Story image

Apple's EFI firmware updates leave systems vulnerable

04 Oct 17

Apple’s pre-boot EFI firmware in many of its devices is causing concern amongst security researchers at Duo, who believe vulnerabilities aren’t even able to be fixed in many Mac products.

According to Rich Smith and Pepijn Bruienne, EFI is a specific type of firmware that operates in the pre-boot environment. It has mostly replaced legacy BIOS environments.

End users will not be aware that their EFI is being updated as the updates are generally bundled with new operating systems and security updates.

If attackers are able to penetrate the EFI, they may be able to bypass all security controls, including those inbuilt to the operating system and its applications. It can also be accomplished by stealth. Removing EFI attackers can also be notoriously difficult, as “installing a new OS or even replacing the hard disk entirely is not enough to dislodge them”.

Researchers say that SonicScrewdriver is one such tool that allows attackers to take advantage of EFI boot or rootkits.

Researchers analysed all Mac updates from version 10.10.0 to 10.12.6. Their task was to create a taxonomy of updates across both the OS and security updates so they could map the OS build and Mac model to what EFI it should have.

“There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running,” researchers state.

In other words, users would update their OS, but EFI updates weren’t part of that process. There were no notifications that they are running the wrong EFI firmware, which means users and their EFI continue to be vulnerable.

Many Macs receive regular EFI updates, others are only updated after vulnerabilities are found and many are not even updated at all.

“For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates. Further compounding this issue is the difficulty for end users to find out exactly which systems are receiving EFI updates (in a particular, an OS or security update) as well as which security issues a particular version of EFI may be vulnerable to,” researchers state.

They also point out that more recent security updates contain older EFI firmware than older security updates, suggesting that Apple’s quality assurance processes are not being strictly applied to its OS and security updates.

Researchers say that users should update to the latest version of EFI for their systems, and the latest version of the Mac operating systems. This may only apply to those who have machines capable of the upgrade.

“If you are running a version of macOS/OS X that is older than the latest major release (10.12 Sierra at the time of writing this blog post), then your EFI firmware may not have received the latest fixes for known EFI issues. Even though OS X 10.11 (El Capitan) and 10.10 (Yosemite) still receive security updates from Apple, the EFI firmware updates they receive appear to be lagging behind or are absent entirely.

Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version."

If you are running one of the 16 Mac models listed below, then our data indicates that your system won’t have received any EFI firmware updates at all:

If users find their machine can’t run current EFI firmware, the next biggest question is how at risk it is to vulnerabilities. For most home users, the risk is small as EFI attacks target high-value victims such as in the case of cyber espionage and nation-state attacks. However, that may well change as the threat landscape evolves.

For organisations, however, Duo suggests that they should retire machines that can’t update their EFIs, or move them to physically secure environments with controlled network access.

“While EFI attacks are currently considered both sophisticated and targeted, depending on the nature of the work your organization does and the value of the data you work with, it’s quite possible that EFI attacks fall within your threat model. In this regard, vulnerability to EFI security issues should carry the same weight as vulnerability to software security issues and you need to determine if you can accept the risk of having vulnerable (and potentially unpatchable) systems in your environment,” they conclude.

What MSPs can learn from Datto’s Channel Ransomware Report
While there have been less high profile attacks making the headlines, the frequency of attacks is, in fact, increasing.
Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
Kiwis losing $24.7mil to scam calls every year
The losses are almost five times higher compared to the same period last year, from reported losses alone.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why Australian enterprises are prime targets for malware attacks
"Only 14% of Australian organisations are continuously training employees to spot cyber attacks."
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
"Is this for real?" The reality of fraud against New Zealanders
Is this for real? More often than not these days it can be hard to tell, and it’s okay to be a bit suspicious, especially when it comes to fraud.