Thunderstrike 2: What you need to know

Thunderstrike 2 is the latest in a line of OS X 10.10 Yosemite security vulnerabilities that, thanks to sensationalized reporting, are often a greater risk to customers' stress levels than to their actual hardware. Still, as reported by Wired, Thunderstrike 2 is absolutely something every Mac owner should be aware of and informed about. So let's do that.

What's a firmware worm?

A firmware worm is malicious code that targets the part of a computer responsible for initializing the hardware and starting the operating system. On Windows PCs, that's the BIOS (Basic Input/Output System) or its successor, UEFI. On the Mac, it's EFI (Extensible Firmware Interface).

Bugs in BIOS or EFI code create vulnerabilities that, if not otherwise defended against, can be exploited by malicious code such as a firmware worm, which infects one system and then "worms" its way onto others.

Because firmware lives outside the operating system, in flash memory on the logic board, it typically isn't scanned by antivirus software and isn't erased by reinstalling the OS or even by replacing the drive. That makes it much harder to find and much harder to remove. In most cases, you'd need to re-flash the firmware chip itself, typically with a hardware programmer, to eradicate it.

So Thunderstrike 2 is a firmware worm targeting the Mac?

Yes. The story here is that some researchers decided to test whether previously discovered vulnerabilities in PC BIOS and EFI firmware also existed on the Mac and, if they did, whether they could be exploited there.

Because booting a computer is a similar process across platforms, most firmware is built from common reference code rather than written from scratch. That means there's a good chance an exploit discovered against one vendor's firmware works, with little or no modification, against many or even most computers.

In this case, vulnerabilities affecting a majority of Windows PCs also affect the Mac, and the researchers used them to build Thunderstrike 2 as a proof of concept. Beyond being delivered as a download (a malicious website or email link will do), they showed it can also spread through the Option ROM on peripherals such as a Thunderbolt adapter. An Option ROM is firmware stored on the peripheral itself that the host firmware loads and runs during boot, so a modified adapter gets to execute code before the operating system, and any of its defenses, has even loaded.

That means it can spread without the Internet?

It's more accurate to say it can spread both over the internet and via "sneakernet", meaning someone physically plugging an infected Thunderbolt accessory into one or more machines. What makes that important is that it undermines "air gapping", the practice of keeping sensitive computers disconnected from other machines and from the internet, as a defense: the infection rides in on the accessory, and because it's a worm, an infected Mac can in turn write itself into the Option ROM of a clean accessory plugged into it, which then carries it onward.

Has Apple fixed Thunderstrike 2 yet?

Of the six vulnerabilities the researchers tested, five were found to affect the Mac. According to the same researchers, Apple has fully patched one of those and partially patched another. OS X 10.10.4 breaks the current proof of concept by restricting how Thunderstrike 2 can get onto the Mac in the first place; it does not, by itself, close the remaining underlying vulnerabilities. Whether OS X 10.10.5 breaks it further, or proves more effective at preventing this type of attack altogether, remains to be seen.

Is there anything that could be done to make firmware safer in general?

Cryptographically signing both the firmware and every firmware update would help: the Mac would refuse to install anything into EFI that didn't carry a valid Apple signature, which greatly reduces the chance of fraudulent or malicious code getting in. The caveat is that the signature check has to run in code the attacker can't modify, with the verification key stored somewhere immutable. A check that lives in the same writable flash as the firmware it protects can simply be patched out by the first exploit that gains write access.

How worried should I be?

Not very. Attacks against EFI aren't new, and using peripherals as an attack vector isn't new either. Thunderstrike 2 circumvents the protections Apple put in place against the original Thunderstrike and combines internet and sneakernet vectors, but it's a proof of concept right now, and few if any people need to worry about it in the real world.

In the meantime, the usual advice applies: don't click links, download files, or plug in accessories that you don't absolutely trust, and install OS X updates as they arrive, since that's how the fixes reach your Mac.

Nick Arnott contributed to this article

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

17 Comments
  • Those same researchers note that Apple has known for months about this newer virus and has done very little to close the door. Only 10.11 was noted as being fixed for all 6 vulnerabilities.
  • "Apple has known for months about this newer virus" I'll say this slowly so you can understand... "IT'S NOT A VIRUS!!!" If you want to call allowing a hacker to get hold of your Mac, and allowing said hacker to plug a drive into your Mac's Thunderbolt port to install the exploit, a "virus", then we would need to rewrite the definition of the word in every dictionary in the world. A friend of mine gave this analogy: "Oh, hello Mr. Burglar. Please come in. Look, I'll just mosey off for a coffee for a while. Here are the combinations to the safe in the bedroom, and the more important safe hidden in the basement behind the Elvis painting. And I've got a bunch of cash hidden in the mattress. Oh no! Oh no! I'm going to write an inflammatory article about how the designer of my house didn't fully protect me."
  • This new exploit is already being implemented via web sites. It has nothing to do with plugging in a local cable. Please learn to read ViewRoyal before spewing.
  • I think you're thinking of DYLD and not Thunderstrike?
  • This isn't technically right. The virus thing on firmware worms is right; however, the fact is that not all of these exploits need to happen over a physical connection, and two of them can actually be downloaded and cause issues.
  • Apple will fix this when they feel we are ready for it.
  • As usual, your measured and non-sensational response to such stories is appreciated.
  • Maybe, but not when it comes to Android security flaws; then he uses that to get you to switch to iPhone. And no, I am not denying there is not a problem on Android (there is), but he doesn't like FUD but still spreads it. I will now go away and be less grumpy.
  • Thanks, Rene, for explaining this. I was wondering if this was more a proof-of-concept over an actual attack. I'm sure Apple is working on fixing this. One thing you didn't mention, the video I saw stated that some Macs were vulnerable, indicating that it isn't across the board. Also, the part where it can be transferred to another Mac, well, isn't that only with Thunderbolt, and I wonder if this is only with certain devices again, and not all. ...In any case, any older Mac without Thunderbolt, wouldn't be able to transfer/worm it...have I got that right?
  • I expect to see a mad dash of cheap Thunderbolt to Ethernet adapters and Thunderbolt SSD enclosures on eBay. Great way to infect the clueless.
  • Why does it have to be only cheap devices? Bribe a worker at any plant to add this on any product.
  • The last paragraph is all that I needed to hear. Lol.
  • Ok, really dumb question here... this affects Thunderbolt accessories; would this mean my 12" MacBook is not affected, or can this worm infect any accessories, like USB too? Obviously (as always) downloaded files and email links need to be from a trusted source.
  • So, if this thing actually gets out into the wild, we have this group [proof-of-concept] to thank. Check. Are the people who invent computer attacks regulated in any way, shape, or form? Holy cow!
  • It's not a huge deal, although, of course, it should get fixed. You'd almost have to try to get this if you're technically savvy at all... and most naive users probably don't use TB. Still, good to know about it. That said, the media circus around this has been ridiculous. (Of course, we all know Wired is a shill.) This almost ranks up there with the Jeep (supposedly, even though impossible) being hacked. LOL