Thunderstrike 2: A New Headache for Apple

Apple has said that Thunderstrike 2 has been partly patched in OS X 10.10.4, which means that this particular version of the bug should not be of immediate concern to fully updated Mac users. Trammell Hudson, the researcher behind it, was approached to confirm this.

Hudson has since posted further details on Thunderstrike 2 and on the status of Apple's fixes. He said that with OS X 10.10.4, Macs are no longer trivially vulnerable to the bug, but he listed several vulnerabilities that Apple still needs to fix. The company has been informed of them.

Roots of the Story

In late 2014, security engineer Trammell Hudson developed and demonstrated a proof-of-concept he called Thunderstrike. It was firmware malware capable of hitching a ride on a Thunderbolt accessory: its purpose was to infect a Mac over the Thunderbolt cable connection. Once a Mac was infected, the malware could be passed on to virtually any accessory connected to it, which would in turn infect other computers. Its weakness was that it needed physical access to the target machine, and that limitation is what the new version set out to remove.

Dubbed "Thunderstrike 2," the new proof-of-concept attack still spreads mainly through infected Thunderbolt accessories. Where the original fell short was that it needed an attacker with physical access to the victim's computer, the so-called "evil maid" (or "evil butler") scenario. The new version can be delivered remotely, through a malicious website or a phishing e-mail. Once the user has unknowingly run it, it can write itself into the Option ROM of any connected accessory that carries one, such as Apple's Thunderbolt-to-Gigabit-Ethernet adapter, and that accessory then infects the next Mac it is plugged into when that machine boots.

The danger of firmware-level malware is that it is practically invisible to virus scanners and anti-malware products, which look at files on disk and in RAM rather than in firmware. Tracing it back to its source is harder still, since its activity leaves nothing for those tools to see. More disturbingly, it is a tough bug to remove: Thunderstrike cannot be used to remove Thunderstrike, because the malware patches the firmware hole it used to get in. In practice, cleaning an implant like this means reflashing the boot ROM with an external programmer rather than trusting software that runs on top of the compromised firmware.
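The Option ROM chain described above is where a practitioner would look for Thunderstrike-style tampering, and the detection gap just mentioned is why file and memory scanners will not find it. As an added example, not code from the article or from Hudson's research, here is a Python audit script that parses a dumped PCI/Thunderbolt Option ROM (the expansion-ROM layout from the PCI Firmware Specification: 55 AA signature, "PCIR" data structure, image length in 512-byte units, code type 3 = EFI, indicator bit 7 marking the last image), hashes each image and compares it with a baseline recorded from a known-clean adapter, flagging modified images, extra images chained on, and data parked after the last image. The sample ROMs, the device ID, the baseline and the tampered variants are all constructed for the demo; dumping the real adapter's ROM is a separate step, the script only takes the bytes.

```python
"""Audit a dumped PCI/Thunderbolt Option ROM against a known-good baseline.

Added example, not the article's or Hudson's code.  Walks the expansion-ROM
image chain (55 AA signature, "PCIR" structure, lengths in 512-byte units,
code type 3 = EFI, indicator bit 7 = last image), hashes each image and
reports anything that differs from a baseline taken from a clean adapter.
All sample ROMs below are constructed for the demo.
"""
import hashlib
import struct

ROM_SIGNATURE = 0xAA55          # bytes 55 AA at the start of every image
PCIR_SIGNATURE = b"PCIR"
EFI_SIGNATURE = 0x0EF1          # at offset 4 of an EFI image header
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def parse_option_rom(rom):
    """Return one dict per image in the ROM, in chain order."""
    images, offset = [], 0
    while True:
        if offset + 0x1A > len(rom):
            raise ValueError(f"truncated image header at {offset:#x}")
        if struct.unpack_from("<H", rom, offset)[0] != ROM_SIGNATURE:
            raise ValueError(f"bad ROM signature at offset {offset:#x}")
        pcir = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
        if rom[pcir:pcir + 4] != PCIR_SIGNATURE or pcir + 0x18 > len(rom):
            raise ValueError(f"missing PCIR structure for image at {offset:#x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        if length == 0 or offset + length > len(rom):
            raise ValueError(f"image at {offset:#x} claims {length} bytes, exceeds dump")
        image = rom[offset:offset + length]
        entry = {"offset": offset, "length": length, "vendor": vendor, "device": device,
                 "code_type": code_type,
                 "code_name": CODE_TYPES.get(code_type, f"unknown({code_type})"),
                 "sha256": hashlib.sha256(image).hexdigest()}
        if code_type == 0:   # legacy images carry a byte checksum over the whole image
            entry["checksum_ok"] = (sum(image) & 0xFF) == 0
        if code_type == 3:   # EFI images carry the 0x0EF1 marker at offset 4
            entry["efi_signature_ok"] = struct.unpack_from("<I", rom, offset + 4)[0] == EFI_SIGNATURE
        images.append(entry)
        offset += length
        if indicator & 0x80:   # bit 7 set: this was the last image in the chain
            return images


def fingerprint(rom):
    """(code_type, sha256) per image: the baseline to record from a clean adapter."""
    return [(i["code_type"], i["sha256"]) for i in parse_option_rom(rom)]


def audit(rom, baseline):
    """Compare a dump with a baseline; returns a list of findings (empty = clean)."""
    try:
        images = parse_option_rom(rom)
    except ValueError as exc:
        return [f"malformed ROM: {exc}"]
    findings = []
    current = [(i["code_type"], i["sha256"]) for i in images]
    if len(current) != len(baseline):
        findings.append(f"image count {len(current)} != baseline {len(baseline)}")
    for n, (got, want) in enumerate(zip(current, baseline)):
        if got != want:
            findings.append(f"image {n} ({images[n]['code_name']}) differs from baseline")
    for n, img in enumerate(images):
        if img.get("checksum_ok") is False:
            findings.append(f"image {n} fails its byte checksum")
        if img.get("efi_signature_ok") is False:
            findings.append(f"image {n} lacks the EFI header signature")
    tail = rom[sum(i["length"] for i in images):]
    if tail.strip(b"\xff\x00"):           # erased flash reads 0xFF; zero fill is also padding
        findings.append(f"{len(tail)} bytes of non-padding data after the last image")
    return findings


def make_image(code_type, units, last, fill, vendor=0x106B, device=0x1234):
    """Build a minimal spec-shaped image for the demo (constructed, not a real dump).
    0x106B is Apple's PCI vendor ID; the device ID is made up."""
    size = units * 512
    img = bytearray(size)
    struct.pack_into("<H", img, 0, ROM_SIGNATURE)
    if code_type == 3:   # init size, EFI signature, subsystem (boot service driver), machine (x64), no compression
        struct.pack_into("<HIHHB", img, 2, units, EFI_SIGNATURE, 0x0B, 0x8664, 0)
    else:
        img[2] = units   # legacy: size in 512-byte units
    pcir = 0x1C
    struct.pack_into("<H", img, 0x18, pcir)
    img[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", img, pcir + 4, vendor, device)
    struct.pack_into("<H", img, pcir + 0x0A, 0x18)        # PCIR length
    struct.pack_into("<H", img, pcir + 0x10, units)       # image length in 512-byte units
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    img[0x40:] = bytes([fill]) * (size - 0x40)            # recognisable body pattern
    if code_type == 0:
        img[-1] = (-sum(img[:-1])) & 0xFF                  # make the byte sum zero
    return bytes(img)


# Constructed sample dumps: a clean adapter (legacy + EFI image), then three tampered variants.
CLEAN_ROM = make_image(0, 1, False, 0x11) + make_image(3, 2, True, 0x22)
BASELINE = fingerprint(CLEAN_ROM)
TAMPERED_ROM = CLEAN_ROM[:0x300] + b"\xde\xad\xbe\xef" + CLEAN_ROM[0x304:]   # patched EFI body
EXTRA_IMAGE_ROM = (make_image(0, 1, False, 0x11) + make_image(3, 2, False, 0x22)
                   + make_image(3, 1, True, 0x33))                           # third image chained on
TRAILING_ROM = CLEAN_ROM + b"\x00" * 16 + b"\x41" * 32                      # data hidden past the chain

if __name__ == "__main__":
    for name, rom in [("clean", CLEAN_ROM), ("tampered", TAMPERED_ROM),
                      ("extra image", EXTRA_IMAGE_ROM), ("trailing data", TRAILING_ROM)]:
        print(f"{name:14s} {audit(rom, BASELINE) or 'no findings'}")
```

The comparison is only as good as the dump and the baseline: record the baseline from an adapter you trust, and read the adapter's ROM with an external programmer where you can, since an implant that rewrites firmware in place can also lie to software that asks the firmware to read itself back.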

The Thunderstrike family is comparable to the earlier BadUSB proof-of-concept, which reprogrammed the firmware of USB devices to attack the hosts they were plugged into. But this time the story is different: Thunderstrike 2 is a worm, and even at this early stage it signals far greater potential damage. That is a real frustration for Apple's faithful users, who are left questioning a platform long assumed to be far more secure than Windows.