Duo Security spots Mac EFI issues

Security vendor Duo Security has warned that Apple Mac users are at risk of targeted and stealthy attacks. What will concern Apple customers is that the risk is not from third-party applications. It is caused by what Duo Security is calling a: “systemic issue that leaves Apple Mac computers susceptible to exceptionally targeted and stealthy attacks.”

Rich Smith, Duo Director of Research and Development

This is also not a problem that only affects users with outdated Mac software; it also affects users running the latest version of macOS. The news breaks just a day after Apple was forced to issue a patch for its recent iOS 11 release. That patch also contained fixes for other vulnerabilities in iOS and rated a mention on the US-CERT website.

Rich Smith, Duo Director of Research and Development, said: “Firmware is an often overlooked yet vital component of a system's security structure. The sophisticated and targeted nature of firmware attacks should be of particular concern to those who have higher security clearance or access to sensitive information at their respective organizations.

“The worst possible state for users is to be under the assumption that they are secure after updating their system, when in fact, their actual security posture is very different than what they believe it to be.”

What is the problem with EFI and Apple Mac computers?

After analysing 73,000 different Mac systems, Duo Security discovered a major flaw in Apple’s patch process. While computers were downloading the patches issued by Apple, not all of those patches were being applied. Further investigation showed that this was not a user problem or something being blocked by malware. Instead, the issue was caused by Apple itself.

In 2015 Apple began bundling software and firmware updates. It was a sensible move as it ensured that devices got all the available updates. Duo Security claims it has now looked at all Apple EFI updates over the last three years. It discovered five major issues:

  • Users running a version of macOS/OS X that is older than the latest major release (High Sierra) likely have EFI firmware that has not received the latest fixes for known EFI issues. This means these systems can be software secure but firmware vulnerable.
  • On average, 4.2% of real-world Macs used in the production environments analyzed are running an EFI firmware version that's different from what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version.
  • At least 16 models of Mac computers have never received any EFI firmware updates. The 21.5-inch iMac, released in late 2015, has the highest occurrence of incorrect EFI firmware, with 43% of sampled systems running incorrect versions.
  • 47 models capable of running 10.12, 10.11 or 10.10 did not have an EFI firmware patch addressing the Thunderstrike 1 vulnerability, while 31 models capable of running the same releases did not have an EFI firmware patch addressing the remote version of the vulnerability, Thunderstrike 2.
  • Two recent security updates issued by Apple (Security Update 2017-001 for 10.10 and 10.11) shipped with the wrong firmware in the update. This would indicate a regression or a lag in quality assurance.

What is EFI?

EFI, or Extensible Firmware Interface, is a standard introduced by Intel to control what happens when a computer boots. It was introduced to improve on and extend the Basic Input/Output System (BIOS) of a computer. One of its goals was to improve security by preventing hardware drivers from being overwritten with infected versions. Hardware drivers are highly privileged pieces of code: if they can be taken over by attackers, the attackers often have complete control of the computer.

Duo Security has released a white paper giving much more detail about this issue. It can be downloaded from their website (no registration required). Duo also says that companies using Mac computers should compare the Mac systems they have against the list of models outlined in the white paper. This will provide an indicator of their risk and exposure to attack.

The list of models Duo Security says are affected includes:

Mac Model      Model identifiers
iMac           iMac7,1; iMac8,1; iMac9,1; iMac10,1
MacBook        MacBook5,1; MacBook5,2
MacBook Air    MacBookAir2,1
MacBook Pro    MacBookPro3,1; MacBookPro4,1; MacBookPro5,1; MacBookPro5,2; MacBookPro5,3; MacBookPro5,4
Mac Pro        MacPro3,1; MacPro4,1; MacPro5,1
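One way to carry out the comparison Duo recommends, as an added example that is not part of the article or of Duo's own tooling: parse the "Model Identifier" and "Boot ROM Version" fields that `system_profiler SPHardwareDataType` prints on a Mac, flag models from the never-updated list above, and compare the Boot ROM (EFI) version against the version expected for that model. The expected-version map and the sample profiler output are constructed placeholders; real expected versions would come from the white paper or Apple's EFI release data.

```python
"""Inventory check: flag Macs whose EFI (Boot ROM) version does not match the
version expected for their model, or whose model never received an EFI update."""
import re

# Models the article lists as never having received an EFI firmware update.
NEVER_UPDATED = {
    "iMac7,1", "iMac8,1", "iMac9,1", "iMac10,1",
    "MacBook5,1", "MacBook5,2",
    "MacBookAir2,1",
    "MacBookPro3,1", "MacBookPro4,1", "MacBookPro5,1",
    "MacBookPro5,2", "MacBookPro5,3", "MacBookPro5,4",
    "MacPro3,1", "MacPro4,1", "MacPro5,1",
}

# Expected Boot ROM version per model. PLACEHOLDER values, not real Apple
# firmware versions: populate from Duo's white paper / Apple release data.
EXPECTED_EFI = {
    "MacBookPro11,1": "MBP111.0000.B25",   # placeholder
    "iMac16,2": "IM162.0000.B00",          # placeholder
}

def parse_hardware_profile(text):
    """Extract (model identifier, Boot ROM version) from the text output of
    `system_profiler SPHardwareDataType`; missing fields come back as None."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Model Identifier|Boot ROM Version):\s*(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found.get("Model Identifier"), found.get("Boot ROM Version")

def assess(model, efi):
    """Classify a machine: 'never-updated', 'mismatch', 'ok' or 'unknown-model'."""
    if model in NEVER_UPDATED:
        return "never-updated"       # no fixed firmware exists for this model
    expected = EXPECTED_EFI.get(model)
    if expected is None:
        return "unknown-model"       # extend EXPECTED_EFI before trusting this
    return "ok" if efi == expected else "mismatch"

# Constructed sample of system_profiler output (placeholder version string).
SAMPLE = """Hardware:
    Hardware Overview:
      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,1
      Boot ROM Version: MBP111.0000.B17
"""

if __name__ == "__main__":
    model, efi = parse_hardware_profile(SAMPLE)
    print(model, efi, assess(model, efi))
```

On a fleet, feed each machine's profiler output through `parse_hardware_profile` and treat "mismatch" as a signal to re-apply the firmware update and "never-updated" as a candidate for replacement or isolation.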

What does this mean?

There has been a long debate about whether Apple devices are inherently more secure than those running Windows or Android. While there are fewer attacks against them, they are not unknown. Apple has managed to capture a user base that is seen as more wealthy than that of other vendors. It is also seen as the technology a lot of business leaders want to use. This has led to an increase in attacks against its devices and software.

While Apple has done a better job of securing its mobile devices than other vendors, it is not immune to attack. Malware has been found in the Apple store, having made its way through Apple's security checks. Its own software engineers are also just as likely to make mistakes as those at other companies, and some of those mistakes will end up in production code, leading to vulnerabilities and risk.

This research from Duo Security is a wake-up call for Apple and its user base. The researchers praise Apple for dealing with firmware issues. However, the failings they have identified mean Apple needs to review and tighten its patching processes.
