Technoglitch
Core Member
An improved attack on the firmware in Apple computers makes them vulnerable to hard-to-detect malware without even being connected to a network, according to a Black Hat conference presentation due to be given later this week.
The new research highlights ongoing weaknesses in the low-level software that runs on every computer before an operating system is loaded.
In theory, firmware shouldn’t be able to be modified or rewritten. Malware that sits within firmware is particularly dangerous since security products don’t check the integrity of firmware, meaning users would have no idea it has been tampered with.
The Thunderstrike 2 attack uses a local root privilege exploit that loads a kernel module and gives it access to raw memory, according to a two-minute preview video posted by the researchers on YouTube.
In some cases, the attack code can immediately unlock and rewrite the boot flash firmware. In other instances it can take advantage of a problem when a computer is put into sleep mode and then resume running, a problem that has been explored by another researcher.
“Once installed in the boot flash, it is very difficult to remove since it controls the system from the very first instruction executed upon booting,” the video says. “This includes the keys for updating the firmware.”
Reinstalling the OS won’t remove the malware and neither will replacing the hard drive.
Apple computers vulnerable to 'Thunderstrike 2' firmware worm | PCWorld
The new research highlights ongoing weaknesses in the low-level software that runs on every computer before an operating system is loaded.
In theory, firmware shouldn’t be able to be modified or rewritten. Malware that sits within firmware is particularly dangerous since security products don’t check the integrity of firmware, meaning users would have no idea it has been tampered with.
The Thunderstrike 2 attack uses a local root privilege exploit that loads a kernel module and gives it access to raw memory, according to a two-minute preview video posted by the researchers on YouTube.
In some cases, the attack code can immediately unlock and rewrite the boot flash firmware. In other instances it can take advantage of a problem when a computer is put into sleep mode and then resume running, a problem that has been explored by another researcher.
“Once installed in the boot flash, it is very difficult to remove since it controls the system from the very first instruction executed upon booting,” the video says. “This includes the keys for updating the firmware.”
Reinstalling the OS won’t remove the malware and neither will replacing the hard drive.
Apple computers vulnerable to 'Thunderstrike 2' firmware worm | PCWorld
