Thunderstrike Malware: Could It Still Be a Threat to Your Mac?

Back in 2015, a proof-of-concept piece of Mac malware arrived under the name Thunderstrike. The name was chosen because the software specifically used the Thunderbolt port in newer Macs as its infection vector, and it was designed to use an ethernet adapter as its carrier. Apple addressed the issue with the Mac OS X 10.10.2 Update, which inoculated Yosemite. All subsequent versions of macOS have included the fix, but pre-Yosemite Macs with Thunderbolt ports remain at risk.

Thunderstrike graphic from comic book

However, that wasn’t the end of the story. Although it didn’t come to light for two years, it appears that the CIA was behind Thunderstrike as a tool for hacking Macs. The CIA’s targeting of Macs goes back to at least January 2009 and worked by installing a driver into the Mac’s EFI that could not be readily removed. An early version, known as Triton, required administrative access to a Mac running OS X 10.7 Lion or 10.8 Mountain Lion (OS X 10.6 Snow Leopard works differently, and the earliest Macs with Thunderbolt shipped with OS X 10.6.6), not giving it much of a vector for infection.

Thunderstrike was a proof of concept and is not known to have made it into the wild because it required physical access and administrative access for installation.

A later version of the CIA’s malware (late 2012), known as Der Starke, specifically addressed OS X 10.8 Mountain Lion and 10.9 Mavericks and used a USB device as its infection vector. It even included a tool known as Sonic Screwdriver (with a tip of Tom Baker’s floppy hat to Doctor Who fans) for bypassing the Mac’s firmware password.

Thunderstrike 2

That’s the back story, but the story of Thunderstrike continues with a later version, Thunderstrike 2, which could be distributed as an email attachment and didn’t require physical access to the Mac under attack. It arrived in August 2015, and Apple partially addressed it with Mac EFI Security Update 2015-001, and the OS X 10.10.4 update made Macs much less vulnerable to such an infection.

Thunderstrike 2 had a fascinating infection vector. Any Thunderbolt accessory – but only Thunderbolt accessories – could potentially be infected and spread Thunderstrike 2 to the next Mac it was plugged into. An infected Mac could still be infecting Thunderbolt accessories today, although with the limited number of Thunderbolt accessories that get moved from one Mac to another, that’s a low percentage game for spreading malware.

To answer the question in the title of this article, yes, Thunderbolt 2 could potentially be a threat, and the worst part is that you may not even be aware that your Mac is infected. As noted by Motherboard in 2017, some Macs have never had EFI updates available to patch this issue and others have never had the protective EFI updates installed – without a word of warning from their Macs. Part of this is due to the way Apple bundles EFI updates with macOS updates and doesn’t tell you if the EFI update installed correctly or not.

Duo Labs has released a free utility, EFIgy, that will report whether your Mac’s EFI firmware is up to date.

macOS 10.13 High Sierra has a feature that checks your Mac’s EFI weekly to see if it has been modified and alert you should that be the case. This should provide some protection against this type of attack in the future.

It’s All About EFI

This kind of attack is not limited to Macs, although any Mac with a Thunderbolt port is vulnerable to this type of attack. PCs with EFI firmware are also vulnerable to this kind of attack, but the CIA was looking for a way into Macs, which tend to be a more obscure target because of their lower market penetration and use of a BSD Unix-based operating system.


Keywords: #thunderstrike #thunderstrike2 #macmalware #thunderbolt #efifirmware #efiinfection #efimalware

Short link: