Is your Mac software secure but firmware vulnerable?

Mac users who have updated to the latest OS version or have downloaded and implemented the most recent security update may not be as secure as they originally thought, Duo Security researchers have found.


That’s because many of them did not receive the newest firmware along with OS and software updates.

Why is keeping your firmware up-to-date important?

EFI firmware (Intel’s implementation of the Unified Extensible Firmware Interface – UEFI) is present on all Macs. It bridges the system’s hardware, firmware and OS so that the machine can go from power-on to booting the operating system.

Known attacks against vulnerable EFI firmware include Thunderstrike 1, Thunderstrike 2, Sonic Screwdriver, and Direct Memory Access.

“In a modern system, the EFI environment holds particular fascination for security researchers and attackers due to the level of privilege it affords if compromise is successful,” the researchers explained.

“EFI is often talked about as operating at privilege level ring -2, which indicates it is operating at a lower level than both the OS (ring 0) and hypervisors (ring -1). In a nutshell, this means that attacking at the EFI layer gives you control of a system at a level that allows you to circumvent security controls put in place at higher levels, including the security mechanisms of the OS and applications.”

What’s more, once a system has been compromised in this way, it is difficult to clean: even wiping the hard disk completely would not remove this kind of compromise, they pointed out.

Research findings

The researchers have spent the last few months analyzing over 73,000 Mac systems deployed in organizations across a number of industry verticals, and found that 4.2% were running versions of firmware that did not match the versions they would expect, which could leave those systems open to publicly disclosed vulnerabilities.

“The level of discrepancy increased significantly above the mean for certain Mac models, with the highest being 43.0% for the iMac 21.5” late 2015 model where 941 out of 2190 real world systems were running incorrect versions of EFI firmware,” they noted.

“The size of this discrepancy is somewhat surprising, given that the latest version of EFI firmware should be automatically installed alongside the OS updates. As such, only under extraordinary circumstances should the running EFI version not correspond to the EFI version released with the running OS version.”

Apple began releasing EFI updates bundled with OS and security updates in 2015. The security support provided for EFI firmware depends on the hardware model of a Mac, as well as on the version of the OS a system is running. In theory, all machines should automatically be receiving the latest EFI updates, but this research has shown that the process is not foolproof.

“The sheer number of affected systems alongside the manner in which they cluster depending on OS and hardware version gives us confidence that the anomalies are not purely a result of user error on the part of system owners and it is, in fact, reflective of some kind of failure in the way EFI firmware updates are installed,” they noted. “Not every method of updating OS X/macOS is equivalent and some methods are seemingly not able to update the EFI firmware.”

Unfortunately, users and administrators are not notified if the EFI update process fails. “Compounding this issue further is that without manually carving up an OS update package and knowing the undocumented commands you have to run to update an EFI firmware image, there is no official way to update the EFI image without a full reinstall of the OS update,” they added.

What can you do?

Rich Smith, Director of R&D at Duo Security, advises Mac users and admins to check if they’re running the latest version of EFI for their system(s). They can do so by using EFIgy, a free open-source tool soon to be made available by the company.

He also advises updating to macOS 10.12.6 or later. “This will not only give you the latest versions of EFI firmware released by Apple, but also make sure you’re patched against known software security issues as well,” he pointed out.

If, for hardware reasons, you can’t do that, you may be out of luck and not be able to run the most up-to-date EFI firmware. In that case, you should consider using EFIgy to check whether your current version of EFI is exposed to a currently known EFI vulnerability (this functionality will be released soon, Smith says).
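A fleet-style version check in the spirit of the advice above, added here as an example; it is not Duo’s EFIgy tool and not code from the original article. It parses the “Boot ROM Version” and “Model Identifier” that `system_profiler SPHardwareDataType` reports on a Mac and compares the version with a baseline you maintain; every version string below is a constructed placeholder, not a real Apple firmware version.

```shell
#!/bin/sh
# Added example, not Duo's EFIgy: compare the EFI ("Boot ROM") version a Mac
# reports with the version you expect for that model, as a fleet check would.
# All version strings below are constructed placeholders, not real Apple
# firmware versions; fill the baseline from the versions Apple ships.

# Baseline you maintain: "<Model Identifier> <expected EFI version>" per line.
BASELINE='iMac16,2 PLACEHOLDER_EXPECTED_IM162
MacBookPro11,4 PLACEHOLDER_EXPECTED_MBP114'

# Constructed stand-in for `system_profiler SPHardwareDataType` output.
SAMPLE_REPORT='Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac16,2
      Boot ROM Version: PLACEHOLDER_STALE_IM162
      SMC Version (system): PLACEHOLDER_SMC'

# Read a system_profiler hardware report on stdin; print "<model>|<boot rom>".
parse_hw_report() {
    awk -F': *' '
        /Model Identifier:/ { model = $2 }
        /Boot ROM Version:/ { rom = $2 }
        END { print model "|" rom }
    '
}

# Compare the reported version with the baseline.
# Exit status: 0 = matches, 1 = mismatch (possible failed EFI update),
# 2 = model not in baseline (cannot judge).
check_efi_version() {
    model=$1; actual=$2
    expected=$(printf '%s\n' "$BASELINE" | awk -v m="$model" '$1 == m { print $2 }')
    if [ -z "$expected" ]; then
        echo "UNKNOWN: $model is not in the baseline"; return 2
    elif [ "$expected" = "$actual" ]; then
        echo "OK: $model runs expected EFI $actual"; return 0
    else
        echo "MISMATCH: $model runs $actual, expected $expected"; return 1
    fi
}

# Live use on a Mac: system_profiler SPHardwareDataType | parse_hw_report
# The offline demo below uses the constructed report instead.
parsed=$(printf '%s\n' "$SAMPLE_REPORT" | parse_hw_report)
check_efi_version "${parsed%%|*}" "${parsed#*|}" || true
```

A MISMATCH verdict is the signal the article says users never get from the updater itself, so it is the line worth alerting on in an inventory job.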

“As these attacks are ones that are used by sophisticated adversaries, it is important to understand whether you or your organisation is one that includes this kind of adversary in your threat model. If you do consider advanced attacks to be something you proactively protect against, then it’s well worth considering how a system with a compromised EFI could impact your environment, as well as how you would be able to attest to the integrity of the EFI firmware of your Macs. In many situations, answers to those questions would be ‘badly’ and ‘we probably wouldn’t be able to,’” he noted.

“In those situations, it would be well worth considering replacing Macs that cannot have updated EFI firmware applied, or moving them into roles where they are not exposed to EFI attacks (physically secure, controlled network access). While EFI attacks are currently considered both sophisticated and targeted, depending on the nature of the work your organization does and the value of the data you work with, it’s quite possible that EFI attacks fall within your threat model. In this regard, vulnerability to EFI security issues should carry the same weight as vulnerability to software security issues. You’ll need to determine if you can accept the risk of having vulnerable (and potentially unpatchable) systems in your environment. In general we would not advocate for the average user to throw away their Mac because their EFI environment is not being security supported by Apple.”

The whitepaper detailing the research also includes a granular breakdown of the Mac systems running unexpected firmware versions, as well as a list of models that received no EFI updates between OS versions 10.10.0 and 10.12.6.

What is Apple doing about this?

The researchers shared their findings with Apple, gave them previews of the paper and made the raw data available to them.

“Interactions with Apple have been very positive and they seemed to genuinely appreciate the work and agreed with our methodologies, findings and conclusions,” Smith told Help Net Security.

“Despite the issues we found, we truly believe that Apple is leading the way in terms of taking EFI security seriously. They have continued to take steps forward with the release of macOS 10.13 (High Sierra). They have a world class firmware security team and we are excited to see the new security approaches they will take in future to keep the EFI environment even more secure.”