Thunderstrike MacBook malware attacks computers via Thunderbolt port
The Thunderstrike malware goes undetected in the system and sits inside the ROM
MacBook users are being warned about a new piece of malware dubbed Thunderstrike that can infect their devices using the Thunderbolt port.
US-based online security expert Trammell Hudson revealed the security hole at the Chaos Computer Congress (CCC) in Germany.
The rootkit malware can be loaded and installed onto the computer using Thunderbolt-enabled devices, writing custom code to a MacBook's boot ROM. It can also easily be transferred between machines using the port.
Hudson explained that because the code sits in the computer's boot ROM rather than on the hard drive, it can go undetected, giving attackers access to a computer's confidential files without the user knowing.
He said: "For an attacker with sufficient Option ROM space, the job is done: put your payload in the device's ROM, pass a pointer to it to process firmware volume and it will be flashed for you.
"Option ROMs can circumvent flash security by triggering recovery mode boots with signed firmware and causing the untrusted code to be written to the ROM. And the attacker now controls the signing keys on future firmware updates, preventing any software attempts to remove them."
Although previous research into Mac malware showed that rewriting the ROM through software was more likely to render the computer useless, Hudson found this isn't the case with Thunderstrike: it can embed new code that changes how the machine behaves.
"Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords," Hudson said.
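Because the bootkit lives in the boot ROM and not on disk, the only detection approach the article's description leaves open is comparing the firmware image itself against a known-good baseline, region by region. The following is an added illustration of that idea and is not code from Hudson, Apple or the article: the region layout, the region names and the "golden" image are all constructed for the example, and the check is only meaningful when the dump comes from a reader the suspect firmware cannot influence (for instance a hardware programmer), since code that controls the system "from the very first instruction" can feed a software reader whatever it likes.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed firmware layout (name -> (offset, length)). This is a hypothetical
# layout for the example, not Apple's real boot ROM map.
REGIONS: Dict[str, Tuple[int, int]] = {
    "boot_block": (0x000000, 0x10000),
    "dxe_volume": (0x010000, 0x20000),   # executable firmware code lives here
    "nvram":      (0x030000, 0x10000),   # legitimately changes between boots
}
IMAGE_SIZE = 0x40000

# Regions whose contents change during normal operation; a hash mismatch there
# is expected and must not be reported as tampering.
VOLATILE_REGIONS = ("nvram",)


def build_image(seed: bytes, size: int) -> bytearray:
    """Deterministically construct a stand-in firmware image from a seed."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:size]


def region_hashes(image: bytes) -> Dict[str, str]:
    """SHA-256 of every region, computed from a dump taken by a trusted reader."""
    return {
        name: hashlib.sha256(image[off:off + length]).hexdigest()
        for name, (off, length) in REGIONS.items()
    }


def scan_firmware(image: bytes, baseline: Dict[str, str]) -> List[str]:
    """Return the names of non-volatile regions whose hash differs from the baseline."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("dump size does not match the expected firmware size")
    current = region_hashes(image)
    return [
        name for name in REGIONS
        if name not in VOLATILE_REGIONS and current[name] != baseline[name]
    ]


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Baseline a constructed golden image, then scan a clean dump, a dump with
    only NVRAM changes, and a dump whose DXE volume was modified."""
    golden = build_image(b"constructed-golden-firmware", IMAGE_SIZE)
    baseline = region_hashes(bytes(golden))

    clean_result = scan_firmware(bytes(golden), baseline)

    # NVRAM churn is normal and should not be flagged.
    nvram_changed = bytearray(golden)
    nv_off, _ = REGIONS["nvram"]
    nvram_changed[nv_off:nv_off + 8] = b"\x00" * 8
    nvram_result = scan_firmware(bytes(nvram_changed), baseline)

    # Constructed modification of the executable firmware volume: the kind of
    # change a ROM-resident implant would leave behind.
    tampered = bytearray(golden)
    dxe_off, _ = REGIONS["dxe_volume"]
    tampered[dxe_off + 0x100:dxe_off + 0x110] = b"\x90" * 16
    tampered_result = scan_firmware(bytes(tampered), baseline)

    return clean_result, nvram_result, tampered_result


if __name__ == "__main__":
    clean, nvram, tampered = demo()
    print("clean dump  :", clean or "no modified regions")
    print("nvram churn :", nvram or "no modified regions")
    print("tampered    :", tampered)
```

The baseline should be captured from a known-good image (a vendor-published firmware or a dump taken when the machine was new) and stored off-device, so that an implant which controls future updates, as the article describes, cannot simply rewrite the reference it is compared against.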
Apple is reportedly issuing a partial fix for the security hole, which will be rolled out as a firmware update.
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.