Security researchers have unveiled a new attack on Apple's OS X systems which can spread via peripheral devices, infecting not only the PC but its accessories too.
In a video
published ahead of a BlackHat presentation
, researches Trammell Hudson, Xeno Kovah, and Corey Kallenberg demonstrated an attack dubbed Thunderstrike 2 which affects MacBook systems in an interesting vector: by inserting a malicious peripheral device, specifically a modified Ethernet adapter, into the machine's Thunderbolt port. In a discussion on the vulnerability with Wired
, the team's exploit can also be used with any other peripheral device which features an option ROM such as an external storage device or RAID controller.
While being infected by a peripheral device is bad enough, Wired explains that the worm - dubbed a 'firmworm' - is capable of spreading between other devices: when a system is infected, any peripheral device with a rewritable option ROM connected to that system will have the worm installed ready to infect further machines and peripherals. The worm is also capable of surviving a complete reinstall of the host operating system, hiding in the laptop's firmware away from the hard drive.
The team behind the attack have admitted that the specific mechanism showcased in the video won't work on a fully-patched OS X install, but claims that 'there are other Apple vulnerabilities which Apple has not patched, which could be used to do the same attack.
The Thunderstrike 2 vulnerability is based on Hudson's previous Thunderstrike
attack, which proved that Apple's extensible firmware interface (EFI) could allow the boot ROM to be overwritten with malicious code from either software or Thunderbolt-connected devices.
Apple has yet to publicly respond to the team's claims, which are to be presented this week at the BlackHat USA conference in Mandalay Bay, Las Vegas.