It has come to light that in November last year, Apple acquired a security consultancy firm named LegbaCore. Trammell Hudson, a security researcher, revealed this in December at the 32C3 conference. The acquisition was confirmed by Xeno Kovah through Twitter and by an announcement on the company website, which states that the firm will not be accepting any new customer engagements and that the website will remain up “to serve as a reference for LegbaCore’s past work”. Kovah and fellow founder Corey Kallenberg became Apple employees last November.
Together, Trammell Hudson and Xeno Kovah discovered the first worm that affects Macs. Thunderstrike 2 is able to remotely access a device through the web or an e-mail. Once it finds refuge on a Mac system, it begins to propagate to other Macs by hiding in the ROM of peripheral devices such as Apple’s Thunderbolt to Gigabit Ethernet adapter, external SSDs, RAID controllers, etc. An infected peripheral then spreads the infection onward to other systems that connect through it. Thunderstrike 2 can remain hidden because it doesn’t touch your Mac’s operating system or file system at all.
Because it lives only in the firmware, scanners can’t detect it, so you’ll never know whether your Mac is infected or not. Being housed in the firmware, the worm can survive and keep propagating even after your entire operating system is wiped. LegbaCore brought the problem to Apple’s attention so that the company could begin work on patches.
While the problem was being discussed, the Cupertino-based company, impressed with the work presented to it, showed interest in acquiring the firm. “As we were having discussions with Apple in the wake of our presentation this summer,” Kovah tweeted, “it became clear that Apple had some ‘very’ interesting and highly impactful work that we could participate in.”
Since LegbaCore is merely a security consultancy firm and doesn’t develop any specific technology, it is evident that the expertise of the founders is what interests Apple. In the future, Apple could place them on projects to enhance software and firmware security across a range of devices.