SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Apple's EFI firmware updates leave systems vulnerable
Wed, 4th Oct 2017
FYI, this story is more than a year old

Apple's pre-boot EFI firmware in many of its devices is causing concern amongst security researchers at Duo, who believe vulnerabilities aren't even able to be fixed in many Mac products.

According to Rich Smith and Pepijn Bruienne, EFI is a specific type of firmware that operates in the pre-boot environment. It has mostly replaced legacy BIOS environments.

End users will not be aware that their EFI is being updated as the updates are generally bundled with new operating systems and security updates.

If attackers are able to penetrate the EFI, they may be able to bypass all security controls, including those inbuilt to the operating system and its applications. It can also be accomplished by stealth. Removing EFI attackers can also be notoriously difficult, as “installing a new OS or even replacing the hard disk entirely is not enough to dislodge them”.

Researchers say that SonicScrewdriver is one such tool that allows attackers to take advantage of EFI boot or rootkits.

Researchers analysed all Mac updates from version 10.10.0 to 10.12.6. Their task was to create a taxonomy of updates across both the OS and security updates so they could map the OS build and Mac model to what EFI it should have.

“There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running,” researchers state.

In other words, users would update their OS, but EFI updates weren't part of that process. There were no notifications that they are running the wrong EFI firmware, which means users and their EFI continue to be vulnerable.

Many Macs receive regular EFI updates, others are only updated after vulnerabilities are found and many are not even updated at all.

“For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates. Further compounding this issue is the difficulty for end users to find out exactly which systems are receiving EFI updates (in a particular, an OS or security update) as well as which security issues a particular version of EFI may be vulnerable to,” researchers state.

They also point out that more recent security updates contain older EFI firmware than older security updates, suggesting that Apple's quality assurance processes are not being strictly applied to its OS and security updates.

Researchers say that users should update to the latest version of EFI for their systems, and the latest version of the Mac operating systems. This may only apply to those who have machines capable of the upgrade.

“If you are running a version of macOS/OS X that is older than the latest major release (10.12 Sierra at the time of writing this blog post), then your EFI firmware may not have received the latest fixes for known EFI issues. Even though OS X 10.11 (El Capitan) and 10.10 (Yosemite) still receive security updates from Apple, the EFI firmware updates they receive appear to be lagging behind or are absent entirely.

Even if you're running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you're running might not be the most up-to-date version."

If you are running one of the 16 Mac models listed below, then our data indicates that your system won't have received any EFI firmware updates at all:

If users find their machine can't run current EFI firmware, the next biggest question is how at risk it is to vulnerabilities. For most home users, the risk is small as EFI attacks target high-value victims such as in the case of cyber espionage and nation-state attacks. However, that may well change as the threat landscape evolves.

For organisations, however, Duo suggests that they should retire machines that can't update their EFIs, or move them to physically secure environments with controlled network access.

“While EFI attacks are currently considered both sophisticated and targeted, depending on the nature of the work your organization does and the value of the data you work with, it's quite possible that EFI attacks fall within your threat model. In this regard, vulnerability to EFI security issues should carry the same weight as vulnerability to software security issues and you need to determine if you can accept the risk of having vulnerable (and potentially unpatchable) systems in your environment,” they conclude.