Software engineer Trammell Hudson has discovered a way to infect a Mac, through its Thunderbolt port, with malware that is virtually undetectable and extremely hard to remove.
Nicknamed "Thunderstrike", the attack loads malicious firmware into the Option ROM of a Thunderbolt Ethernet adapter. When the Mac boots with the adapter attached, the boot firmware executes that Option ROM, and the payload rewrites the Mac's own boot ROM (its EFI firmware).
The boot ROM holds some of the first code the machine runs when it is powered on. Once it is compromised, everything that loads afterwards, from the bootloader to the operating system, can be tampered with.
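As an added example (not code from the article or from Hudson's Thunderstrike work), the Python below parses a PCI Option ROM image of the kind a Thunderbolt adapter presents to the boot firmware. It walks the image chain and lists each image with its code type, vendor/device IDs and SHA-256, and for EFI images the subsystem and machine type, which is the information you need to compare an adapter's ROM against what its vendor ships. The layouts follow the PCI Expansion ROM header and PCIR data structure from the PCI Firmware and UEFI specifications; the sample ROM, its vendor/device IDs and payload strings are constructed here and are not dumped from any real adapter.

```python
"""Walk a PCI Option ROM image and list the driver images it carries.

Added example, not code from the article or from Hudson's Thunderstrike work.
Header layouts follow the PCI Expansion ROM header and PCIR data structure
(PCI Firmware / UEFI specifications). The sample ROM built at the bottom is
constructed for illustration; its IDs and payloads are placeholders.
"""
import hashlib
import struct

PCI_ROM_SIGNATURE = 0xAA55
EFI_ROM_SIGNATURE = 0x0EF1
CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware",
              0x02: "HP PA-RISC", 0x03: "EFI"}
EFI_SUBSYSTEMS = {0x0B: "EFI application", 0x0C: "EFI boot service driver",
                  0x0D: "EFI runtime driver"}
MACHINE_TYPES = {0x014C: "IA32", 0x8664: "x64", 0xAA64: "AArch64"}


def parse_option_rom(rom: bytes):
    """Return one dict per image in the ROM chain, in the order firmware walks them."""
    images, offset = [], 0
    while True:
        if offset + 0x1A > len(rom):
            raise ValueError(f"ROM truncated at {offset:#x}")
        sig, = struct.unpack_from("<H", rom, offset)
        if sig != PCI_ROM_SIGNATURE:
            raise ValueError(f"no 0xAA55 signature at {offset:#x}")
        pcir_off, = struct.unpack_from("<H", rom, offset + 0x18)  # PcirOffset
        pcir = offset + pcir_off
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"bad PCIR signature at {pcir:#x}")
        # PCIR body after the "PCIR" tag: VendorId, DeviceId, Reserved, Length,
        # Revision, ClassCode[3], ImageLength (512-byte units), CodeRevision,
        # CodeType, Indicator (bit 7 = last image in the chain)
        (vendor, device, _res, _plen, _rev, class_code, img_len,
         _code_rev, code_type, indicator) = struct.unpack_from("<HHHHB3sHHBB", rom, pcir + 4)
        size = img_len * 512
        body = rom[offset:offset + size]
        if len(body) != size:
            raise ValueError(f"image at {offset:#x} claims {size} bytes, ROM too short")
        entry = {
            "offset": offset, "size": size,
            "vendor_id": vendor, "device_id": device,
            "base_class": class_code[2],
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type:#x})"),
            "last": bool(indicator & 0x80),
            "sha256": hashlib.sha256(body).hexdigest(),
            "efi": None,
        }
        if code_type == 0x03:
            # EFI header fields that follow InitializationSize at offset 2
            efi_sig, subsystem, machine = struct.unpack_from("<IHH", rom, offset + 4)
            if efi_sig != EFI_ROM_SIGNATURE:
                raise ValueError(f"EFI image at {offset:#x} lacks 0x0EF1 signature")
            entry["efi"] = {
                "subsystem": EFI_SUBSYSTEMS.get(subsystem, f"unknown({subsystem:#x})"),
                "machine": MACHINE_TYPES.get(machine, f"unknown({machine:#x})"),
            }
        images.append(entry)
        if entry["last"]:
            return images
        offset += size


def efi_images(rom: bytes):
    """Only the images an EFI boot firmware would load: the ones to diff against the vendor's ROM."""
    return [img for img in parse_option_rom(rom) if img["efi"] is not None]


def build_image(code_type, vendor, device, last, *, subsystem=0, machine=0, payload=b""):
    """Build one 512-byte image with its PCIR at offset 0x40 (constructed sample data)."""
    img = bytearray(512)
    struct.pack_into("<H", img, 0, PCI_ROM_SIGNATURE)
    if code_type == 0x03:
        # InitializationSize, EfiSignature, EfiSubsystem, EfiMachineType, CompressionType
        struct.pack_into("<HIHHH", img, 2, 1, EFI_ROM_SIGNATURE, subsystem, machine, 0)
        struct.pack_into("<H", img, 0x16, 0x80)  # EfiImageHeaderOffset
    struct.pack_into("<H", img, 0x18, 0x40)      # PcirOffset
    struct.pack_into("<4sHHHHB3sHHBBH", img, 0x40, b"PCIR", vendor, device, 0, 0x18,
                     3, b"\x00\x00\x02", 1, 0, code_type, 0x80 if last else 0, 0)
    img[0x80:0x80 + len(payload)] = payload
    return bytes(img)


# Constructed sample (placeholder IDs 1234:5678): a legacy BIOS image followed
# by an x64 EFI boot-service driver marked as the last image in the chain.
SAMPLE_ROM = (build_image(0x00, 0x1234, 0x5678, False, payload=b"LEGACY-STUB")
              + build_image(0x03, 0x1234, 0x5678, True, subsystem=0x0C, machine=0x8664,
                            payload=b"EFI-DRIVER-STUB"))

if __name__ == "__main__":
    for img in parse_option_rom(SAMPLE_ROM):
        print(f"{img['offset']:#06x} {img['code_type']:<16} "
              f"{img['vendor_id']:04x}:{img['device_id']:04x} "
              f"{img['efi'] or ''} sha256={img['sha256'][:16]}")
```

Pointed at a real dump (on Linux, the `rom` attribute under `/sys/bus/pci/devices/<bdf>/` can be read after writing `1` to it), the same walk shows every image the firmware would consider; an EFI image whose digest does not match the vendor's release, or an extra image after the one you expect, is what to investigate. The caveat is that the parser only validates headers: a malicious Option ROM can carry perfectly well-formed headers, so the digest comparison, not the parse succeeding, is the actual check.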
“...there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords,” Hudson said.
Once installed, it is extremely hard to remove. Even replacing the hard drive won't help!
“It can’t be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won’t remove it. Replacing the SSD won’t remove it since there is nothing stored on the drive.”
Hudson has shared this information with Apple, which is working on a firmware update to close the vulnerability.
This is not the first time external hardware has been used to carry malware.
The US Department of Defense banned USB flash drives in 2008 over fears that they carried malicious code.
Stuxnet, the infamous worm that disrupted Iran's uranium enrichment facilities, was also delivered via USB.