Thunderstrike 2 is the latest in a line of OS X 10.10 Yosemite security vulnerabilities that, thanks to sensationalized reporting, often pose a greater risk to customers' stress levels than to their actual hardware. Still, as reported by Wired, Thunderstrike 2 is absolutely something every Mac owner should be aware of and informed about. So let's do that.
What's a firmware worm?
A firmware worm is a type of attack that targets the part of a computer responsible for booting it up and launching the operating system. On Windows machines, that can include BIOS (Basic Input/Output System). On the Mac, it's EFI (Extensible Firmware Interface).
Bugs in BIOS or EFI code create vulnerabilities in the system that, if not otherwise defended against, can be exploited by malicious programs like firmware worms, which try to infect one system and then "worm" their way onto others.
Because firmware exists outside the operating system, it's typically not scanned for or otherwise detected and isn't erased by a re-installation. That makes it much harder to find and harder to remove. In most cases, you'd need to re-flash the firmware chips to eradicate it.
So Thunderstrike 2 is a firmware worm targeting the Mac?
Yes. The story here is that some researchers decided to test whether or not previously discovered vulnerabilities in BIOS and EFI existed on the Mac as well and, if they did, whether or not they could be exploited.
Because booting up a computer is a similar process across platforms, most firmware shares common reference code. That means an exploit discovered for one type of computer will likely work, as-is or with small changes, on many or even most computers.
In this case, an exploit affecting a majority of Windows computers also affects the Mac, and researchers were able to use it to create Thunderstrike 2 as a proof-of-concept. Beyond being delivered as a download, it can also spread via the Option ROM—the accessory firmware that the computer's firmware calls during boot—on peripherals like a Thunderbolt adapter.
That means it can spread without the Internet?
It's more accurate to say it can spread over the internet and via "sneakernet"—people walking around and plugging an infected Thunderbolt accessory into one or multiple machines. What makes that important is that it removes "air gapping"—the practice of keeping computers disconnected from each other and the internet—as a defense.
Has Apple fixed Thunderstrike 2 yet?
Of the six vulnerabilities the researchers tested, five were found to affect the Mac. The same researchers said that Apple has already patched one of those vulnerabilities and partially patched another. OS X 10.10.4 breaks the proof-of-concept by restricting how Thunderstrike can get onto the Mac. Whether OS 10.10.5 breaks it even more, or proves to be even more effective at preventing this type of attack altogether, remains to be seen.
Is there anything that could be done to make firmware safer in general?
Cryptographically signing both the firmware and any firmware updates could help. That way nothing would be installed that didn't carry Apple's signature, and the chances of fraudulent or malicious code infecting EFI would be reduced.
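The signing scheme described above, as an added example that is not part of the original article and not Apple's actual implementation: a Go program using the standard library's Ed25519 that signs a constructed firmware image with a hypothetical vendor key and refuses to flash any image whose signature doesn't verify against the trusted public key. The key label, the image bytes and the SignedUpdate format are all constructed for this demo; a real vendor would keep the private key in an HSM and burn the public half into ROM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an update's signature does not verify
// against the trusted vendor key; the flashing step must never run in that case.
var ErrBadSignature = errors.New("firmware update rejected: signature does not verify against the trusted vendor key")

// SignedUpdate is the bundle a firmware updater would receive: the image plus a
// signature over its digest. (Constructed format for this example.)
type SignedUpdate struct {
	Image     []byte
	Signature []byte
}

// KeyFromSeed derives a deterministic Ed25519 key pair from a label. This stands
// in for the vendor's real signing key (hypothetical; not Apple's key). The
// public half is what the firmware would carry in immutable ROM.
func KeyFromSeed(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label)) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// imageDigest hashes the image so the signature covers every byte of it.
func imageDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// SignUpdate is what the vendor's build pipeline would do before publishing.
func SignUpdate(priv ed25519.PrivateKey, image []byte) SignedUpdate {
	return SignedUpdate{Image: image, Signature: ed25519.Sign(priv, imageDigest(image))}
}

// InstallUpdate is the gate in front of the flash routine. It returns the image
// only if the signature verifies; a modified or unsigned image never reaches
// the chip.
func InstallUpdate(trusted ed25519.PublicKey, u SignedUpdate) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(trusted, imageDigest(u.Image), u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Image, nil
}

// Demo runs three updates through the gate with a constructed key and image and
// reports whether each was accepted: a genuine signed image, the same image with
// one byte altered after signing, and an unsigned image.
func Demo() (genuineOK, tamperedOK, unsignedOK bool) {
	pub, priv := KeyFromSeed("example-vendor-signing-key") // hypothetical key
	image := []byte("EFI firmware image v1.0 (constructed sample bytes)")

	genuine := SignUpdate(priv, image)
	_, err := InstallUpdate(pub, genuine)
	genuineOK = err == nil

	tampered := SignedUpdate{Image: append([]byte(nil), genuine.Image...), Signature: genuine.Signature}
	tampered.Image[0] ^= 0x01 // simulate a worm patching the image after signing
	_, err = InstallUpdate(pub, tampered)
	tamperedOK = err == nil

	unsigned := SignedUpdate{Image: image}
	_, err = InstallUpdate(pub, unsigned)
	unsignedOK = err == nil
	return
}

func main() {
	g, t, u := Demo()
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, unsigned accepted: %v\n", g, t, u)
}
```

Running it prints that only the genuine update is accepted. The important design point is that InstallUpdate trusts a single key it already holds, so neither a downloaded update nor one delivered via a peripheral's Option ROM can be flashed unless the vendor signed exactly those bytes.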
How worried should I be?
Not very. Attacks against EFI aren't new, and using peripherals as attack vectors isn't new either. Thunderstrike 2 circumvents the protections put in place against the original Thunderstrike and combines internet and sneakernet attack vectors, but it's at the proof-of-concept stage right now, and few if any people need to worry about it in the real world.
In the meantime, the usual advice applies: Don't click on links, download files, or plug in accessories that you don't absolutely trust.
Nick Arnott contributed to this article