Story image

Apple's EFI firmware updates leave systems vulnerable

04 Oct 2017

Apple’s pre-boot EFI firmware in many of its devices is causing concern amongst security researchers at Duo, who believe vulnerabilities aren’t even able to be fixed in many Mac products.

According to Rich Smith and Pepijn Bruienne, EFI is a specific type of firmware that operates in the pre-boot environment. It has mostly replaced legacy BIOS environments.

End users will not be aware that their EFI is being updated as the updates are generally bundled with new operating systems and security updates.

If attackers are able to penetrate the EFI, they may be able to bypass all security controls, including those inbuilt to the operating system and its applications. It can also be accomplished by stealth. Removing EFI attackers can also be notoriously difficult, as “installing a new OS or even replacing the hard disk entirely is not enough to dislodge them”.

Researchers say that SonicScrewdriver is one such tool that allows attackers to take advantage of EFI boot or rootkits.

Researchers analysed all Mac updates from version 10.10.0 to 10.12.6. Their task was to create a taxonomy of updates across both the OS and security updates so they could map the OS build and Mac model to what EFI it should have.

“There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running,” researchers state.

In other words, users would update their OS, but EFI updates weren’t part of that process. There were no notifications that they are running the wrong EFI firmware, which means users and their EFI continue to be vulnerable.

Many Macs receive regular EFI updates, others are only updated after vulnerabilities are found and many are not even updated at all.

“For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates. Further compounding this issue is the difficulty for end users to find out exactly which systems are receiving EFI updates (in a particular, an OS or security update) as well as which security issues a particular version of EFI may be vulnerable to,” researchers state.

They also point out that more recent security updates contain older EFI firmware than older security updates, suggesting that Apple’s quality assurance processes are not being strictly applied to its OS and security updates.

Researchers say that users should update to the latest version of EFI for their systems, and the latest version of the Mac operating systems. This may only apply to those who have machines capable of the upgrade.

“If you are running a version of macOS/OS X that is older than the latest major release (10.12 Sierra at the time of writing this blog post), then your EFI firmware may not have received the latest fixes for known EFI issues. Even though OS X 10.11 (El Capitan) and 10.10 (Yosemite) still receive security updates from Apple, the EFI firmware updates they receive appear to be lagging behind or are absent entirely.

Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version."

If you are running one of the 16 Mac models listed below, then our data indicates that your system won’t have received any EFI firmware updates at all:

If users find their machine can’t run current EFI firmware, the next biggest question is how at risk it is to vulnerabilities. For most home users, the risk is small as EFI attacks target high-value victims such as in the case of cyber espionage and nation-state attacks. However, that may well change as the threat landscape evolves.

For organisations, however, Duo suggests that they should retire machines that can’t update their EFIs, or move them to physically secure environments with controlled network access.

“While EFI attacks are currently considered both sophisticated and targeted, depending on the nature of the work your organization does and the value of the data you work with, it’s quite possible that EFI attacks fall within your threat model. In this regard, vulnerability to EFI security issues should carry the same weight as vulnerability to software security issues and you need to determine if you can accept the risk of having vulnerable (and potentially unpatchable) systems in your environment,” they conclude.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.