Security study finds old or improperly updated Macs in limited danger from EFI attack vectors

Duo Security performed an analysis of 73,000 "real-world" Mac systems spanning assorted businesses — and no home users — to gather the data about firmware, and EFI revisions. In general, the company found that the newer the operating system, the more up-to-date the hardware firmware was — with some notable exceptions.

EFI stands for Extensible Firmware Interface. On the Mac, the EFI controls the boot process — and any very specifically designed malware lodged in there is not easily removable. The "Vault 9" documents leaks from the CIA and NSA showed interest in compromising the Mac's EFI, and the "Thunderstrike" vectors utilize the space for a persistent infection of an attacked device.

The company found a "surprisingly high level of discrepancy" between EFI versions that they expected to find on the surveyed Macs, and the versions actually running. Out of 73,324 Macs examined, 4.2 percent were running firmware that did not match the expected versions. The late 2015 21.5-inch iMac was an outlier, with 941 out of 2190 systems on the wrong version.

Users running macOS 10.12 Sierra had an average rate of deviance at 10 percent. El Capitan and Yosemite users saw 3.4 percent, and 2.1 percent, respectively.

Why the afflicted machines were not running the most recent firmware update is not clear, with Duo saying that the discovery raises questions about quality assurance, and transparency, of firmware component installation.

One possibility is software update being performed over Target Disk Mode — which would update the Mac's system software, but not the firmware. Another is utilizing drive cloning software to update a machine, with the computer booting from an external volume and restoring a cloned volume to perform the update.

Some older Macs have not received EFI updates at all — specifically the 2009 and earlier iMac, MacBook, MacBook Air, and MacBook Pro. All of the tower Mac Pro models are also un-patched.

Both the CIA's "Sonic Screwdriver" and the "Thunderstrike" attacks require physical access to the device at some point. In a home environment, this is less likely than in a corporate one.

For its part, Apple seems unconcerned about the findings, and has implemented firmware and EFI checks in High Sierra.

"We appreciate Duo's work on this industry-wide issue and noting Apple's leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we're always exploring ways to make our systems even more secure," Apple said in a statement to Ars Technica, who spotted the study on Friday. "In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly."

After discovery of the "Thunderstrike" attack vector using the Thunderbolt bus to over-write EFI in 2015, Apple started bundling firmware updates within macOS. This, and some hardware revisions, eliminated the need for users to perform a special boot process to update firmware.

Not a dire situation, nor specific to Apple

The Mac was used as a platform because of Apple's control of the entire stack, encompassing all hardware, software, and firmware. It notes that the situation is likely worse on the Windows side, with the wide variety of vendors and firmware able to be assaulted — and no guarantees of any patches, nor any easy, uniform, way to do so by users.

Most Mac users have a low risk profile, or are unlikely to be targeted by such a specific attack.

"Attacks against EFI have so far been part of the toolkit used by sophisticated adversaries who have specific high value targets in their sights," wrote Duo. "Such adversaries are often spoken about in the same breath as nation state attacks and industrial espionage."

Duo notes that continuing to use a current system will "not result in a severe increase in risk due to the very nature of EFI attacks themselves."

Duo suggests that Mac system administrators use the Apple-provided combo OS update, instead of delta updates — and to not use restore images to update machines even though it may be quicker. Additionally, as a general rule of thumb, Duo suggests that users stay up-to-date with OS revisions.