Macs Vulnerable To Virus - Not Removable

A security researcher has demonstrated a way to infect Macs with malware that is virtually undetectable and, in his words, "can't be removed." The attack, dubbed Thunderstrike, writes malicious code into the system's Boot ROM via the Thunderbolt port.

Trammell Hudson, who works for hedge fund Two Sigma Investments and is also the creator of Magic Lantern, an open-source firmware add-on for Canon DSLRs, discovered the vulnerability after his employer asked him to look into the security of Apple notebooks.

He first found that the Boot ROM could be tampered with by physically opening the notebook to reach the flash chip soldered onto the logic board. He then refined the technique so that the attack could be carried out through the system's Thunderbolt port, without opening the case at all.

"It turns out that the Thunderbolt port gives us a way to get code running when the system boots," wrote Hudson. "Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run."

Hudson found that a modified Apple Thunderbolt to Gigabit Ethernet adapter, with its Option ROM replaced, was enough to carry out the attack.
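
Because the attack rides on the PCI Option ROM mechanism Hudson describes, a practitioner checking a Thunderbolt or PCIe device will want to know what the firmware actually finds when it asks that device for an Option ROM. The C program below is an added example written for this page, not code from Hudson, Apple or the Thunderstrike research: it walks a PCI expansion ROM image chain (0x55 0xAA signature, pointer to the "PCIR" data structure, per-image code type and last-image indicator) and pulls out the EFI-specific header fields of any image whose code type is 3, the type an EFI firmware will load and execute at boot. The ROM blob it parses is constructed inline as sample data; the vendor and device IDs in it are dummy values, and the names `build_sample_rom`, `scan_sample` and the `sample_*` helpers are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the PCI Firmware / UEFI specifications: every image starts with
 * 0x55 0xAA, carries a pointer at +0x18 to a "PCIR" data structure, and EFI
 * images add an 0x0EF1 signature at +0x04 plus the location of a PE/COFF driver. */
enum { CODE_TYPE_BIOS = 0, CODE_TYPE_EFI = 3 };

struct rom_image {
    size_t   offset, length;        /* position in blob; PCIR ImageLength * 512 bytes */
    uint16_t vendor, device;        /* from PCIR */
    uint8_t  code_type;             /* 0 = x86 BIOS, 1 = Open Firmware, 2 = PA-RISC, 3 = EFI */
    int      last;                  /* PCIR indicator bit 7: last image in the chain */
    uint16_t efi_subsystem, efi_machine, efi_image_offset;  /* EFI images only */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the image chain the way firmware does when asking a device for code to run.
 * Returns the image count, or -1 for a malformed blob: bad signature, PCIR or image
 * outside the blob, or a chain not closed by a last-image indicator within `max`. */
int walk_option_rom(const uint8_t *rom, size_t len, struct rom_image *out, int max)
{
    size_t off = 0;
    for (int n = 0; n < max && off + 0x1A <= len; n++) {
        const uint8_t *h = rom + off;
        size_t pcir = rd16(h + 0x18);
        if (rd16(h) != 0xAA55 || pcir < 0x1A || off + pcir + 0x18 > len)
            return -1;
        const uint8_t *d = h + pcir;
        if (memcmp(d, "PCIR", 4) != 0)
            return -1;
        struct rom_image *img = &out[n];
        memset(img, 0, sizeof *img);
        img->offset    = off;
        img->length    = (size_t)rd16(d + 0x10) * 512;
        img->vendor    = rd16(d + 0x04);
        img->device    = rd16(d + 0x06);
        img->code_type = d[0x14];
        img->last      = (d[0x15] & 0x80) != 0;
        if (img->length == 0 || off + img->length > len || pcir + 0x18 > img->length)
            return -1;
        if (img->code_type == CODE_TYPE_EFI) {
            if (rd32(h + 0x04) != 0x0EF1)
                return -1;
            img->efi_subsystem    = rd16(h + 0x08);  /* 0x0B = boot-service driver */
            img->efi_machine      = rd16(h + 0x0A);  /* 0x8664 = x64 */
            img->efi_image_offset = rd16(h + 0x16);  /* where the PE/COFF driver begins */
            if (img->efi_image_offset >= img->length)
                return -1;
        }
        if (img->last)
            return n + 1;
        off += img->length;
    }
    return -1;
}

/* Constructed sample blob (not a real device's ROM): a legacy x86 BIOS image followed
 * by an x64 EFI boot-service driver image, 512 bytes each, with dummy vendor/device IDs. */
size_t build_sample_rom(uint8_t *buf, size_t cap)
{
    if (cap < 1024)
        return 0;
    memset(buf, 0, 1024);
    for (int i = 0; i < 2; i++) {
        uint8_t *h = buf + i * 512, *d = h + 0x40;   /* PCIR placed at +0x40 */
        h[0] = 0x55; h[1] = 0xAA; h[0x18] = 0x40;     /* signature, PCIR pointer */
        memcpy(d, "PCIR", 4);
        d[0x04] = 0x34; d[0x05] = 0x12;               /* vendor 0x1234 (dummy) */
        d[0x06] = 0x78; d[0x07] = 0x56;               /* device 0x5678 (dummy) */
        d[0x0A] = 0x18; d[0x0C] = 0x03;               /* PCIR length, revision 3 */
        d[0x10] = 0x01;                               /* image length: 1 * 512 bytes */
        if (i == 0) {
            d[0x14] = CODE_TYPE_BIOS;
            h[0x02] = 0x01; h[0x03] = 0xCB;           /* legacy size; entry = RETF */
        } else {
            d[0x14] = CODE_TYPE_EFI; d[0x15] = 0x80;  /* EFI, last image */
            h[0x02] = 0x01;                           /* InitializationSize */
            h[0x04] = 0xF1; h[0x05] = 0x0E;           /* EFI signature 0x0EF1 */
            h[0x08] = 0x0B;                           /* subsystem: boot-service driver */
            h[0x0A] = 0x64; h[0x0B] = 0x86;           /* machine type 0x8664 (x64) */
            h[0x17] = 0x01;                           /* PE/COFF image at +0x100 */
        }
    }
    return 1024;
}

/* Parse the sample; `len` 0 = full blob, smaller = a truncated copy. */
static int scan_sample(size_t len, struct rom_image *imgs)
{
    uint8_t buf[1024];
    size_t full = build_sample_rom(buf, sizeof buf);
    return walk_option_rom(buf, len ? len : full, imgs, 8);
}
int sample_image_count(void)        { struct rom_image i[8]; return scan_sample(0, i); }
int sample_efi_machine(void)        { struct rom_image i[8]; return scan_sample(0, i) == 2 ? i[1].efi_machine : -1; }
int sample_truncated_rejected(void) { struct rom_image i[8]; return scan_sample(600, i) == -1; }
int sample_efi_image_count(void)    /* what a scanner would flag: images the firmware executes */
{
    struct rom_image i[8];
    int n = scan_sample(0, i), c = 0;
    for (int k = 0; k < n; k++)
        c += i[k].code_type == CODE_TYPE_EFI;
    return n < 0 ? -1 : c;
}

int main(void)
{
    struct rom_image imgs[8];
    int n = scan_sample(0, imgs);
    for (int i = 0; i < n; i++)
        printf("image %d @0x%03zx: vendor %04x device %04x code_type %u%s%s\n", i, imgs[i].offset,
               imgs[i].vendor, imgs[i].device, imgs[i].code_type,
               imgs[i].code_type == CODE_TYPE_EFI ? " <- EFI driver, firmware runs this at boot" : "",
               imgs[i].last ? " (last)" : "");
    printf("EFI images: %d, truncated copy rejected: %d\n", sample_efi_image_count(), sample_truncated_rejected());
    return 0;
}
```

On a Linux host the same parser can be pointed at a real device by enabling and reading `/sys/bus/pci/devices/<bdf>/rom`; an EFI image sitting in the Option ROM of an external Thunderbolt device is exactly the kind of code the firmware hands control to before the operating system, or any scanner running under it, gets a chance to look.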

"Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords," Hudson said.

And once it is on your system, it is incredibly hard to remove.

"It can't be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won't remove it. Replacing the SSD won't remove it since there is nothing stored on the drive."

Fortunately, Hudson reports that Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port. That update would not, however, protect a system whose Boot ROM is tampered with directly: an attacker with enough physical access to open the case could still reflash the chip.

