Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Experimental Malware Shows Threat Posed by OS X Firmware Bootkits

Highly persistent Mac OS X firmware bootkits can be installed on Apple computers, giving attackers full control of the device, a researcher has warned.

Highly persistent Mac OS X firmware bootkits can be installed on Apple computers, giving attackers full control of the device, a researcher has warned.

At the Chaos Communication Congress (31C3) that took place in Germany in late December, researcher Trammell Hudson demonstrated the capabilities of an experimental piece of malware that can be installed on the EFI (Extensible Firmware Interface) boot read-only memory (ROM) of Apple MacBooks through the Thunderbolt port.

Dubbed “Thunderstrike” by the expert, the bootkit can be installed within minutes by an attacker who has physical access to the targeted device (i.e. an “evil maid” attack). The threat is also capable of copying itself to Thunderbolt devices connected to the initially infected machine, which enables it to easily spread to other computers.

Thunderstrike doesn’t have a malicious payload, but the researcher says a weaponized version of the bootkit would be highly dangerous. First of all, it would be difficult to detect because there are no systems in place for identifying firmware rootkits on OS X. Furthermore, the malware is stealthy because it can hide by leveraging the system management mode (SMM).

In addition to being difficult to detect, the bootkit is difficult to remove. Reinstalling OS X doesn’t help because the threat is independent of the operating system, and replacing the hard drive is useless because none of the malware’s components are stored on it. Attempts to replace the firmware by using regular methods are made ineffective by Thunderstrike since it changes the RSA public keys in the boot ROM. Hudson noted that firmware passwords do not prevent this type of attack.

Once installed, the bootkit controls the system from the first instruction, which enables it to inject backdoors into the OS X kernel, log keystrokes, and perform other malicious tasks on behalf of its master.

The experimental OS X firmware bootkit developed by Hudson has been successfully tested on MacBooks, but it also works on Mac Mini and iMac with Retina display devices.

Hudson says he’s not aware of any such Mac OS X firmware bootkits in the wild.

“Apple has a partial fix that they have started shipping in the new Mac Mini’s and iMac Retinas, and they plan to release it for older Macs soon as a firmware update. Their fix is to not load Option ROMs during firmware updates, which is effective against the current proof-of-concept,” the expert said.

“However… it is not a complete fix. Option ROMs are still loaded on normal boots, allowing snare’s 2012 attack to continue working. Older Macs are subject to downgrade attacks by ’updating’ to a vulnerable firmware version,” he noted.

Hudson is not the only one who presented firmware attacks at the 31C3 security conference. Researchers Rafal Wojtczuk and Corey Kallenberg disclosed several serious UEFI vulnerabilities affecting various vendors.

Additional technical details on the Thunderstrike OS X firmware bootkit are available on Hudson’s blog.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.