MacBook users are being warned about a new piece of malware dubbed Thunderstrike that can infect their devices using the Thunderbolt port.
US-based online security expert Trammell Hudson revealed the security hole at the Chaos Computer Congress (CCC) in Germany.
The rootkit malware can be loaded and installed onto the computer using Thunderbolt-enabled devices, writing custom code to a MacBook's boot ROM. It can also easily be transferred between machines using the port.
Hudson explained how sitting inside the computer's ROM, rather than the hard drive, means it can go undetected, allowing hackers access to a computer's confidential files without the user knowing.
He said: "For an attacker with sufficient Option ROM space, the job is done: put your payload in the device's ROM, pass a pointer to it to process firmware volume and it will be flashed for you.
"Option ROMs can circumvent flash security by triggering recovery mode boots with signed firmware and causing the untrusted code to be written to the ROM. And the attacker now controls the signing keys on future firmware updates, preventing any software attempts to remove them."
Although previous research into how malware can be used on Macs demonstrates the computer is more likely to be rendered useless when the ROM is rewritten using software, Hudson discovered this isn't the case with Thunderstrike. It could allow hackers to embed new codes to make it behave differently.
"Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords," Hudson said.
Apple is reportedly issuing a partial fix for the security hole, which will be rolled out as a firmware update.
