Security researcher Trammell Hudson has demonstrated a way to infect Macs with firmware malware that is virtually undetectable and, in his words, ‘can’t be removed.’
The attack, which he calls Thunderstrike, writes malicious code into the system’s boot ROM (the EFI firmware flash) by way of a malicious Thunderbolt device whose Option ROM is executed during boot.
“It turns out that the Thunderbolt port gives us a way to get code running when the system boots,” wrote Hudson. “Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run.”
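What the firmware actually does when it “asks attached devices” is read each PCIe device’s expansion ROM and walk the image headers defined by the PCI Firmware Specification: a 0x55 0xAA signature, a pointer at offset 0x18 to a “PCIR” data structure, and in that structure a code-type byte (0x03 means an EFI driver) and an indicator bit marking the last image. Because Thunderbolt tunnels PCIe, a Thunderbolt device’s Option ROM shows up exactly this way. The following parser is an added example, not Hudson’s code or any firmware’s implementation; it builds a constructed two-image ROM (the vendor and device IDs are made up) and picks out the EFI image that firmware would load.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PCI expansion ROM layout (PCI Firmware Specification 3.0): each image
 * starts with 0x55 0xAA; a 16-bit pointer at offset 0x18 locates the "PCIR"
 * data structure, whose code-type byte at 0x14 says what the image carries
 * (0x00 = x86 BIOS, 0x03 = EFI). Bit 7 of the indicator byte at 0x15
 * marks the last image in a multi-image ROM. */
#define PCIR_PTR_OFF  0x18
#define CODE_TYPE_X86 0x00
#define CODE_TYPE_EFI 0x03

struct rom_image {
    size_t   offset;     /* start of image within the ROM */
    size_t   length;     /* bytes, from the PCIR image-length field */
    uint16_t vendor_id;
    uint16_t device_id;
    uint8_t  code_type;
    int      is_last;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk a ROM and fill out[] with up to max images. Returns the number of
 * images found, or -1 if the ROM is malformed (bad signature, PCIR pointer
 * out of bounds, zero-length image, or image running past the end). */
int parse_option_rom(const uint8_t *rom, size_t len, struct rom_image *out, int max)
{
    size_t pos = 0;
    int n = 0;
    while (n < max) {
        if (pos + PCIR_PTR_OFF + 2 > len) return -1;
        const uint8_t *img = rom + pos;
        if (img[0] != 0x55 || img[1] != 0xAA) return -1;
        size_t pcir = rd16(img + PCIR_PTR_OFF);
        if (pcir + 0x18 > len - pos) return -1;          /* PCIR is 0x18 bytes */
        const uint8_t *p = img + pcir;
        if (memcmp(p, "PCIR", 4) != 0) return -1;
        size_t img_len = (size_t)rd16(p + 0x10) * 512;   /* length in 512-byte units */
        if (img_len == 0 || pos + img_len > len) return -1;
        out[n].offset    = pos;
        out[n].length    = img_len;
        out[n].vendor_id = rd16(p + 0x04);
        out[n].device_id = rd16(p + 0x06);
        out[n].code_type = p[0x14];
        out[n].is_last   = (p[0x15] & 0x80) != 0;
        n++;
        if (out[n - 1].is_last) break;
        pos += img_len;
    }
    return n;
}

/* Images of type 0x03 are the ones EFI firmware would load and run at boot. */
int count_efi_images(const struct rom_image *imgs, int n)
{
    int c = 0;
    for (int i = 0; i < n; i++) if (imgs[i].code_type == CODE_TYPE_EFI) c++;
    return c;
}

/* Constructed sample: a 512-byte legacy x86 image followed by a 512-byte EFI
 * image flagged as last. Vendor 0x1234 / device 0x5678 are made-up values. */
static uint8_t sample_rom[1024];
static struct rom_image sample_imgs[4];

int scan_sample(void)
{
    const uint8_t types[2] = { CODE_TYPE_X86, CODE_TYPE_EFI };
    const uint8_t last[2]  = { 0x00, 0x80 };
    memset(sample_rom, 0, sizeof sample_rom);
    for (int i = 0; i < 2; i++) {
        uint8_t *img = sample_rom + i * 512;
        img[0] = 0x55; img[1] = 0xAA;
        if (types[i] == CODE_TYPE_EFI) { img[4] = 0xF1; img[5] = 0x0E; } /* EFI signature 0x0EF1 */
        img[PCIR_PTR_OFF] = 0x1C; img[PCIR_PTR_OFF + 1] = 0x00;          /* PCIR at 0x1C */
        uint8_t *p = img + 0x1C;
        memcpy(p, "PCIR", 4);
        p[0x04] = 0x34; p[0x05] = 0x12;   /* vendor 0x1234 */
        p[0x06] = 0x78; p[0x07] = 0x56;   /* device 0x5678 */
        p[0x0A] = 0x18; p[0x0B] = 0x00;   /* PCIR length */
        p[0x10] = 0x01; p[0x11] = 0x00;   /* image length: 1 * 512 bytes */
        p[0x14] = types[i];
        p[0x15] = last[i];
    }
    return parse_option_rom(sample_rom, sizeof sample_rom, sample_imgs, 4);
}

int main(void)
{
    int n = scan_sample();
    for (int i = 0; i < n; i++)
        printf("image %d at 0x%zx: vendor %04x device %04x code type 0x%02x%s\n",
               i, sample_imgs[i].offset, sample_imgs[i].vendor_id, sample_imgs[i].device_id,
               sample_imgs[i].code_type, sample_imgs[i].code_type == CODE_TYPE_EFI ? " (EFI)" : "");
    return n < 0;
}
```

The bounds checks matter more than they look: a ROM image on an attacker-controlled device is untrusted input to the firmware, so a pointer or length field that walks off the end of the ROM is rejected rather than followed.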
“Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords,” Hudson said.
And once it is in the boot ROM, it is extremely hard to remove.
“It can’t be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won’t remove it. Replacing the SSD won’t remove it since there is nothing stored on the drive.”