner of Firmware Security Consultancy firm LegbaCore.

For those of you who are not aware of “Thunderstrike,” it was discovered earlier this year with only a conceptual attacking that requires the attacker to have physical access to the target computer. On the other hand, Thunderstrike 2 is an actual worm that can target Mac based computers using the same vulnerabilities exploited by Thunderstrike 1, but can be deployed remotely.

Thunderstrike 2 has the capability to infect Mac computers at the firmware level, making it next to impossible to remove, leaving the user with the only possibility i.e. re-flash the infected chip.

“It’s really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware.” – Trammell Hudson

Xeno Kovah, one of the researchers who created the firmware worm said,

“ really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware. For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”

The Vulnerability

The vulnerability is found in the core firmware of the computer system that is usually referred to as UEFI, EFI or BIOS. Firmware is the software that boot up a computer and operating system. It is easy to infect because most of the hardware manufacturers do not encrypt or officially sign the firmware. Furthermore, manufacturers do not include any security layer to authenticate if the firmware installed is genuine or not.

According to the researchers, firmware is the best place to hide malware because it operates at a higher level where no security product can detect it, resulting in a malware to remain undetectable.

Even if the user decides to completely wipe off the operating system and then reinstall it would have zero effect on the infected firmware because it remains untouched while maintaining a tireless hold onto the system.

The Six Known Firmware Vulnerabilities

Both of these researchers, in an attempt to find vulnerabilities, inspected a chain of firmware developed by various computer manufacturers including Samsung, Dell and HP. Even though all the hardware manufacturers have implemented a protection to certain degree, making it difficult to modify the firmware, but researchers were able to find vulnerabilities that allowed them to bypass the protection and flash the BIOS with malicious firmware.

MAC is secure, they said

To further empower their research and to inspect if Apple really provides a higher level of protection against this malware, researchers searched for the same vulnerabilities in the Apple computer’s firmware and they found the same vulnerabilities in Mac based computers’ firmware too.

Every hardware manufacturer uses the same firmware code that is why the found vulnerabilities are applicable to many Macs and Windows based computers.

Xeno Kovah said,

“It turns out almost all of the attacks we found on PCs are also applicable to Macs. Most of these firmwares are built from the same reference implementations, so when someone finds a bug in one that affects Lenovo laptops, there’s a really good chance it’s going to affect the Dells and HPs. What we also found is that there is really a high likelihood that the vulnerability will also affect Macbooks. Because Apple is using a similar EFI firmware.”


Researchers have planned to talk about their research while further demonstrating the vulnerabilities found in the Macs firmware that are also affecting Windows-based systems. Furthermore, they will highlight the consequences of the exploits and what the vulnerability is capable of.

Both researchers, Xeno Kovah and Tramell Hudson, will discuss Thunderstrike 2: Sith Strike at the Black Hat Security Conference that is scheduled for August 6th in Las Vegas.

Report typos and corrections to [email protected]


Related Posts