If you think Apple computers are safer than their Windows-powered cousins, think again.
Security researchers say they’ve crafted a computer worm that can burrow deep inside Mac computers, beyond the scrutiny of anti-virus scanners. From there, it can spread between devices that are not networked by hitching a ride on a Thunderbolt Ethernet adapter, writing itself into a machine’s firmware and remaining undetected.
The vicious worm, dubbed Thunderstrike 2, can even evade a whole system reboot.
“For most users that’s really a throw-your-machine-away kind of situation,” said Xeno Kovah, the head of security startup LegbaCore, who discovered the vulnerabilities and helped create the proof-of-concept worm, in an interview with Wired. “Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”
The research builds on work that Kovah and his associate Corey Kallenberg undertook last year. At the time, the team identified several vulnerabilities in the firmware of Dell, Lenovo, Samsung, and HP PCs.
In the latest probe, Kovah partnered with Trammell Hudson, a security engineer at investment management firm Two Sigma Investments. They found five-in-six of those previously uncovered bugs applied to Macs as well. The flaws are more pervasive than previously thought since many hardware makers share firmware code.
Unnervingly, the worm can be transmitted via unassuming computer accessories, like the aforementioned Ethernet adapter. That makes this attack a potential vector for compromising air-gapped computers, which are usually considered more secure.
“People are unaware that these small cheap devices can actually infect their firmware,” Kovah said. “If people don’t have awareness that attacks can be happening at this level then they’re going to have their guard down and an attack will be able to completely subvert their system.”
According to Wired, most of the bugs remain unfixed. Apple has “fully patched one and partially patched the other. But three of the vulnerabilities remain unpatched,” writes Wired’s Kim Zetter. Apple did not immediately respond to Fortune‘s request for comment.