Thunderstrike 2: What you need to know

Thunderstrike 2 is the latest in a line of OS X 10.10 Yosemite security vulnerabilities that, due to sensationalized reporting, are often a greater risk to customer stress levels than they are actual physical hardware. Still, as reported by Wired, Thunderstrike 2 is absolutely something every Mac owner should be aware of and informed about. So let's do that.

What's a firmware worm?

A firmware worm is a type of attack that targets the part of a computer responsible for booting it up and launching the operating system. On Windows machines, that can include BIOS (Basic Input/Output System). On the Mac, it's EFI (Extensible Firmware Interface).

Bugs in BIOS or EFI code create vulnerabilities in the system that, if not otherwise defended against, can be exploited by malicious programs like firmware worms, which try to infect one system and then "worm" their way onto others.

Because firmware exists outside the operating system, it's typically not scanned for or otherwise detected and isn't erased by a re-installation. That makes it much harder to find and harder to remove. In most cases, you'd need to re-flash the firmware chips to eradicate it.

So Thunderstrike 2 is a firmware worm targeting the Mac?

Yes. The story here is that some researchers decided to test whether or not previously discovered vulnerabilities in BIOS and EFI existed on the Mac as well and, if they did, whether or not they could be exploited.

Because booting up a computer is a similar process across platforms, most firmware shares a common reference. That means there's a likelihood that discovering an exploit for one type of computer means the same or similar exploit can be used on many or even most of computers.

In this case, an exploit affecting a majority of Windows computers also affects the Mac, and researchers were able to use it to create Thunderstrike 2 as a proof-of-concept. And, in addition to being downloadable, to show that it can also be spread by using the Option ROM—the accessory firmware called by the computer firmware—on peripherals like a Thunderbolt adapter.

That means it can spread without the Internet?

It's more accurate to say it can spread over the internet and via "sneakernet"—people walking around and plugging an infected Thunderbolt accessory into one or multiple machines. What makes that important is that it removes "air gapping"—the practice of keeping computers disconnected from each other and the internet—as a defense.

Has Apple fixed Thunderstrike 2 yet?

Of the six vulnerabilities the researchers tested, five were found to affect the Mac. The same researchers said that Apple has already patched one of those vulnerabilities and partially patched another. OS X 10.10.4 breaks the proof-of-concept by restricting how Thunderstrike can get onto the Mac. Whether OS 10.10.5 breaks it even more, or proves to be even more effective at preventing this type of attack altogether, remains to be seen.

Is there anything that could be done to make firmware safer in general?

Cryptographically signing both the firmware and any firmware updates could help. That way nothing would be installed that didn't have Apple's signature and the chances of fraudulent and malicious code infecting EFI would be reduced.

How worried should I be?

Not very. Attacks against EFI aren't new and using peripherals as attack vectors aren't new. Thunderstrike 2 circumvents protections put in place to prevent the original Thunderstrike and combines both internet and sneakernet attack vectors, but it's in the proof-of-concept stage right now and few if any people need to to worry about it in the real world.

In the meantime, the usual advice applies: Don't click on links, download files, or plug in accessories that you don't absolutely trust.

Nick Arnott contributed to this article

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.