Thunderstrike is a recently disclosed attack on Apple Mac computers, found by security researcher Trammell Hudson and presented at the Chaos Communication Congress (31C3) in Germany. It lets an attacker with access to a Mac's Thunderbolt port install persistent malware (a bootkit) in the machine's EFI boot ROM, on older and current MacBook, iMac and Mac mini models alike. The weakness is not in the Thunderbolt connector itself: the Mac's EFI firmware executes code (Option ROMs) from attached Thunderbolt devices during boot, and that code can in turn rewrite the boot ROM. An infected Mac can then spread the bootkit to other Macs through the Thunderbolt devices plugged into it.
One temporary relief: Thunderstrike is, so far, a proof of concept and has not been seen in the wild. Apple regularly fixes security flaws in Macs and iOS devices by issuing updates, and Macs also receive EFI firmware security updates that close reported and publicly known firmware-level vulnerabilities before attackers can exploit them.
Thunderstrike exploits an EFI firmware vulnerability that lets an attacker write untrusted code into the Mac's boot ROM. Trammell Hudson presented the vulnerability in a talk at the 31C3 security conference.
What is Thunderstrike?
An attacker can install the Thunderstrike bootkit through the externally accessible Thunderbolt port found on current Macs. Once installed, users cannot remove it by reinstalling OS X or by replacing the hard disk drive, because the bootkit lives in the boot ROM flash chip on the logic board, not on the disk. Thunderstrike also hides itself from Apple's EFI firmware update routines, so a later firmware update cannot be relied on to remove it, and no program running on the Mac can detect it. Antivirus and other security software are no help here either: the boot ROM code runs before the operating system and before any security software is loaded. Once installed, the bootkit silently controls the Mac from the very first instruction executed at power-on.
Is Apple aware of Thunderstrike?
Apple is aware of the Thunderstrike problem and has fixed part of the vulnerability in the latest Mac mini and iMac with Retina display models. The issue is not yet fully fixed, even on new Macs.
Hudson notes that the Option ROMs of Thunderbolt devices are writable from code that runs during early boot, so the bootkit can write copies of itself into the Option ROM of any Thunderbolt device plugged into an infected Mac, by cable; that device then infects the next Mac it is connected to. Once one machine is infected, the code can therefore keep circulating among the shared Thunderbolt devices and Macs of an organisation.
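To make concrete what the firmware actually consumes from a Thunderbolt device (the Option ROM mentioned above and in the "What is Thunderstrike?" section), here is an added example that is not code from the original post nor from Hudson's Thunderstrike proof of concept. It parses a PCI/UEFI Option ROM dump, lists the images chained inside it, and flags the EFI-type images that a UEFI firmware would load and execute at boot. The header layout follows the PCI Firmware Specification (the 0x55 0xAA header and the "PCIR" data structure) and the UEFI specification's EFI Option ROM header; the sample ROM is constructed inline with made-up vendor and device IDs and contains no executable payload.

```python
import struct

EFI_SIGNATURE = 0x0EF1          # UEFI spec: EfiSignature field of an EFI Option ROM header
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "PA-RISC", 3: "EFI"}
PCIR_SIZE = 0x18                # the PCI Data Structure ("PCIR") is 24 bytes


def parse_option_rom(rom: bytes) -> list:
    """Walk the image chain of a PCI Option ROM dump.

    Each image starts with a 0x55 0xAA header whose field at 0x18 points at the
    'PCIR' structure; PCIR gives the image length (512-byte units), the code
    type and a 'last image' flag.  Returns one dict per image, in ROM order.
    """
    images = []
    offset = 0
    while offset + 0x1A <= len(rom):
        hdr = rom[offset:offset + 0x1A]
        if hdr[0] != 0x55 or hdr[1] != 0xAA:
            raise ValueError(f"bad ROM signature at 0x{offset:x}")
        pcir_off = struct.unpack_from("<H", hdr, 0x18)[0]
        pcir = rom[offset + pcir_off:offset + pcir_off + PCIR_SIZE]
        if len(pcir) < PCIR_SIZE or pcir[:4] != b"PCIR":
            raise ValueError(f"missing PCIR structure at 0x{offset + pcir_off:x}")
        vendor, device = struct.unpack_from("<HH", pcir, 0x04)
        image_len = struct.unpack_from("<H", pcir, 0x10)[0] * 512
        code_type = pcir[0x14]
        last = bool(pcir[0x15] & 0x80)
        info = {
            "offset": offset,
            "length": image_len,
            "vendor_id": vendor,
            "device_id": device,
            "code_type": code_type,
            "code_type_name": CODE_TYPES.get(code_type, "unknown"),
            "last": last,
        }
        if code_type == 3:
            # EFI images carry an extended header: EFI signature, subsystem,
            # machine type, compression flag and the offset of the PE/COFF image.
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", hdr, 0x04)
            if efi_sig != EFI_SIGNATURE:
                raise ValueError(f"EFI code type but bad EFI signature at 0x{offset:x}")
            info["efi"] = {
                "subsystem": subsystem,
                "machine_type": machine,
                "compressed": compression == 1,
                "image_offset": struct.unpack_from("<H", hdr, 0x16)[0],
            }
        images.append(info)
        if last or image_len == 0:
            break
        offset += image_len
    return images


def efi_images(rom: bytes) -> list:
    """Return only the images a UEFI firmware would consider executing."""
    return [img for img in parse_option_rom(rom) if img["code_type"] == 3]


def build_image(code_type: int, vendor: int, device: int, last: bool,
                units: int = 1, machine: int = 0x8664) -> bytes:
    """Build one Option ROM image (constructed test data, no real payload)."""
    img = bytearray(units * 512)
    img[0:2] = b"\x55\xAA"
    pcir_off = 0x40                         # arbitrary, but inside the image
    struct.pack_into("<H", img, 0x18, pcir_off)
    if code_type == 3:
        # InitializationSize, EfiSignature, Subsystem (0x0B = boot service
        # driver), MachineType, CompressionType (0 = uncompressed)
        struct.pack_into("<HIHHH", img, 0x02, units, EFI_SIGNATURE, 0x0B, machine, 0)
        struct.pack_into("<H", img, 0x16, 0x80)  # where the PE/COFF image would start
    else:
        img[2] = units                      # legacy size field, 512-byte units
    pcir = bytearray(PCIR_SIZE)
    pcir[0:4] = b"PCIR"
    struct.pack_into("<HH", pcir, 0x04, vendor, device)
    struct.pack_into("<H", pcir, 0x0A, PCIR_SIZE)
    pcir[0x0C] = 3                          # PCIR structure revision
    struct.pack_into("<H", pcir, 0x10, units)
    pcir[0x14] = code_type
    pcir[0x15] = 0x80 if last else 0x00
    img[pcir_off:pcir_off + PCIR_SIZE] = pcir
    return bytes(img)


# Constructed sample: a legacy BIOS image followed by an EFI driver image.
# Vendor/device IDs are made up; neither image contains executable code.
SAMPLE_ROM = (build_image(0, 0x1234, 0x5678, last=False)
              + build_image(3, 0x1234, 0x5678, last=True, units=2))

if __name__ == "__main__":
    for img in parse_option_rom(SAMPLE_ROM):
        print(f"image @0x{img['offset']:04x} len={img['length']} "
              f"type={img['code_type_name']} last={img['last']}")
    print("images the firmware would execute:",
          [hex(i["offset"]) for i in efi_images(SAMPLE_ROM)])
```

Two things stand out once the format is laid out like this. The Option ROM header has no signature or checksum that ties the code to the device vendor, so a firmware that simply runs every code-type-3 image it finds, as the Mac EFI did when Thunderstrike was disclosed, executes whatever the device presents; and because a ROM is a chain of images, a malicious EFI image can sit behind a harmless-looking legacy one. Hudson's spreading claim is the same property in the other direction: if the device's flash is writable from the host during boot, an infected Mac can rewrite this chain on any device plugged into it.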
How to Prevent Thunderstrike Malware Infection?
Installing Thunderstrike requires physical access: the attacker has to plug a malicious device into the Thunderbolt port at least once, and the installation takes only a couple of minutes of unattended access. Until Apple addresses the flaw with a firmware update, it is therefore important to keep your Mac out of the hands of untrusted people, and, given how the bootkit spreads, to avoid plugging untrusted Thunderbolt devices into it. This is the only countermeasure Hudson suggests in his presentation.
He also mentions that other EFI vulnerabilities remain unfixed by Apple, and that the old Option ROM vulnerability could be closed with an update of just a few bytes. The full Thunderstrike fix is harder, even for Apple; on the other hand, the exploit has not been released publicly, so malicious hackers cannot simply pick it up and use it.
If you have more questions about Thunderstrike, check out Hudson's blog (trmm.net) to read his answers to the questions raised during the presentation at 31C3.