First Firmware Worm Able to Infect Macs Created by Researchers

by

A team of researchers has created the first firmware worm that's able to infect Macs, reports Wired. Building on "Thunderstrike" exploits uncovered earlier this year, the worm, dubbed "Thunderstrike 2," infects Macs at the firmware level, making it nearly impossible to remove. Embedded into firmware, malware is resistant to firmware and software updates, able to block them entirely or reinstall itself at will.

The worm was created by security engineer Trammell Hudson, who first discovered the Thunderstrike exploits, and Xeno Kovah, owner of firmware security consultancy LegbaCore. When Thunderstrike made waves earlier this year, it was a limited proof-of-concept attack with no known presence in the wild, but Thunderstrike 2 demonstrates a real-world worm able to target Macs using the same general vulnerabilities.


Thunderstrike 2, unlike the first demonstration of Thunderstrike, is able to infect a Mac remotely through a malicious website or email. Once on a Mac, it's able to spread itself to other Macs by hiding in the option ROM of peripheral devices like Apple's own Thunderbolt to Gigabit Ethernet adapter, external SSDs, RAID controllers, and more. Once infected by a Mac that has the Thunderstrike 2 worm, the peripheral would go on to infect any other Mac it connects to.

"People are unaware that these small cheap devices can actually infect their firmware," says Kovah. "You could get a worm started all around the world that's spreading very low and slow. If people don't have awareness that attacks can be happening at this level then they're going to have their guard down and an attack will be able to completely subvert their system."

Removing malware embedded into a Mac's firmware would need to be done at the hardware level, making it particularly dangerous. According to the researchers, Apple has not done enough to fix the vulnerabilities that leave Macs open to these kind of attacks.

"Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware," Kovah notes. "Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security."

Kovah and Hudson have notified Apple about the Thunderstrike 2 vulnerabilities, but thus far, Apple's only fixed one of five security flaws and introduced a partial fix for a second. Three of the vulnerabilities have not yet been patched, but it's likely Apple is working to get the flaws fixed in an upcoming security update.

More information on Kovah and Hudson's research and the Thunderstrike 2 exploit can be found in a lengthy report over at Wired.

Popular Stories

iOS 26

15 New Things Your iPhone Can Do in iOS 26.2

Friday December 5, 2025 9:40 am PST by
Apple is about to release iOS 26.2, the second major point update for iPhones since iOS 26 was rolled out in September, and there are at least 15 notable changes and improvements worth checking out. We've rounded them up below. Apple is expected to roll out iOS 26.2 to compatible devices sometime between December 8 and December 16. When the update drops, you can check Apple's servers for the ...
Read Full Article26 comments
ios 18 to ios 26 upgrade

Apple Pushes iPhone Users Still on iOS 18 to Upgrade to iOS 26

Tuesday December 2, 2025 11:09 am PST by
Apple is encouraging iPhone users who are still running iOS 18 to upgrade to iOS 26 by making the iOS 26 software upgrade option more prominent. Since iOS 26 launched in September, it has been displayed as an optional upgrade at the bottom of the Software Update interface in the Settings app. iOS 18 has been the default operating system option, and users running iOS 18 have seen iOS 18...
Read Full Article274 comments
iOS 26

Apple Seeds iOS 26.2 and iPadOS 26.2 Release Candidates to Developers and Public Beta Testers

Wednesday December 3, 2025 10:33 am PST by
Apple today seeded the release candidate versions of upcoming iOS 26.2 and iPadOS 26.2 updates to developers and public beta testers, with the software coming two weeks after Apple seeded the third betas. The release candidates represent the final versions of iOS 26.2 and iPadOS 26.2 that will be provided to the public if no further bugs are found during this final week of testing....
Read Full Article39 comments
Photos App Icon Liquid Glass

John Gruber Shares Scathing Commentary About Apple's Departing Software Design Chief

Thursday December 4, 2025 9:30 am PST by
In a statement shared with Bloomberg on Wednesday, Apple confirmed that its software design chief Alan Dye will be leaving. Apple said Dye will be succeeded by Stephen Lemay, who has been a software designer at the company since 1999. Meta CEO Mark Zuckerberg announced that Dye will lead a new creative studio within the company's AR/VR division Reality Labs. On his blog Daring Fireball,...
Read Full Article295 comments
iOS 26

When Will Apple Release iOS 26.2?

