First Firmware Worm Able to Infect Macs Created by Researchers

A team of researchers has created the first firmware worm that's able to infect Macs, reports Wired. Building on "Thunderstrike" exploits uncovered earlier this year, the worm, dubbed "Thunderstrike 2," infects Macs at the firmware level, making it nearly impossible to remove. Embedded into firmware, malware is resistant to firmware and software updates, able to block them entirely or reinstall itself at will.

The worm was created by security engineer Trammell Hudson, who first discovered the Thunderstrike exploits, and Xeno Kovah, owner of firmware security consultancy LegbaCore. When Thunderstrike made waves earlier this year, it was a limited proof-of-concept attack with no known presence in the wild, but Thunderstrike 2 demonstrates a real-world worm able to target Macs using the same general vulnerabilities.


Thunderstrike 2, unlike the first demonstration of Thunderstrike, is able to infect a Mac remotely through a malicious website or email. Once on a Mac, it's able to spread itself to other Macs by hiding in the option ROM of peripheral devices like Apple's own Thunderbolt to Gigabit Ethernet adapter, external SSDs, RAID controllers, and more. Once infected by a Mac that has the Thunderstrike 2 worm, the peripheral would go on to infect any other Mac it connects to.

"People are unaware that these small cheap devices can actually infect their firmware," says Kovah. "You could get a worm started all around the world that's spreading very low and slow. If people don't have awareness that attacks can be happening at this level then they're going to have their guard down and an attack will be able to completely subvert their system."

Removing malware embedded into a Mac's firmware would need to be done at the hardware level, making it particularly dangerous. According to the researchers, Apple has not done enough to fix the vulnerabilities that leave Macs open to these kind of attacks.

"Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware," Kovah notes. "Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security."

Kovah and Hudson have notified Apple about the Thunderstrike 2 vulnerabilities, but thus far, Apple's only fixed one of five security flaws and introduced a partial fix for a second. Three of the vulnerabilities have not yet been patched, but it's likely Apple is working to get the flaws fixed in an upcoming security update.

More information on Kovah and Hudson's research and the Thunderstrike 2 exploit can be found in a lengthy report over at Wired.

Top Rated Comments

macduke Avatar
96 months ago
Of all the alleged Mac "hacks" that have surfaced over the years, this is the only one that has seemed to be a legitimate concern to me. The other hacks usually required direct access to your computer or installing some shady torrent software after putting in an admin password. This thing can be remotely installed from a website and can't be wiped. Sure, don't visit a shady website you say. But if a web server is compromised in some other way and this hack is installed, you could get it from nearly anywhere. This is bad.
Score: 17 Votes (Like | Disagree)
joshuaclinton Avatar
96 months ago
Skynet is becoming self-aware.
Score: 11 Votes (Like | Disagree)
MacDawg Avatar
96 months ago
This is dated 2001, is it something new?
What do you mean dated 2001?
If you are looking to the left under the user avatar that is the join date
Score: 11 Votes (Like | Disagree)
JimmyHook Avatar
96 months ago
Assuming the user is stupid (a good percentage of people) and just keys the password in anyway renders your ideas useless.

Apple needs to do security better across OS X & iOS and quickly. That means plugging holes faster and stop being so damn lazy and treating security as a low priority.
Their security is waaaaaaaay ahead of Android and Windows. What did I read the other day? 950 MILLION android devices open to remote hacking? By a video that you don't even need to watch? That's crazy
Score: 8 Votes (Like | Disagree)
spherox Avatar
96 months ago
Ok, now this is kind of scary. Hardware replacement won't fix it? Neither will re-installing OS X? Infection could be stored in external devices such as Apples own thunderbolt adapter? *turns off Mac*
Score: 8 Votes (Like | Disagree)
Frign Avatar
96 months ago
The question is: Why does this guy wear nail varnish?
Score: 7 Votes (Like | Disagree)

Popular Stories

General Black Friday Deals 2022 Green

All the Apple Black Friday Deals You Can Still Get

Friday November 25, 2022 4:40 am PST by
Although Black Friday is now technically over, many Apple products are still seeing major discounts through the weekend as we head into Cyber Monday. In this article, you'll find every Apple device with a notable Black Friday sale that's still available. We'll be updating as prices change and new deals arrive, so be sure to keep an eye out if you don't see the sale you're looking for yet. Note:...
iphone 14 pro hands snowflakes 1

Best Cyber Monday iPhone Deals Available Today

Wednesday November 23, 2022 1:55 pm PST by
Cellular carriers have always offered big savings on the newest iPhone models during the holidays, and Cyber Monday is no different. We're tracking notable offers on the iPhone 14 and iPhone 14 Pro devices from AT&T, Verizon, and T-Mobile. For even more savings, keep an eye on older models like the iPhone 13. Note: MacRumors is an affiliate partner with some of these vendors. When you click a...
maxresdefault

Nothing Phone 1 Displays AirPods Battery Level After Latest OS Update

Friday November 25, 2022 3:33 am PST by
Nothing Phone 1 users today began receiving the Nothing OS 1.1.7 update, which adds support for displaying the battery percentage of connected AirPods, amongst other improvements and bug fixes. If you own a Nothing Phone 1, you can check for the OTA update by going to Settings -> System -> System updates. Bear in mind that as support for displaying AirPods battery level is still an...
ipad holiday bulbs

Best Cyber Monday iPad Deals Available Today

Thursday November 24, 2022 12:25 pm PST by
Cyber Monday deals have been in full swing since Black Friday deals ended, and we're seeing solid discounts on Apple devices. We're highlighting the best sales for all of Apple's product lines, and in this article you'll find the best Cyber Monday sales on iPad, iPad Pro, iPad Air, and iPad mini. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make ...
airpods pro 2

Apple Engineer Addresses Lack of Lossless Support on New AirPods Pro

Friday November 25, 2022 2:58 am PST by
An Apple engineer has addressed the lack of lossless audio support in the second-generation AirPods Pro in a new interview. Current Bluetooth technology in the AirPods lineup means that Apple's audio products do not support Apple Music Lossless audio. Apple has previously hinted that it may develop its own codec and connectivity standard that builds on AirPlay and supports higher quality...
Cyber Monday Deals Feature 2022

Best Cyber Monday Apple Deals Still Available for AirPods, Apple TV, iPad, and More

Monday November 28, 2022 5:24 am PST by
The Black Friday and Cyber Monday holiday shopping rush is drawing to a close, but there are still some good deals to be had out there. For Apple products, many of the deals you've seen since last week are still available, though some have expired. So for anyone who missed out on Black Friday deals, there's still an opportunity to get some of the year's best prices on many Apple devices. Note: ...
Apple Watch Ultra Oceanic Plus App

Apple Announces Oceanic+ App Now Available for Apple Watch Ultra

Monday November 28, 2022 6:11 am PST by
Apple today announced that the Oceanic+ app is available for the Apple Watch Ultra starting today. Designed by Huish Outdoors in collaboration with Apple, the app serves as a dive computer for recreational scuba diving at depths up to 40 meters/130 feet. Apple already offers a basic Depth app on the Apple Watch Ultra for viewing your current depth, maximum depth reached, water temperature,...
Three Biggest iPhone SE 4 Questions Feature

Three Biggest Questions About the iPhone SE 4

Saturday November 26, 2022 12:00 am PST by
While we already have some clear indications about what to expect from the fourth-generation iPhone SE, there are three major questions looming over the device at the current time. Chinese site MyDrivers and and leaker Jon Prosser believe that the iPhone SE is set to move to an iPhone XR-like design in its next incarnation, which would involve eliminating the Home button and adding a "notch" ...