acm-header
Sign In

Communications of the ACM

ACM TechNews

Researchers Create First Firmware Worm That Attacks Macs


View as: Print Mobile App Share:
A new MacBook

Having discovered that Mac computers can be affected by known firmware bugs, researchers created a proof-of-concept worm to enable proliferation of a Mac firmware attack without networking.

Credit: Josh Valcarcel/Wired

Researchers have discovered Mac computers can be affected by known firmware bugs, and they created a proof-of-concept worm to enable automatic proliferation of a Mac firmware attack without networking.

"[The attack is] really hard to detect, it's really hard to get rid of, and it's really hard to protect against something that's running inside the firmware," says worm co-developer Xeno Kovah.

Firmware is susceptible to malware infection because most hardware manufacturers do not cryptographically sign the firmware embedded in their systems, or their firmware updates, and fail to include any authentication functions that would only permit installation of legitimate signed firmware.

Kovah uncovered firmware defects last year that affected 80 percent of the PCs he examined, and with security engineer Trammell Hudson found five of the six bugs affected Mac firmware. Three of the bugs remain unpatched, which Kovah and Hudson exploited to build and implement the Thunderstrike 2 worm, which spreads by infiltrating the option ROM on peripheral devices. Booting another machine with the worm-bearing peripheral causes the machine firmware to load the option ROM from the infected device, and the worm writes its malware to the boot flash firmware on the machine.

Kovah and Hudson say air-gapped systems lacking network connections would be particularly vulnerable to this type of attack.

From Wired
View Full Article

 

Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account