Insecurity despite Obscurity: Thunderstrike 2 Rootkit Can Now Infect Macs Remotely

Earlier this year, security researcher and engineer Trammell Hudson came out with a proof-of-concept malware that could lie dormant in any Thunderbolt accessory and then infect the OSX device that the accessory gets plugged into. Dubbed ‘Thunderstrike’ by its creator, it was touted to be the first of its kind, and the implications of being infected by it (having the affected device become permanently backdoored) were deemed serious enough that Apple had to address it with a patch of its own.

Thunderstrike 2

Now it seems that Hudson has come up with a sequel to his brainchild, with ‘Thunderstrike 2’, an improved version that has the same backdoor capabilities as its predecessor, but with one main difference: it doesn’t need physical access to propagate. Rather, it can do so remotely, by way of a phishing email and/or malicious website.

Once it is downloaded onto a system through one of those infection vectors, it proceeds to infect any accessory connected to the system that uses an Option ROM (the example commonly cited is Apple’s Thunderbolt-to-gigabit Ethernet adapter). From there, the accessory is ‘loaded’ and can infect any Mac it is plugged into. After that, it is just a matter of the infected Mac rebooting for the malware to run.

As of this writing, Apple has rolled out another patch to solve this issue, but Trammell Hudson believes that it is only a partial fix to the problem, and that there are several vulnerabilities that Apple needs to fix in order to fully eradicate it.

Mac Myth-Busting

This is another blow to the Mac’s much-touted ‘security through obscurity’, or the old thinking that Macs were safer than PCs. To be more accurate, there simply aren't as many threats designed to affect Macs as there are for the PC platform. But security that relies on cybercriminals overlooking a particular platform because of its small user base is no security at all. Not only are OSX devices becoming much more popular as more people and businesses use Apple devices, but cybercriminals are ever-widening the scope of their attacks to reach the greatest number of victims (and revenue) by resorting to cross-platform attacks.

What also makes attacks like Thunderstrike and its successor dangerous is that they attack the firmware of the system they infect, rather than its files or RAM. Such threats are difficult to detect and remove, as rootkits tend to be. The fact that Thunderstrike also patches the security hole that allowed it to infect the system in the first place means the same method can’t be used to remove it.

Users, no matter what platform they use, need to be protected, and relying on cybercriminals’ oversight is no way to stay safe. Installing a security solution, as well as following best security practices and safe online habits, is key to defending against cyber-attacks.
