Thunderstrike 2, New Zero-Day Vulnerability

The Bad News: With every Black Hat season comes new vulnerabilities and zero-day exploits for our precious devices. According to, Xeno Novah and Trammell Hudson have found a serious exploit that potentially impacts all Apple devices. TechCrunch reports that this “firmworm” helps malware completely disable Apple devices, leaving users with no way to reboot their machines.

Thunderstrike 2 targets a device’s firmware through potentially any Thunderbolt linked accessory. Through receiving malicious code in an email or online link the malware looks for connected Thunderbolt accessories and infects them with its Option ROM. If the infected Thunderbolt accessory is connected when the device turns on, the malicious code targets firmware Basic Input/Output System (BIOS) for booting the device. The Extensible Firmware Interface (EFI) will execute Option ROM on Thunderbolt attachment before it boots OSX. The malicious code will infect the EFI itself and the device can be rendered inert and unfixable. If EFI is compromised, there is no way to reboot OSX, update firmware and remove malicious code. Additionally, the infected accessory device remains infected, and will infect other devices if connected.

This exploit news is not totally unexpected, a deluge of exploits is normal during Black Hat conference season, afterall. Uncomfortably, perhaps, it also comes in the wake of another Mac exploit last month. Stefan Esser found the DYLD exploit that allowed attackers to gain root privilege. There has been some evidence of adware creators using this vulnerability to install unwanted adware applications like VSearch, Genieo, and MacKeeper on users devices, also disabling the Mac App Store.


Apple has already fixed DYLD in El Capitan’s beta but not in Yosemite, and has also already added applications using these exploits to the malware blacklist.

The Good News: According to a recent report from Ars Technica Apple have already partially patched this vulnerability in OS X 10.10.4, so fully updated users should be OK. Per Ars Technica Hudson has posted more information about the exploit here. According to Hudson, thanks to the update Macs are no longer “trivially vulnerable” but insists there are several vulnerabilities still. The pair of researchers will present more on the topic tomorrow at the Black Hat conference. To be extra careful until the fixes are formalize, be careful downloading (as always) and unplug any Thunderbolt accessories before booting your device. As Ars Technica‘s Andrew Cunningham points out, the real trouble with firmware-level malware is that most virus scans and anti-malware services search only in RAM and files stored on the desk. An infected accessory is difficult to detect, and just as tough to remove. Cunningham demonstrates that “You can’t use Thunderstrike to remove Thunderstrike” because, amazingly, the infected firmware patches the original security flaw.

Photo by Trammell Hudson

Lastly, these exploits don’t only impact Apple’s devices. The exploits are common to most EFI firmware, including PCs by Dell, HP, Lenovo, Samsung, and more. However, numerous vulnerabilities also applied to Mac’s firmware, and Apple has only succeeded so far in partially fixing these issues.