While Apple generally puts a lot of effort into keeping Macs virus-free and secure, a pair of researchers, Xeno Kovah and Trammell Hudson, has discovered that many PC firmware vulnerabilities also affect Macs, leaving Apple’s hardware open to firmware attacks that can survive an OS X reinstallation and a full system wipe.
In fact, the researchers found that of the six vulnerabilities they tested on PCs from various manufacturers, all but one also affected Macs.
As noted above, firmware worms can survive on a system even after the computer has been fully erased and the operating system has been completely reinstalled. This is because, unlike OS X and viruses that attack at the software level, malicious code that infects a machine’s firmware is tied to specific hardware components rather than to the contents of the disk.
Since computers can’t function without some sort of instructions telling the hardware what to do, machines rely on their firmware whenever no operating system is running. That could mean the computer hasn’t fully booted yet, or that it has been erased and has no software to run. The firmware isn’t located on the hard drive and isn’t touched by a disk wipe, ensuring that the computer always has instructions on how to run even without an operating system.
In the event that the firmware is updated, the existing version of the firmware has to guide the computer through the process of installing that update, meaning infected firmware could prevent an update from repairing the damage. That’s why firmware attacks are so tricky: they infect one of the most important parts of the computer, and have enough power to keep the system from fixing the problem.
These types of attacks can also be almost impossible to detect. Once they are detected, however, there’s little that can be done to get rid of them short of completely reflashing the affected firmware or buying a new computer.
Firmware attacks are possible because many computer manufacturers put few safeguards in place to prevent malicious updates or changes, leaving many computers vulnerable. According to Wired, Apple could have put protections in place to prevent at least one type of attack discovered by the research group, but apparently elected not to.
Once a Mac has been infected, it can spread the malicious firmware to additional machines through attached peripherals, spreading even to systems that are otherwise completely disconnected from other computers.
An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email or malicious website. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.
When another machine is booted with this worm-infected device inserted, the machine firmware loads the option ROM from the infected device, triggering the worm to initiate a process that writes its malicious code to the boot flash firmware on the machine. If a new device is subsequently plugged into the computer and contains option ROM, the worm will write itself to that device as well and use it to spread.
One way to randomly infect machines would be to sell infected Ethernet adapters on eBay or infect them in a factory.
Ethernet adapters aren’t the only external devices that can be used to spread the infection. Kovah noted that many SSDs and storage devices have hardware that can be used to transfer the malware from one machine to another.
Since the discovery and disclosure of these attacks to Apple, the team says one has been fixed and another has been partially closed, although unfortunately the other three are still present in the current Mac firmware. The open vulnerabilities allowed the researchers to create a new version of the Thunderstrike vulnerability discovered late last year.
Details on the vulnerabilities will be discussed during the Black Hat conference later this week. The team says they plan to release tools at that time that allow users to check connected peripherals for infection, but unfortunately technical limitations prevent them from checking the machine itself for an issue.
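The option ROM mechanism described above (the adapter firmware that the machine’s own firmware loads at boot) is a documented, publicly specified format, which is what makes a peripheral check like the one the researchers describe possible. The following is an added example written for this article, not the researchers’ tool or any Apple code: it parses a PCI expansion ROM image using the standard 0x55AA header and “PCIR” data structure, verifies the structural fields and the legacy checksum, and compares the image’s SHA-256 against a known-good allowlist. The sample ROM image is constructed inline, and the allowlist digest is a placeholder that a defender would replace with hashes taken from a known-clean adapter.

```python
"""Integrity check for a single PCI option ROM image (added example).

Uses the public PCI expansion ROM layout: 0x55AA signature at offset 0,
pointer to the "PCIR" PCI Data Structure at offset 0x18, and, for legacy
x86 images, a size byte at offset 2 plus a byte-sum checksum of zero.
The sample image and allowlist below are constructed for demonstration.
"""
import hashlib
import struct

# PCI Data Structure (24 bytes): signature, vendor, device, VPD ptr, struct len,
# struct rev, class code (prog-if, sub-class, base class), image len (512-byte
# units), code/data rev, code type, indicator, reserved.
PCIR_FMT = "<4sHHHHBBBBHHBBH"


def build_sample_rom(size_units=1, vendor_id=0x1234, device_id=0x5678):
    """Construct a minimal legacy (x86) option ROM image for the demo."""
    size = size_units * 512
    rom = bytearray(size)
    rom[0:2] = b"\x55\xAA"                      # expansion ROM signature
    rom[2] = size_units                         # legacy image size, 512-byte blocks
    pcir_off = 0x40
    struct.pack_into("<H", rom, 0x18, pcir_off)  # pointer to the PCIR structure
    struct.pack_into(PCIR_FMT, rom, pcir_off,
                     b"PCIR", vendor_id, device_id, 0, 0x18, 0,
                     0x00, 0x00, 0x02,          # class: base class 0x02 = network
                     size_units, 0,
                     0x00,                      # code type 0 = x86 legacy
                     0x80,                      # indicator bit 7: last image
                     0)
    rom[0x60:0x70] = b"\xEB\xFE" * 8            # placeholder code body
    rom[-1] = (-sum(rom[:-1])) & 0xFF           # legacy checksum: sum == 0 mod 256
    return bytes(rom)


def parse_option_rom(rom: bytes) -> dict:
    """Parse the ROM header and PCIR structure; raise ValueError if malformed."""
    if len(rom) < 0x1A or rom[0:2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA expansion ROM signature")
    pcir_off = struct.unpack_from("<H", rom, 0x18)[0]
    if pcir_off + struct.calcsize(PCIR_FMT) > len(rom):
        raise ValueError("PCIR pointer points outside the image")
    fields = struct.unpack_from(PCIR_FMT, rom, pcir_off)
    if fields[0] != b"PCIR":
        raise ValueError("missing PCIR signature")
    return {
        "vendor_id": fields[1],
        "device_id": fields[2],
        "image_len": fields[9] * 512,
        "code_type": fields[11],
        "last_image": bool(fields[12] & 0x80),
        "legacy_size": rom[2] * 512,
    }


def sha256_hex(rom: bytes) -> str:
    """Digest used to compare an image against a known-good allowlist."""
    return hashlib.sha256(rom).hexdigest()


def check_option_rom(rom: bytes, allowlist: set) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    try:
        hdr = parse_option_rom(rom)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    if hdr["image_len"] != len(rom):
        findings.append(f"PCIR image length {hdr['image_len']} != buffer size {len(rom)}")
    if hdr["code_type"] == 0:  # legacy x86 image: size byte and checksum apply
        if hdr["legacy_size"] != len(rom):
            findings.append("legacy size byte disagrees with buffer size")
        if (sum(rom) & 0xFF) != 0:
            findings.append("legacy checksum mismatch")
    digest = sha256_hex(rom)
    if digest not in allowlist:
        findings.append(f"sha256 {digest[:16]}... not in known-good allowlist")
    return findings


if __name__ == "__main__":
    clean = build_sample_rom()
    known_good = {sha256_hex(clean)}           # placeholder: a real allowlist holds
    print("clean image:", check_option_rom(clean, known_good))  # digests from trusted adapters
    tampered = bytearray(clean)
    tampered[0x65] ^= 0xFF                      # simulate a modified code body
    print("tampered image:", check_option_rom(bytes(tampered), known_good))
```

The structural checks catch sloppy modifications (a changed body without a recomputed checksum, or a length field that no longer matches the dump), but a careful attacker can keep those fields consistent, which is why the allowlist comparison against hashes taken from a trusted device is the check that actually matters. A real ROM may chain several images (the indicator bit marks the last one); this example deliberately handles a single image, and it does nothing for the machine’s own boot flash, the limitation the researchers note for their tool as well.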