New Apple malware is undetectable, unstoppable, and can infect any Thunderbolt-equipped device

January 8, 2015 – 6:00 PM

Apple products have long enjoyed a reputation for better security than Windows systems, but a new proof-of-concept malware delivery method could put a serious dent in that reputation. The exploit, dubbed Thunderstrike, currently can’t be detected or removed by any known process without using specialized hardware. Security researcher Trammell Hudson has demonstrated how a Thunderbolt peripheral can be used to load what he’s calling a “bootkit” via the peripheral’s Option ROM.

Option ROMs are optional, peripheral-specific blocks of firmware that were first deployed in the 1980s as a way of storing programs a device needs before the operating system loads. They are initialized early in the boot process and often “hook” into the BIOS to provide a bootable device or network boot. Thunderbolt devices contain their own Option ROMs, and Apple hardware reads and executes these as part of its boot sequence.

The exploit package is injected from the infected Thunderbolt device’s Option ROM directly into the system’s extensible firmware interface (EFI). Official documentation on the EFI/UEFI standard, shown below, seems to imply that this is impossible, since the firmware is supposed to be locked by default.
