Story image

Apple's EFI firmware updates leave systems vulnerable

04 Oct 2017

Apple’s pre-boot EFI firmware in many of its devices is causing concern amongst security researchers at Duo, who believe vulnerabilities aren’t even able to be fixed in many Mac products.

According to Rich Smith and Pepijn Bruienne, EFI is a specific type of firmware that operates in the pre-boot environment. It has mostly replaced legacy BIOS environments.

End users will not be aware that their EFI is being updated as the updates are generally bundled with new operating systems and security updates.

If attackers are able to penetrate the EFI, they may be able to bypass all security controls, including those inbuilt to the operating system and its applications. It can also be accomplished by stealth. Removing EFI attackers can also be notoriously difficult, as “installing a new OS or even replacing the hard disk entirely is not enough to dislodge them”.

Researchers say that SonicScrewdriver is one such tool that allows attackers to take advantage of EFI boot or rootkits.

Researchers analysed all Mac updates from version 10.10.0 to 10.12.6. Their task was to create a taxonomy of updates across both the OS and security updates so they could map the OS build and Mac model to what EFI it should have.

“There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running,” researchers state.

In other words, users would update their OS, but EFI updates weren’t part of that process. There were no notifications that they are running the wrong EFI firmware, which means users and their EFI continue to be vulnerable.

Many Macs receive regular EFI updates, others are only updated after vulnerabilities are found and many are not even updated at all.

“For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates. Further compounding this issue is the difficulty for end users to find out exactly which systems are receiving EFI updates (in a particular, an OS or security update) as well as which security issues a particular version of EFI may be vulnerable to,” researchers state.

They also point out that more recent security updates contain older EFI firmware than older security updates, suggesting that Apple’s quality assurance processes are not being strictly applied to its OS and security updates.

Researchers say that users should update to the latest version of EFI for their systems, and the latest version of the Mac operating systems. This may only apply to those who have machines capable of the upgrade.

“If you are running a version of macOS/OS X that is older than the latest major release (10.12 Sierra at the time of writing this blog post), then your EFI firmware may not have received the latest fixes for known EFI issues. Even though OS X 10.11 (El Capitan) and 10.10 (Yosemite) still receive security updates from Apple, the EFI firmware updates they receive appear to be lagging behind or are absent entirely.

Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version."

If you are running one of the 16 Mac models listed below, then our data indicates that your system won’t have received any EFI firmware updates at all:

If users find their machine can’t run current EFI firmware, the next biggest question is how at risk it is to vulnerabilities. For most home users, the risk is small as EFI attacks target high-value victims such as in the case of cyber espionage and nation-state attacks. However, that may well change as the threat landscape evolves.

For organisations, however, Duo suggests that they should retire machines that can’t update their EFIs, or move them to physically secure environments with controlled network access.

“While EFI attacks are currently considered both sophisticated and targeted, depending on the nature of the work your organization does and the value of the data you work with, it’s quite possible that EFI attacks fall within your threat model. In this regard, vulnerability to EFI security issues should carry the same weight as vulnerability to software security issues and you need to determine if you can accept the risk of having vulnerable (and potentially unpatchable) systems in your environment,” they conclude.

Partnership brings AI maths tutor to NZ schools
“AMY can understand why students make a mistake, and then teach them what they need straight away so they don't get stuck."
Polycom & Plantronics rebrand to Poly, a new UC powerhouse
The name change comes after last year’s Plantronics acquisition of Polycom, a deal that was worth US $2 billion.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
VoiP new-comer upgraded and ready to take on NZ
UFONE is an Auckland-based VoIP provider that has just completed a massive upgrade of its back-end and is ready to take on the market.
Online attackers abusing Kiwis' generosity in wake of Chch tragedy
It doesn’t take some people long to abuse people’s kindness and generosity in a time of mourning.
Apple launches revamped iPad Air & iPad mini
Apple loves tinkering with its existing product lines and coming up with new ways to make things more powerful – and both the iPad Air and iPad mini seem to be no exception.
IntegrationWorks continues expansion with new Brisbane office
The company’s new office space at the Riverside Centre overlooks the Brisbane River and Storey Bridge.