
Thunderstrike


Apple acquired LegbaCore consultancy firm to improve software & firmware security efforts


Apple quietly acquired security consultancy firm LegbaCore back in November of 2015, it has recently been discovered. The acquisition was initially revealed back in December by security researcher Trammell Hudson during a presentation at the 32C3 conference. It was further corroborated by a series of tweets from founder Xeno Kovah (seen below) and the company’s website, which states that it is “not accepting any new customer engagements.”



Security researchers build on PC vulnerabilities to create first firmware-based Mac worm


While Apple generally puts a lot of effort into making sure that Macs remain virus-free and secure, a duo of researchers, Xeno Kovah and Trammell Hudson, have discovered that many PC firmware vulnerabilities also affect Macs, leaving Apple’s hardware open to attacks on the firmware that can survive OS X reinstallation and system wipes.

In fact, the researchers found that of the six vulnerabilities they tested on PCs from various manufacturers, all but one also affected Macs.



Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable


A security researcher speaking at the Chaos Computer Congress in Hamburg demonstrated a hack that rewrites an Intel Mac’s firmware using a Thunderbolt device with attack code in an option ROM. Known as Thunderstrike, the proof of concept presented by Trammell Hudson infects the Apple Extensible Firmware Interface (EFI) in a way that he claims cannot be detected or removed by reinstalling OS X.

Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

Apple has already implemented an intended fix in the latest Mac mini and iMac with Retina display, which Hudson says will soon be available for other Macs, but appears at this stage to provide only partial protection… 