Monday December 1, 2025 4:37 pm PST by
We're getting closer to the launch of the final major iOS update of the year, with Apple set to release iOS 26.2 in December. We've had three betas so far and are expecting a fourth beta or a release candidate this week, so a launch could follow as soon as next week. Past Launch Dates Apple's past iOS x.2 updates from the last few years have all happened right around the middle of the...
Read Full Article27 comments
maxresdefault

iPhone Fold: Launch, Pricing, and What to Expect From Apple's Foldable

Monday December 1, 2025 3:00 am PST by
Apple is expected to launch a new foldable iPhone next year, based on multiple rumors and credible sources. The long-awaited device has been rumored for years now, but signs increasingly suggest that 2026 could indeed be the year that Apple releases its first foldable device. Subscribe to the MacRumors YouTube channel for more videos. Below, we've collated an updated set of key details that ...
Read Full Article52 comments
iphone air camera

iPhone Air's Resale Value Has Dropped Dramatically, Data Shows

Thursday December 4, 2025 5:27 am PST by
The iPhone Air has recorded the steepest early resale value drop of any iPhone model in years, with new data showing that several configurations have lost almost 50% of their value within ten weeks of launch. According to a ten-week analysis published by SellCell, Apple's latest lineup is showing a pronounced split in resale performance between the iPhone 17 models and the iPhone Air....
Read Full Article209 comments
ive and altman

Jony Ive's OpenAI Device Barred From Using 'io' Name

Friday December 5, 2025 6:22 am PST by
A U.S. appeals court has upheld a temporary restraining order that prevents OpenAI and Jony Ive's new hardware venture from using the name "io" for products similar to those planned by AI audio startup iyO, Bloomberg Law reports. iyO sued OpenAI earlier this year after the latter announced its partnership with Ive's new firm, arguing that OpenAI's planned "io" branding was too close to its...
Read Full Article43 comments
iPhone 17 Pro Cosmic Orange

iPhone 17 Pro Lost a Camera Feature Pro Models Have Had Since 2020

Thursday December 4, 2025 5:18 am PST by
iPhone 17 Pro models, it turns out, can't take photos in Night mode when Portrait mode is selected in the Camera app – a capability that's been available on Apple's Pro devices since the iPhone 12 Pro in 2020. If you're an iPhone 17 Pro or iPhone 17 Pro Max owner, try it for yourself: Open the Camera app with Photo selected in the carousel, then cover the rear lenses with your hand to...
Read Full Article50 comments
Intel Inside iPhone Feature

Apple's Return to Intel Rumored to Extend to iPhone

Friday December 5, 2025 10:08 am PST by
Intel is expected to begin supplying some Mac and iPad chips in a few years, and the latest rumor claims the partnership might extend to the iPhone. In a research note with investment firm GF Securities this week, obtained by MacRumors, analyst Jeff Pu said he and his colleagues "now expect" Intel to reach a supply deal with Apple for at least some non-pro iPhone chips starting in 2028....
Read Full Article84 comments

Top Rated Comments

macduke Avatar
macduke
135 months ago
Of all the alleged Mac "hacks" that have surfaced over the years, this is the only one that has seemed to be a legitimate concern to me. The other hacks usually required direct access to your computer or installing some shady torrent software after putting in an admin password. This thing can be remotely installed from a website and can't be wiped. Sure, don't visit a shady website you say. But if a web server is compromised in some other way and this hack is installed, you could get it from nearly anywhere. This is bad.
Score: 17 Votes (Like | Disagree)
joshuaclinton Avatar
joshuaclinton
135 months ago
Skynet is becoming self-aware.
Score: 11 Votes (Like | Disagree)
MacDawg Avatar
MacDawg
135 months ago
This is dated 2001, is it something new?
What do you mean dated 2001?
If you are looking to the left under the user avatar that is the join date
Score: 11 Votes (Like | Disagree)
JimmyHook Avatar
JimmyHook
135 months ago
Assuming the user is stupid (a good percentage of people) and just keys the password in anyway renders your ideas useless.

Apple needs to do security better across OS X & iOS and quickly. That means plugging holes faster and stop being so damn lazy and treating security as a low priority.
Their security is waaaaaaaay ahead of Android and Windows. What did I read the other day? 950 MILLION android devices open to remote hacking? By a video that you don't even need to watch? That's crazy
Score: 8 Votes (Like | Disagree)
spherox Avatar
spherox
135 months ago
Ok, now this is kind of scary. Hardware replacement won't fix it? Neither will re-installing OS X? Infection could be stored in external devices such as Apples own thunderbolt adapter? *turns off Mac*
Score: 8 Votes (Like | Disagree)
Frign Avatar
Frign
135 months ago
The question is: Why does this guy wear nail varnish?
Score: 7 Votes (Like | Disagree)
Read All Comments