First Firmware Worm Able to Infect Macs Created by Researchers

by

A team of researchers has created the first firmware worm that's able to infect Macs, reports Wired. Building on "Thunderstrike" exploits uncovered earlier this year, the worm, dubbed "Thunderstrike 2," infects Macs at the firmware level, making it nearly impossible to remove. Embedded into firmware, malware is resistant to firmware and software updates, able to block them entirely or reinstall itself at will.

The worm was created by security engineer Trammell Hudson, who first discovered the Thunderstrike exploits, and Xeno Kovah, owner of firmware security consultancy LegbaCore. When Thunderstrike made waves earlier this year, it was a limited proof-of-concept attack with no known presence in the wild, but Thunderstrike 2 demonstrates a real-world worm able to target Macs using the same general vulnerabilities.


Thunderstrike 2, unlike the first demonstration of Thunderstrike, is able to infect a Mac remotely through a malicious website or email. Once on a Mac, it's able to spread itself to other Macs by hiding in the option ROM of peripheral devices like Apple's own Thunderbolt to Gigabit Ethernet adapter, external SSDs, RAID controllers, and more. Once infected by a Mac that has the Thunderstrike 2 worm, the peripheral would go on to infect any other Mac it connects to.

"People are unaware that these small cheap devices can actually infect their firmware," says Kovah. "You could get a worm started all around the world that's spreading very low and slow. If people don't have awareness that attacks can be happening at this level then they're going to have their guard down and an attack will be able to completely subvert their system."

Removing malware embedded into a Mac's firmware would need to be done at the hardware level, making it particularly dangerous. According to the researchers, Apple has not done enough to fix the vulnerabilities that leave Macs open to these kind of attacks.

"Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware," Kovah notes. "Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security."

Kovah and Hudson have notified Apple about the Thunderstrike 2 vulnerabilities, but thus far, Apple's only fixed one of five security flaws and introduced a partial fix for a second. Three of the vulnerabilities have not yet been patched, but it's likely Apple is working to get the flaws fixed in an upcoming security update.

More information on Kovah and Hudson's research and the Thunderstrike 2 exploit can be found in a lengthy report over at Wired.

Popular Stories

ios 18 4 carplay

Apple Upgrades CarPlay in Two Ways

Wednesday March 12, 2025 6:05 am PDT by
The upcoming iOS 18.4 update for the iPhone includes a smaller but meaningful improvement for Apple's in-car iPhone mirroring system CarPlay. Specifically, CarPlay now shows a third row of icons, up from two rows previously. However, this change is only visible in vehicles with a larger center display. For example, a MacRumors Forums member noticed the change in a Toyota Tundra with a...
Read Full Article55 comments
Apple More Personal Siri Ad

John Gruber Says 'Something is Rotten' at Apple

Wednesday March 12, 2025 7:39 pm PDT by
Daring Fireball's John Gruber today shared some strongly-worded comments about Apple's delayed personalized Siri features. Gruber is a well-known Apple pundit who has been writing about the company for more than two decades. In a blog post titled "Something Is Rotten in the State of Cupertino," Gruber said Apple's credibility has been "damaged" by the delay:Keynote by keynote, product by...
Read Full Article609 comments
airpods pro 2 gradient

AirPods Pro 3 Launch Now Just Months Away: Here's What We Know

Tuesday March 11, 2025 3:26 am PDT by
Despite being released over two years ago, Apple's AirPods Pro 2 continue to dominate the wireless earbud market. However, with the AirPods Pro 3 expected to launch in 2025, anyone thinking of buying Apple's premium earbuds may be wondering if the next generation is worth holding out for. Apart from their audio and noise-canceling performance, which are generally regarded as excellent for...
Read Full Article47 comments
iphone 17 pro asherdipps

iPhone 17 Pro Max Rumors Allegedly Refer to 'iPhone 17 Ultra' Model

Friday March 14, 2025 7:56 am PDT by
If you've been following iPhone rumors over the last few years, you may remember reading reports that Apple flirted with the idea of introducing a super high-end "Ultra" model that would either replace its Pro Max device or sit above it in Apple's smartphone hirearchy. These reports appeared in the pre-launch iPhone 15 and iPhone 16 rumor cycles, but ultimately came to nothing. Now though, the...
Read Full Article143 comments
Apple Maps vs Google Maps Feature

iOS 18.4 Adds a Highly-Requested Setting to iPhones — But Not in U.S.

