Thunderstrike MacBook malware attacks computers via Thunderbolt port

The Thunderstrike malware goes undetected in the system and sits inside the ROM

MacBook users are being warned about a new piece of malware dubbed Thunderstrike that can infect their devices using the Thunderbolt port.

US-based online security expert Trammell Hudson revealed the security hole at the Chaos Computer Congress (CCC) in Germany.

The rootkit malware can be loaded and installed onto the computer using Thunderbolt-enabled devices, writing custom code to a MacBook's boot ROM. It can also easily be transferred between machines using the port.

Hudson explained that because the malware sits inside the computer's ROM, rather than on the hard drive, it can go undetected, allowing hackers access to a computer's confidential files without the user knowing.

He said: "For an attacker with sufficient Option ROM space, the job is done: put your payload in the device's ROM, pass a pointer to it to process firmware volume and it will be flashed for you.

"Option ROMs can circumvent flash security by triggering recovery mode boots with signed firmware and causing the untrusted code to be written to the ROM. And the attacker now controls the signing keys on future firmware updates, preventing any software attempts to remove them."

Previous research into Mac malware demonstrated that a computer is more likely to be rendered useless when its ROM is rewritten using software, but Hudson discovered this isn't the case with Thunderstrike. It could allow hackers to embed new code that makes the computer behave differently.

"Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords," Hudson said.

Apple is reportedly issuing a partial fix for the security hole, which will be rolled out as a firmware update.
