homeTech

Apple MacBook Virus Problems: Laptops Vulnerable to Virus That's Impossible To Remove?

WIKIMEDIA COMMONS

A virus that is virtually impossible to remove can be installed into Apple laptops using a malicious code on a tiny chip that is built into the computer, a security expert has revealed.

Trammel Hudson, who works for New York hedge fund Two Sigma Investments, said he found this out when his employer asked him to look into the security around Apple laptops.

"We were considering deploying MacBooks and I was asked to use my reverse engineering experience to look into the reports of rootkits on the Mac," Hudson said in an annotated version of a lecture he gave at the 31C3 conference, the Telegraph reported.

Hudson claimed he first dismantled one of the laptops to get access to the boot ROM, which is a small chip containing a code that gets the computer up-and-running when first switched on before the main operating system is even loaded.

He added that he was able to install a new code by circumventing security checks, which previous researchers said would render Apple laptops completely unusable should its ROM contents be modified.

The expert explained that security measures such as the one in Apple laptops that look for any changes and shuts down the machine if it finds them, were always "doomed to fail" and "futile" since anyone who can get access to the contents of the ROM can also get access to the code which checks the ROM for changes.

Unlike a normal virus that resides on the hard disk, he explained, the malicious code that is impossible to delete can be hidden in this ROM.

Hudson noted that replacing the entire hard disk of an infected Apple laptop cannot help delete the virus, according to the Telegraph.

Virtually impossible to remove, the security flaw that Hudson found leaves Apple users vulnerable to infection by malicious software that hackers could use to steal data.

Known as a bootkit attack, the malicious code can be made to do anything an attacker wishes – from covertly observing the user to leaking sensitive data held on the machine.

What is even more disturbing is an attack called Thunderstrike where the virus is virtually undetectable while the attacker gets access to the machine for mere moments.

"Given a few minutes alone with your laptop, Thunderstrike allows the boot ROM firmware to be replaced, regardless of firmware passwords or disk encryption. Thunderstrike in its current form has been effective against every MacBook Pro/Air/Retina with Thunderbolt that I've tested, which is most models since 2011," Hudson said.

Hudson also discovered that the attack could be made without physically taking the machine apart to get to the chip, simply by using the Thunderbolt port.

Theoretically any device such as a monitor, hard disk or printer could be used to install malicious code, just by plugging it in following simple steps, he claimed.

"Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords," Hudson said.

"It can't be removed by software since it controls the signing keys and update routines," he added, warning that reinstallation of OS X would not be able to delete it.

Hudson, who approached Apple upon the discovery in 2013, assured that the tech giant is rolling-out a "partial fix" or a firmware update that would stop the ROM being overwritten with malicious code.

He suggested that Apple should come up with an unchangeable hardware chip to resolve the security issue.