Known as Thunderstrike 2, the worm was developed by security experts Xeno Kovah and Corey Kallenberg to raise awareness about Apple's security flaws. They say the worm is capable of spreading from one Mac to another, even if the computers don't share a network.
"[The attack is] really hard to detect… it's really hard to get rid of," Kovah told Wired, explaining that the worm embeds itself in a computer's firmware, the software that comes pre-installed and loads the operating system. "It's really hard to protect against something that's running inside the firmware… for most users that's really a throw-your-machine-away kind of situation," he said.
The problem is that Thunderstrike 2 can't be removed with software or traditional anti-malware programs; cleaning a machine requires physically reprogramming the firmware chip. "Most people and organizations don't have the wherewithal to physically open up their machine and electrically reprogram the chip," Kovah said.
What makes Thunderstrike 2 so insidious is that it can spread between computers that aren't connected to the same network. To spread the worm, an attacker must first compromise the firmware on a Mac by delivering malware through a phishing email or link. That malware could be programmed to infect the firmware (known as the Option ROM) of anything plugged into the computer, such as an Ethernet adapter. If that adapter were then plugged into another computer, the malware would spread: when the second machine is turned on, the worm would install itself in that machine's firmware and become effectively undetectable.
Kovah and Kallenberg say their discovery could have wide-ranging implications.
"Let's say you're running a uranium refining centrifuge plant and you don't have it connected to any networks, but people bring laptops into it and perhaps they share Ethernet adapters or external SSDs to bring data in and out," Kovah said. "Those SSDs have Option ROMs that could potentially carry this sort of infection. Perhaps because it's a secure environment they don't use Wi-Fi, so they have Ethernet adapters. Those adapters also have option ROMs that can carry this malicious firmware."
Kovah and Kallenberg say that the worm was developed to showcase vulnerabilities in Apple devices. They've notified Apple of their discovery, and the company has already fully patched one type of vulnerability and partially patched another, but three still remain unresolved.
This isn't the first time that Kovah and Kallenberg have revealed a gaping hole in computer security. Last year, they tested a series of major PCs for similar vulnerabilities and found that 80 percent, including brands like Dell, Lenovo, Samsung, and HP, were vulnerable to firmware worms.
"It turns out almost all of the attacks we found on PCs are also applicable to Macs," Kovah explained.
Kovah and Kallenberg plan to unveil their discovery in more detail on August 6 at the Black Hat security conference in Las Vegas. The goal is to push tech companies to take security more seriously.
"Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware," Kovah said.
"Most other vendors, including Apple as we are showing here, have not," he added. "We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security."