Thunderstrike Firmware Worm in Mac OS X

It’s that time of year again.  The Black Hat USA conference ends in Las Vegas today and DEF CON runs through this Sunday, August 9th.  The conferences will expose a new series of exploits that security researchers and hackers from around the world are sharing this week.  Xeno Kovah and Trammell Hudson discovered a new zero-day exploit in Mac OS X they named Thunderstrike 2 that attacks your Mac firmware through Thunderbolt external devices.  The worm could result in a bricked system.


Xeno Kovah and Trammell Hudson are presenting the Thunderstrike 2 zero-day exploit at the Black Hat conference in Las Vegas today.  The exploit is a proof of concept that shows how an attacker can brick your system.  Rather than spread online, the malware uses Thunderbolt external devices like a wifi adapter or hard drive to infect your firmware.  That means when you connect the same external hard drive to another system it would infect it as well.  Apple is already working on a fix for the exploit.

If you don’t use Thunderbolt external devices with your Mac then you aren’t at risk.  The new Thunderstrike 2 zero-day exploit is not spread online so you only need to be concerned if you connect an external device.  That differs from the DYLD vulnerability which leaves all Mac users at risk.  Apple is working on a fix for both Mac OS X Yosemite and El Capitan.  They have taken additional steps to help block the malware in the meantime.

Since the new Thunderstrike 2 exploit impacts the firmware there’s no chance for scanning software to find the malware.  That makes firmware exploits more dangerous since they remain undetectable.  You would initially receive the malware from a phishing email or malicious web site.  From there it would spread to the option ROM firmware of any external thunderbolt devices.  The worm would only spread if you connect the external device to another Mac system.

In years past many thought that Apple had a security advantage over Windows.  The list of vulnerabilities in Windows was quite large compared to Mac OS X.  While the numbers are still slanted it only takes a single zero-day exploit to brick your machine, regardless of which operating system it’s running.  The same could be said for the ever growing number of IoT devices.  As IoT devices spread throughout the world so will the exploits connected to them.

At the end of the day you can only do so much to secure your system.  Make sure to enable automatic updates (already set in Windows 10), keep your antivirus definitions up to date, and use multi-factor authentication whenever possible.  These steps along with strong passwords will keep you safe from most exploits.  We also suggest using a VPN to encrypt your data and help protect your online privacy.

A VPN service will help protect your online privacy and unblock sites from around the world. We support a free and open Internet.