While looking into the security of Apple notebooks for his employer Two Sigma Investments, security researcher Trammell Hudson discovered a way to infect Macs with malware that's virtually undetectable and extremely hard to remove. Hudson discovered the OS X firmware bootkit ROM can be infected by using a modified Apple gigabit Ethernet Thunderbolt adapter as an attack vector to get code running while the system boots.
The good news is someone needs physical access to your Mac to carry out the attack, but the bad news is that this type of malware is virtually undetectable and unremovable. Hudson points out that a reinstallation of OS X won't remove it and even replacing the SSD won't help because there is nothing stored on the drive.
Hudson claims every MacBook Pro/Air/Retina with a Thunderbolt port is vulnerable to the attack, but fortunately Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port.
After initially discovering that the Boot ROM could be tampered with if the notebook was physically dismantled to give access to the chip soldered onto the motherboard, he then refined this technique so the attack could be carried out via the system's Thunderbolt port.
"It turns out that the Thunderbolt port gives us a way to get code running when the system boots," Wrote Hudson. "Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run."
"The classic 'evil-maid' attacks also are feasible. Given a few minutes alone with your laptop, Thunderstrike allows the boot ROM firmware to be replaced, regardless of firmware passwords or disk encryption," explains Hudson. "So while you are getting breakfast at the hotel during a conference and leave the machine in your room and house-cleaning comes by to make up the bed, install the firmware backdoors, and replace the towels."