Connect with us

Hi, what are you looking for?


Malware & Threats

Experimental Malware Shows Threat Posed by OS X Firmware Bootkits

Highly persistent Mac OS X firmware bootkits can be installed on Apple computers, giving attackers full control of the device, a researcher has warned.

Highly persistent Mac OS X firmware bootkits can be installed on Apple computers, giving attackers full control of the device, a researcher has warned.

At the Chaos Communication Congress (31C3) that took place in Germany in late December, researcher Trammell Hudson demonstrated the capabilities of an experimental piece of malware that can be installed on the EFI (Extensible Firmware Interface) boot read-only memory (ROM) of Apple MacBooks through the Thunderbolt port.

Dubbed “Thunderstrike” by the expert, the bootkit can be installed within minutes by an attacker who has physical access to the targeted device (i.e. an “evil maid” attack). The threat is also capable of copying itself to Thunderbolt devices connected to the initially infected machine, which enables it to easily spread to other computers.

Thunderstrike doesn’t have a malicious payload, but the researcher says a weaponized version of the bootkit would be highly dangerous. First of all, it would be difficult to detect because there are no systems in place for identifying firmware rootkits on OS X. Furthermore, the malware is stealthy because it can hide by leveraging the system management mode (SMM).

In addition to being difficult to detect, the bootkit is difficult to remove. Reinstalling OS X doesn’t help because the threat is independent of the operating system, and replacing the hard drive is useless because none of the malware’s components are stored on it. Attempts to replace the firmware by using regular methods are made ineffective by Thunderstrike since it changes the RSA public keys in the boot ROM. Hudson noted that firmware passwords do not prevent this type of attack.

Once installed, the bootkit controls the system from the first instruction, which enables it to inject backdoors into the OS X kernel, log keystrokes, and perform other malicious tasks on behalf of its master.

The experimental OS X firmware bootkit developed by Hudson has been successfully tested on MacBooks, but it also works on Mac Mini and iMac with Retina display devices.

Hudson says he’s not aware of any such Mac OS X firmware bootkits in the wild.

Advertisement. Scroll to continue reading.

“Apple has a partial fix that they have started shipping in the new Mac Mini’s and iMac Retinas, and they plan to release it for older Macs soon as a firmware update. Their fix is to not load Option ROMs during firmware updates, which is effective against the current proof-of-concept,” the expert said.

“However… it is not a complete fix. Option ROMs are still loaded on normal boots, allowing snare’s 2012 attack to continue working. Older Macs are subject to downgrade attacks by ’updating’ to a vulnerable firmware version,” he noted.

Hudson is not the only one who presented firmware attacks at the 31C3 security conference. Researchers Rafal Wojtczuk and Corey Kallenberg disclosed several serious UEFI vulnerabilities affecting various vendors.

Additional technical details on the Thunderstrike OS X firmware bootkit are available on Hudson’s blog.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.