Posted on September 30, 2017 at 1:56 PM
Certain failed pre-boot Extensible Firmware Interface (EFI) updates in the Apple Mac, could leave many devices vulnerable to attack.
Researchers from Duo Labs recently confirmed that a flaw in Apple Mac security updates could leave users vulnerable to cyber attacks, even if the user updated their device regularly.
Duo Lab researchers examined 73 000 different Mac systems and concluded that the Extensible Firmware Interface (EFI) in several popular Mac devices were vulnerable to sophisticated attacks and malicious firmware vulnerabilities. According to researchers, there was a high discrepancy between the EFI versions that were supposedly installed and the researchers expected to find running on Mac systems, and the EFI versions that were actually running.
The researchers from Duo Labs stated that this creates a situation where device admins and users correctly install the latest OS or security update, but for an unknown reason, the EFI is not updated. To make matters worse, device users and admins are not receiving notifications to inform them that the device is currently running an old or unexpected version of EFI firmware. This aspect means that often users will run an unexpected version of EFI, without their knowledge, which leaves their device vulnerable.
The security support provided for EFI firmware is dependent on the hardware model of the Mac. Certain Macs did receive regular expected EFI updates, while some were only updated after specific vulnerabilities were discovered. Some Macs have never had a single EFI update.
A Mac device’s EFI firmware is necessary for booting and controlling all functions of the hardware devices and systems. This helps the machine to go from powering up to booting an operating system successfully.
A firmware attack requires a high level of skills and sophistication, but it is not impossible. If a hacker does manage to attack the EFI firmware, it will give them a high level of access on the infected device. What makes an attack of this kind even more dangerous is that a compromised EFI firmware is difficult to detect by the average user. An attack of this kind is even more difficult to fix. Even wiping the entire hard disk will be insufficient to rectify this attack.
The different update systems create even more confusion, as some systems will be fully patched and up to date in terms of its software, but not in terms of its EFI firmware. This means that the software would be secure, but the firmware would remain vulnerable.
The EFI vulnerabilities have been acknowledged by Apple and addressed in the form of patches. However, despite the patches, there are still certain models of Macs running certain versions of OS that still received no EFI updates and only received software updates.
EFI attacks are attractive from a hacker’s point of view. According to Pepijn Bruienne, a research and development engineer at Duo Security, an EFI attack provides high-level access. In addition, they are also persistent and more often than not, escape the attention of the user.
The sophistication involved would make this a hacking resource for a serious hacker. Attacks of this kind are not mere casual hacks, but more in line with industrial espionage or nation-state type attacks.
An attack which targets unpatched EFI firmware is likely to target individuals who handle sensitive information on a daily basis or individuals who have a high-level security clearance within their company. An attack of this kind will leave Mac systems vulnerable to attacks such as Thunderstrike, a vulnerability that enables malware to be injected into unprotected Mach via the Thunderbolt port.
Since Apple released security patches more than two years ago, it is understandable that most users considered themselves protected against attacks.
Researchers recommended that all users should update their Mac OS to the latest version of OS 10.12.6. This version provides patches for both firmware and software.