In case you missed it during the busy holiday rush over the past few weeks, a computer security expert has discovered a vulnerability in the Mac’s much-vaunted Thunderbolt port that is causing some concern amongst Apple fans. This major security flaw has been dubbed “Thunderstrike,” and it could be used to launch an attack on a Mac’s boot ROM, which has the potential to render the computer completely useless. Worse yet, the installed malware could potentially spread across a network to other Macintosh computers, infecting them as well. The revelation of Thunderstrike isn’t as dire as some would have you believe, however, although it is important to understand the threat nonetheless. Here are 5 things you need to know about this Mac security vulnerability.
Proof of Concept
As of now, Thunderstrike is simply a proof of concept, and isn’t infecting any computers. It was conceived and created by tech security specialist Trammell Hudson, who unveiled it at a computer security conference in Germany a few weeks back. Hudson used an already-known vulnerability in Thunderbolt to demonstrate how the high-speed port could be exploited to install a custom bootkit on a computer that could then be used for any number of nefarious purposes. This new firmware could also spread to other computers via shared Thunderbolt devices or over a network. Fortunately, Hudson says that there are no known firmware bootkits in the wild, and that his creation was meant to simply show what is possible if hackers were to use this type of attack to infect computers.
Nearly Impossible to Remove
If your system is infected, it is nearly impossible to rid it of a Thunderstrike virus. Since it installs itself into the ROM chip that controls the Thunderbolt port, it actually exists in a space that is independent of both the operating system and the hard drive. Reinstalling OS X does not remove the malware, nor does physically removing the hard drive and replacing it with another. Instead, the infected firmware needs to be overwritten with the proper firmware by a device designed specifically to update that code. Since very few Mac owners would have access to such a device, it would require a hardware specialist to fix the problem.
Thunderstrike Can Circumvent Passwords
Obviously passwords are always recommended to help keep your system as safe as possible, but very few of us actually access the firmware on our computers and activate a password protection scheme on that level. It doesn’t matter if you do, however, as Thunderstrike actually activates itself in the boot ROM prior to any password protection taking place. This allows it to circumvent those passwords, delete them altogether, or replace them with entirely new ones. Additionally, the malware can keep track of any passwords that are used on the computer, including for FileVault. This has the potential of even exposing encrypted files. In other words, it doesn’t really matter how sophisticated your passwords are, or where you use them.
Requires Physical Access
Once installed, Thunderstrike can do a lot of damage, possibly locking users out of their computers, preventing future security updates, or even collecting valuable data about them. But the good news is that the proof-of-concept malware that Hudson demonstrated still requires physical access to a computer to launch the initial process. That means someone needs to physically install it on your Mac for it to take effect. Apparently the installation process takes several minutes, which means someone would need a sizable amount of time alone with your Mac in order to install it. So even if Thunderstrike did exist in the wild, at this time you wouldn’t be able to become infected simply by visiting a website or installing a piece of unsigned software. As scary as the implications of this security flaw are, it seems very unlikely that we’ll see very many people actually contract the virus on their computer.
Apple is Working on a Fix
As mentioned above, this is an exploit that has existed in Thunderbolt for more than two years, and Apple has already partially fixed the problem on newer computers with an updated firmware release. Additionally, the company is looking at Hudson’s findings to discover a way to close off access altogether, ensuring that Thunderstrike never becomes an issue. Since this malware isn’t spreading across the Internet, chances are it will be patched before anyone can truly find a way to exploit it on a wider scale.
It should be noted that this security flaw only impacts Macs that have a Thunderbolt port. Older Macs without one obviously have nothing to fear from this vulnerability, and neither do Windows PCs with Thunderbolt ports. Those computers are running an updated version of the Thunderbolt firmware that prevents this type of attack from ever occurring at all.