A new study postulates that Apple's lack of transparency about firmware updates could be lulling users and system administrators into a false sense of security — but the situation on Windows computers is far worse, and an attack focusing on EFI modification needs to be highly focused and specifically targeted.
Duo Security performed an analysis of 73,000 "real-world" Mac systems spanning assorted businesses — and no home users — to gather data about firmware and EFI revisions. In general, the company found that the newer the operating system, the more up-to-date the hardware firmware was — with some notable exceptions.
EFI stands for Extensible Firmware Interface. On the Mac, the EFI controls the boot process — and any very specifically designed malware lodged in there is not easily removable. The "Vault 9" document leaks from the CIA and NSA showed interest in compromising the Mac's EFI, and the "Thunderstrike" vectors utilize the space for a persistent infection of an attacked device.
The company found a "surprisingly high level of discrepancy" between EFI versions that they expected to find on the surveyed Macs, and the versions actually running. Out of 73,324 Macs examined, 4.2 percent were running firmware that did not match the expected versions. The late 2015 21.5-inch iMac was an outlier, with 941 out of 2190 systems on the wrong version.
Users running macOS 10.12 Sierra had an average rate of deviance at 10 percent. El Capitan and Yosemite users saw 3.4 percent, and 2.1 percent, respectively.
Why the afflicted machines were not running the most recent firmware update is not clear, with Duo saying that the discovery raises questions about quality assurance, and transparency, of firmware component installation.
One possibility is a software update being performed over Target Disk Mode — which would update the Mac's system software, but not the firmware. Another is the use of drive cloning software to update a machine, with the computer booting from an external volume and restoring a cloned volume to perform the update.
Some older Macs have not received EFI updates at all — specifically the 2009 and earlier iMac, MacBook, MacBook Air, and MacBook Pro. All of the tower Mac Pro models are also un-patched.
Both the CIA's "Sonic Screwdriver" and the "Thunderstrike" attacks require physical access to the device at some point. In a home environment, this is less likely than in a corporate one.
For its part, Apple seems unconcerned about the findings, and has implemented firmware and EFI checks in High Sierra.
"We appreciate Duo's work on this industry-wide issue and noting Apple's leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we're always exploring ways to make our systems even more secure," Apple said in a statement to Ars Technica, who spotted the study on Friday. "In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly."
After discovery of the "Thunderstrike" attack vector using the Thunderbolt bus to over-write EFI in 2015, Apple started bundling firmware updates within macOS. This, and some hardware revisions, eliminated the need for users to perform a special boot process to update firmware.
Not a dire situation, nor specific to Apple
Duo used the Mac as the platform for the study because of Apple's control of the entire stack, encompassing all hardware, software, and firmware. Duo notes that the situation is likely worse on the Windows side, with the wide variety of vendors and firmware able to be assaulted — and no guarantees of any patches, nor any easy, uniform way for users to apply them.
Most Mac users have a low risk profile, or are unlikely to be targeted by such a specific attack.
"Attacks against EFI have so far been part of the toolkit used by sophisticated adversaries who have specific high value targets in their sights," wrote Duo. "Such adversaries are often spoken about in the same breath as nation state attacks and industrial espionage."
Duo notes that continuing to use a current system will "not result in a severe increase in risk due to the very nature of EFI attacks themselves."
Duo suggests that Mac system administrators use the Apple-provided combo OS update instead of delta updates — and that they not use restore images to update machines, even though it may be quicker. Additionally, as a general rule of thumb, Duo suggests that users stay up-to-date with OS revisions.
8 Comments
Headline: Mac users are DOOMED!
Last paragraphs: Not really, don’t worry about it, you’re okay.
Which part of the article will be the most disseminated, most talked about, most argued, most used as a sledgehammer against the company? Do I even have to ask?
I kept reading (most of it) but after seeing only business systems were checked, I didn't pay too much attention. As the article mentions, systems that use Target Disk mode (or any other type of imaging system that simply copies data only the disk instead of having Apple's update servers check for firmware updates) are at risk. I don't remember if the desktop support staff that handled out OSX images included any way to update the firmware or not.
I searched Apple's website and only found this article, which has been archived: https://support.apple.com/en-us/HT201518 Latest device mentioned is a mid 2014 Mac. I also read High Sierra automatically checks EFI firmware weekly. I don't know if Sierra does this.
The moral of this story is business systems that don't allow access to Apple's servers will not have this automatic monitoring and will, therefore, be vulnerable to EFI attacks. I just hope the MDM software will have the ability to do some of this monitoring or our government and enterprise Mac systems will be open targets for the NSA and others.