If you own an Apple laptop, then you should be aware of the newest virus that could affect your computer system. The virus can covertly watch your computer use or even leak sensitive data held on your machine. It is virtually undetectable on your laptop and you will not be able to remove it at all.
A security expert has found a way to install malicious code on a tiny chip built into Apple laptops which would resist any attempt at removal – even replacing the entire hard disk will not delete it.
The attack, which is being called Thunderstrike, is virtually undetectable and would require an attacker to get access to a machine for mere moments. And because it is new, no security software will even be looking out for it.
Trammell Hudson, who works for New York hedge fund Two Sigma Investments, said that the discovery came about when his employer asked him to look into the security around Apple laptops.
“We were considering deploying MacBooks and I was asked to use my reverse engineering experience to look into the reports of rootkits on the Mac,” he wrote in an annotated version of a talk he gave at the 31C3 conference.
His first step was dismantling one of the laptops to get access to the boot ROM, a small chip which contains the code which gets the computer up-and-running when first switched on, before the main operating system is even loaded.
Malicious code can be hidden in this ROM which, unlike a normal virus which resides on the hard disk, cannot be removed. This is known as a bootkit attack. That code can be made to do anything an attacker wishes, from covertly observing the user to leaking sensitive data held on the machine.
Although previous researchers have found that modifying the contents of the ROM in Apple laptops renders the computer completely unusable, because security measures look for any changes and shut the machine down if they find them, Hudson was able to circumvent these checks and install any code he wished.
He said that these security measures were always “doomed to fail” and “futile” because anyone who can get access to the contents of the ROM can also get access to the code which checks the ROM for changes. Instead, he says, there should be some unchangeable hardware chip which performs the checks.
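To make that argument concrete, here is an added toy model (not code from the article, from Hudson's talk, or from Apple) of the two designs: an integrity check and its expected digest stored inside the same rewritable ROM as the boot code, versus a check anchored in a fixed digest that the writable region cannot alter. The ROM contents and the hypothetical `ImmutableVerifier` are constructed for illustration.

```python
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a ROM image's boot code."""
    return hashlib.sha256(data).hexdigest()


def build_rom(boot_code: bytes) -> dict:
    """A writable ROM image that carries its own expected digest (the self-checking design)."""
    return {"boot_code": boot_code, "expected": digest(boot_code)}


def self_check(rom: dict) -> bool:
    """Integrity check that lives in the same writable region it is checking."""
    return digest(rom["boot_code"]) == rom["expected"]


def rewrite_rom(rom: dict, new_code: bytes) -> dict:
    """Model of any party able to write the ROM: the stored digest is rewritten with the code."""
    return {"boot_code": new_code, "expected": digest(new_code)}


class ImmutableVerifier:
    """Hypothetical check outside the writable region: the known-good digest is fixed at build time."""

    def __init__(self, known_good_digest: str) -> None:
        self._known_good = known_good_digest  # cannot be changed by writing the ROM

    def verify(self, rom: dict) -> bool:
        return digest(rom["boot_code"]) == self._known_good


# Constructed sample images; real boot ROM contents are not shown on the page.
GENUINE_CODE = b"constructed-genuine-boot-code"
MODIFIED_CODE = b"constructed-modified-boot-code"


def compare_designs() -> dict:
    """Return what each design reports for the genuine and the rewritten ROM."""
    genuine = build_rom(GENUINE_CODE)
    verifier = ImmutableVerifier(digest(GENUINE_CODE))  # anchored before any rewrite
    modified = rewrite_rom(genuine, MODIFIED_CODE)
    return {
        "self_check_genuine": self_check(genuine),
        "self_check_modified": self_check(modified),      # passes: digest rewritten alongside code
        "immutable_genuine": verifier.verify(genuine),
        "immutable_modified": verifier.verify(modified),  # fails: fixed digest no longer matches
    }
```

The rewritten image passes its own check, which is the "doomed to fail" case, while the check anchored outside the writable region still reports the change.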
It was further found that the attack could be carried out without physically taking the machine apart to get to the chip, simply by using the Thunderbolt port. Theoretically any device – a monitor, hard disk or printer – could be used to install malicious code, just by plugging it in and following a few simple steps.
“Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords,” Hudson said.
“It can’t be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won’t remove it. Replacing the SSD won’t remove it since there is nothing stored on the drive.
“Given a few minutes alone with your laptop, Thunderstrike allows the boot ROM firmware to be replaced, regardless of firmware passwords or disk encryption.
Thunderstrike in its current form has been effective against every MacBook Pro/Air/Retina with Thunderbolt that I’ve tested, which is most models since 2011.”
Hudson says that Apple is rolling out a “partial fix” as a firmware update which would stop the ROM being overwritten with malicious code in some circumstances, but not all – such as when a machine is rebooted with a malicious Thunderbolt device plugged in. He first approached the company about the flaw in 2013 but says that some laptops are still vulnerable, as hackers could trick machines into “downgrading” software to a version that doesn’t include the new fix, then attack the machine.
His only suggestion to prevent the attack is to write over the ROM with your own code which disables any such remote attacks via the Thunderbolt port, and then to paint over the screws on your laptop with nail varnish to detect any unauthorised physical access to the ROM. However, this sophisticated measure is as time-consuming as it is out-of-reach to all but the most advanced security experts.
Apple was approached for this story but offered no comment.
Source: The Telegraph