Macs are vulnerable to Thunderstrike 2 firmware malware that survives formatting

Macs have long been touted as being immune to viruses and malware -- but there have been plenty of vulnerabilities that show this to be a fallacy. Apple's own claims that its hardware was not susceptible to the same firmware security flaws as PCs served only to encourage people to prove the company wrong.

At Black Hat USA on Thursday, researchers will demonstrate that not only can Macs be remotely infected with malware, but that this malware can survive a user formatting the system. In a talk at the InfoSec event in Las Vegas that focuses on all manner of security topics, Trammell Hudson, Xeno Kovah, and Corey Kallenberg will show that Macs are just as vulnerable to remote attacks as PCs using the Thunderstrike 2 backdoor.

Thunderstrike 2 is impressive in its efficacy. The malware can be remotely installed and can spread between Macs even if they are air-gapped or not networked. The way Thunderstrike 2 locks itself into firmware means that the infection remains in place even if OS X is wiped out and reinstalled; it is also very difficult for security software to detect, let alone do anything about. Xeno Kovah says:

For most users that's really a throw-your-machine-away kind of situation. Most people and organizations don't have the wherewithal to physically open up their machine and electrically reprogram the chip.

The world will get a chance to see the attack in action at Black Hat USA later in the week. The billing for the demonstration says:

This talk will provide conclusive evidence that Macs are in fact vulnerable to many of the software only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.

Apple has previously stated that in order to become infected with firmware malware, direct physical access to a Mac is required. The team behind the revelation is not entirely new to this: it is the same team who demonstrated the LightEater vulnerability that afflicted millions of BIOSes. Although there is a widely-held belief that Macs are more secure than PCs, the counter-argument is that this is simply because of the numbers involved. There are far more PCs in use than Macs, so it make sense for a malware peddler to hit as many system as possible with PC-specific attacks.

Thunderstrike 2 will also be demonstrated at Def Con this weekend.