Wednesday March 12, 2025 1:05 pm PDT by
iPhones are finally getting a much-requested setting, but availability is limited. The upcoming iOS 18.4 update introduces an option to set a default navigation app, other than Apple Maps, but unfortunately this new setting is limited to users in the EU. There, you can now set an app like Google Maps or Waze as your default navigation app on the iPhone by opening the Settings app and tapping ...
Read Full Article118 comments
iPhone 17 Pro Render Front Page Tech

iPhone 17 Pro Machined Parts Leak Reflects Camera Redesign Rumors

Thursday March 13, 2025 3:07 am PDT by
Apple's upcoming iPhone 17 Pro models are expected to feature a significant design overhaul, and a new image apparently taken on an assembly line for the unreleased devices appears to confirm the biggest rumored change. Render of an iPhone 17 Pro model shared by Jon Prosser The iPhone 17 Pro and iPhone 17 Pro Max are rumored to adopt a horizontal camera bar reminiscent of Google's Pixel...
Read Full Article87 comments
Generic iOS 19 Feature Mock Light

iOS 19 Will Bring Biggest Design Overhaul Since iOS 7

Monday March 10, 2025 12:17 pm PDT by
Apple is planning for a major design overhaul of the iPhone, iPad, and Mac interfaces with the introduction of iOS 19, iPadOS 19, and macOS 16 later this year, reports Bloomberg. The update will "fundamentally change" the look of Apple's operating system, introducing a more consistent cross-platform experience. Apple plans to update the style of icons, menus, apps, windows, and system...
Read Full Article260 comments
Sad Siri Feature

Kuo: Apple Knows Apple Intelligence is 'Underwhelming' and Won't Drive iPhone Upgrades

Thursday March 13, 2025 9:32 am PDT by
The Apple Intelligence features that Apple introduced with iOS 18 are not pushing people to upgrade their iPhones, Apple analyst Ming-Chi Kuo reiterated today. Apple's recent Siri failures are also going to have an impact on 2025 iPhone shipments, which the market is beginning to realize. As early as last July, Kuo said expectations that Apple Intelligence could drive iPhone upgrades were...
Read Full Article291 comments
Sad Siri Feature

Kuo: Cook Should Personally Address Siri Apple Intelligence Failure

Thursday March 13, 2025 4:02 pm PDT by
Apple made a major misstep with the way that it handled the delay of Apple Intelligence features for Siri, Apple analyst Ming-Chi Kuo said today. Announcing the delay through a press statement was a bad decision, and Apple should instead have gone through official channels. Kuo referenced the well-known "Antennagate" PR crisis when the iPhone 4 launched in 2010, and the way that then Apple...
Read Full Article431 comments

Top Rated Comments

macduke Avatar
macduke
126 months ago
Of all the alleged Mac "hacks" that have surfaced over the years, this is the only one that has seemed to be a legitimate concern to me. The other hacks usually required direct access to your computer or installing some shady torrent software after putting in an admin password. This thing can be remotely installed from a website and can't be wiped. Sure, don't visit a shady website you say. But if a web server is compromised in some other way and this hack is installed, you could get it from nearly anywhere. This is bad.
Score: 17 Votes (Like | Disagree)
joshuaclinton Avatar
joshuaclinton
126 months ago
Skynet is becoming self-aware.
Score: 11 Votes (Like | Disagree)
MacDawg Avatar
MacDawg
126 months ago
This is dated 2001, is it something new?
What do you mean dated 2001?
If you are looking to the left under the user avatar that is the join date
Score: 11 Votes (Like | Disagree)
JimmyHook Avatar
JimmyHook
126 months ago
Assuming the user is stupid (a good percentage of people) and just keys the password in anyway renders your ideas useless.

Apple needs to do security better across OS X & iOS and quickly. That means plugging holes faster and stop being so damn lazy and treating security as a low priority.
Their security is waaaaaaaay ahead of Android and Windows. What did I read the other day? 950 MILLION android devices open to remote hacking? By a video that you don't even need to watch? That's crazy
Score: 8 Votes (Like | Disagree)
spherox Avatar
spherox
126 months ago
Ok, now this is kind of scary. Hardware replacement won't fix it? Neither will re-installing OS X? Infection could be stored in external devices such as Apples own thunderbolt adapter? *turns off Mac*
Score: 8 Votes (Like | Disagree)
Frign Avatar
Frign
126 months ago
The question is: Why does this guy wear nail varnish?
Score: 7 Votes (Like | Disagree)
Read All Comments