A new type of Apple malware is being called “undetectable” and “unstoppable” by security researchers, putting further doubt in the belief that Apple is the safer, more secure operating system.
The new malware is in the proof-of-concept stage at this point. Researchers have proved that this type of virus could exist, and it might already exist in the world, but nobody knows for sure.
What happened to Apple’s virus-free claim?
For years, Apple was the darling of the computer security world. Throughout the 1990s and early 2000s, Apple was seemingly impenetrable to malware and viruses.
But in the last few years, things have changed. In 2013, Forbes wrote an article entitled, “Yes, Apple Really Does Have a Serious Problem With Computer Viruses And Malware”.
Serious vulnerabilities have been discovered in the Apple ecosystem. The Flashback virus from 2011 infected approximately 600,000 Mac computers and shattered the belief that Macs were virus-free.
Then, in 2014, the Shellshock virus was discovered on Macs after lying dormant since the 1980s, during which time any number of people could have exploited it.
Making matters worse was how Apple responded to these viruses: they didn’t. Instead of issuing an immediate fix, Apple seemed to ignore virus problems hoping they would just go away. When Apple did release a fix, they often messed it up, or released it too late to help the majority of infected users.
In short, Apple was taking the same lackluster approach to security that it had accused Microsoft of using over the past few decades.
How this new malware works
This new malware is still in the proof-of-concept stage at this point. That means researchers have created a working version of the malware and proved that it could exist. Here’s how this new “undetectable” and “unstoppable” malware works:
- The exploit is called Thunderstrike.
- Thunderstrike currently cannot be detected or removed by any known process or software. You actually have to install specialized hardware to remove it.
- It was created by security researcher Trammell Hudson, who demonstrated how to use a Thunderbolt peripheral to load a bootkit onto the device’s Option ROM.
- Option ROMs are optional, peripheral-specific blocks of memory that were first deployed in the 1980s as a way to store critical, peripheral-specific programs.
- These Option ROMs launch early in the boot process and actually “hook” into the BIOS. They do this in order to facilitate a network boot or a boot from the device.
- The exploit is injected directly from the infected Thunderbolt device’s Option ROM into the system’s Extensible Firmware Interface, or EFI.
- The user sees nothing but a longer-than-normal boot cycle.
Sorry: I may have lost a few of you in all the tech talk above. I’ll put this attack in a more down-to-earth way. Someone could walk past your Mac computer, quietly plug a Thunderbolt device in, then hold down the power button to immediately self-install an undetectable piece of malware on your device.
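To make the Option ROM part of this concrete from a defender's side, here is an added example (not code from the article, nor from Trammell Hudson's research) that parses the header of a PCI expansion ROM, the on-disk format an Option ROM is stored in, and reports which images it contains and whether any of them is EFI code. It assumes the image layout from the PCI Firmware Specification (a 0x55AA signature, a pointer at offset 0x18 to a "PCIR" data structure, and a code-type byte in that structure), and it builds a constructed two-image ROM inline so it runs offline. An inventory check like this is what a firmware policy such as "refuse to load Option ROMs" would have to decide on; it does not make anything load.

```python
import struct

# Code-type values from the PCIR data structure (PCI Firmware Specification).
CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}
ROM_SIGNATURE = b"\x55\xAA"
PCIR_SIGNATURE = b"PCIR"
# PCIR layout: signature, vendor, device, reserved, length, revision, class code,
# image length (512-byte units), code revision, code type, indicator, reserved.
PCIR_FORMAT = "<4sHHHHB3sHHBBH"
ROM_HEADER_LEN = 0x1A  # bytes that must exist before the PCIR pointer can be read


def build_rom_image(vendor_id, device_id, code_type, last, blocks=1):
    """Build one constructed expansion-ROM image of blocks * 512 bytes.

    Everything outside the header and the PCIR structure is zero padding; this
    is test data, not a real peripheral's firmware.
    """
    image = bytearray(blocks * 512)
    image[0:2] = ROM_SIGNATURE
    pcir_offset = 0x1C  # hypothetical placement just past the header
    struct.pack_into("<H", image, 0x18, pcir_offset)
    pcir = struct.pack(PCIR_FORMAT, PCIR_SIGNATURE, vendor_id, device_id, 0,
                       struct.calcsize(PCIR_FORMAT), 3, b"\x00\x00\x00",
                       blocks, 0, code_type, 0x80 if last else 0x00, 0)
    image[pcir_offset:pcir_offset + len(pcir)] = pcir
    return bytes(image)


def demo_rom():
    """A constructed ROM with a legacy x86 image followed by a final EFI image.
    Vendor/device IDs are made-up placeholders, not real hardware IDs."""
    return (build_rom_image(0x1234, 0x5678, 0x00, last=False, blocks=2)
            + build_rom_image(0x1234, 0x5678, 0x03, last=True, blocks=3))


def parse_option_rom(rom):
    """Walk the chained images in an expansion ROM and describe each one.

    Stops at the image whose indicator byte has bit 7 set (the last image),
    so trailing bytes after it are ignored. Raises ValueError on a missing
    signature or a zero-length image rather than guessing.
    """
    images = []
    offset = 0
    while offset + ROM_HEADER_LEN <= len(rom):
        if rom[offset:offset + 2] != ROM_SIGNATURE:
            raise ValueError(f"no 55AA signature at offset {offset:#x}")
        (pcir_ptr,) = struct.unpack_from("<H", rom, offset + 0x18)
        pcir_at = offset + pcir_ptr
        if pcir_at + struct.calcsize(PCIR_FORMAT) > len(rom):
            raise ValueError(f"PCIR pointer {pcir_ptr:#x} runs past end of ROM")
        fields = struct.unpack_from(PCIR_FORMAT, rom, pcir_at)
        sig, vendor, device, _, _, _, _, blocks, _, code_type, indicator, _ = fields
        if sig != PCIR_SIGNATURE:
            raise ValueError(f"no PCIR structure at offset {pcir_at:#x}")
        if blocks == 0:
            raise ValueError(f"zero-length image at offset {offset:#x}")
        images.append({
            "offset": offset,
            "length": blocks * 512,
            "vendor_id": vendor,
            "device_id": device,
            "code_type": code_type,
            "code_type_name": CODE_TYPES.get(code_type, f"unknown ({code_type:#x})"),
        })
        if indicator & 0x80:
            break
        offset += blocks * 512
    return images


def has_efi_image(images):
    """True if any image carries EFI code, the kind that would run inside the
    firmware environment the article describes."""
    return any(img["code_type"] == 0x03 for img in images)


if __name__ == "__main__":
    found = parse_option_rom(demo_rom())
    for img in found:
        print(f"image at {img['offset']:#06x}, {img['length']} bytes, "
              f"vendor {img['vendor_id']:#06x}, type {img['code_type_name']}")
    print("contains EFI code:", has_efi_image(found))
```

The parser trusts nothing it has not checked: a bad signature, a PCIR pointer beyond the buffer or a zero-length image each raise instead of being skipped, because an inventory tool that silently skips a malformed image is exactly the gap a hidden payload would sit in.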
Same exploit used by the NSA
Edward Snowden revealed that the NSA intercepts hardware en route from Dell, HP, and other manufacturers. It modifies that hardware with rootkits and spyware, and then uses that software to spy on users once the hardware reaches its final destination.
Just like the NSA’s exploit, this Apple exploit relies on intercepting a device and installing malware in device firmware instead of exploiting software vulnerabilities or using online exploits.
That’s why some are calling the Thunderstrike exploit “worth their weight in gold to the various national intelligence agencies of the world.”
Apple already preparing a fix
Apple, surprisingly enough, is promptly responding to this security threat. It is already preparing a firmware patch that will refuse to load Option ROMs during firmware updates, which could make this hole more difficult – but not impossible – to exploit.