Tuesday, 4 August 2015

Researchers Develop Worm That Infects Mac Firmware

Researchers have developed a worm that can infect the firmware of Mac computers and spread from there to other Macs, even if they are not connected to each other via a network. Not only is the attack difficult to detect, but preventing or removing an infection would also be almost impossible.

"For most users, this would mean that they should throw away their computer. Most people and organizations do not have the expertise to open their machine and reprogram the electronic chip," researcher Xeno Kovah told Wired. Kovah investigated the firmware attack together with researcher Trammell Hudson. The two will present their findings this week at the Black Hat conference in Las Vegas.


Firmware, on PCs often referred to as BIOS or UEFI, is essential for the operation of the system and is the first software that is loaded. Infected firmware can survive a reinstallation of the operating system or replacement of the hard drive. In the past, Kovah discovered, together with another researcher, several vulnerabilities in the BIOS of PCs. Now it appears that the same vulnerabilities are also present in Mac computers. "Almost all the attacks we found for PCs also work on the Mac," said Kovah.

The researchers decided to inform Apple. One of the vulnerabilities has been fixed, while another has been partially solved. Three vulnerabilities, however, are still waiting for an update. Through the vulnerabilities it is possible to create a worm that can spread unnoticed among MacBooks, say the researchers. Because the worm sits outside the operating system, it will not be noticed. The malware needs only seconds to infect the firmware, and the attack can be carried out remotely, for example by sending an infected email attachment.

Once a Mac is infected, the malware can infect the firmware of Thunderbolt devices. These devices will, when connected to another Mac, infect that computer. Another problem, according to the researchers, is that security software does not check the contents of firmware. To prevent firmware attacks, Hudson and Kovah advise manufacturers to allow only signed firmware and firmware updates, and to equip hardware with, for example, a physical switch that prevents unwanted updating of the firmware. The researchers also made a video in which the attack is demonstrated.
