Thousands of Apple Macs vulnerable to un-patched firmware, regardless of operating system patching levels. The security firm Duo Labs recently set out to study the security of Mac firmware, more specifically the EFI (Extensible Firmware Interface) in Macs for the past three years. Think of EFI as the modern BIOS (Basic Input / Output System) manages the boot process of a computer system as well as communications between the operating system and other devices such as video, keyboard, printers, and mice.
Firmware vulnerabilities and attacks are of a particular concern because successful attacks provide attackers an extraordinary level of privilege because the firmware runs below the operating system and even hypervisors. This makes it easier for attackers to bypass security countermeasures. Essentially you want to keep the firmware up to date and secure and avoid it being compromised.
As Rich Smith and Pepijn Bruienne wrote in their blog post, in addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove - installing a new OS or even replacing the hard disk entirely is not enough to dislodge them,” they wrote.
Which is why Duo Labs’ research is concerning. Their research focused on how Apple manages the EFI firmware security for its Mac hardware. Duo Labs analyzed all Mac updates for the previous three years (versions 10.10.0 - 10.12.6), and they gathered the system metadata on 73,000 Macs running in-the-wild. “Once we had these two datasets, we analyzed them both independently and comparatively to explore the questions we had about the level of security support being afforded to a Mac’s EFI environment,” the team wrote.
What Duo Security found is that there are systems running in the wild where one would expect the EFI to have been updated, but aren’t, as well as the EFI security mac hardware varies. “There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running. This creates the situation where admins and users have installed the latest OS or security update, but for some reason, the EFI was not updated. Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware. This means that users and admins are often blind to the fact that their system’s EFI may continue to be vulnerable,” the team wrote.
This isn’t good, and even knowledgeable users may assume that Apple would notify them when a firmware update is needed. But not only this, the amount of firmware support varies greatly from Apple Mac to Apple Mac. “The security support provided for EFI firmware depends on the hardware model of Mac. Some Macs have received regular EFI updates, some have only been updated after particular vulnerabilities have been discovered, others have never seen an update to their EFI,” they wrote.
Furthermore, the operating system a Mac is running would impact the firmware update. “The security support provided for EFI firmware also depends on the version of the OS a system is running. A Mac model running OS X 10.11 can receive distinctly different updates to its EFI than the same Mac model running MacOS 10.12. This creates the confusing situation where a system is fully patched and up to date with respect to its software, but is not fully patched with respect to its EFI firmware - we called this software secure but firmware vulnerable,” the wrote.
What does this mean for Apple Mac users? Duo Labs provided the following recommendations, and released some tools to help:
- Check if you’re running the latest version of EFI for your system. As part of their research, Duo provided some new tools to help. You can find more about them and how to use them here.
- If possible, update to the latest version of the OS 10.12.6. This will not only give you the latest versions of EFI firmware released by Apple, but also make sure you’re patched against known software security issues as well.
- If you’re not able to update to version 10.12.6 either because your hardware is not able to run it, or because you need to run an older version for software compatibility reasons, you may be out of luck and not be able to run the most up-to-date EFI firmware
- Check if you’re running a Mac that is on the list of hardware that hasn’t received an EFI update. If it is, you may be out of luck and not able to run up-to-date EFI firmware
- If you’re not able to run up-to-date EFI firmware for one reason or another, use Duo recommends to you us their tool, EFIgy, to inform yourself whether your current version of EFI is exposed to a known EFI vulnerability.