Researchers have found the pre-boot Extensible Firmware Interface (EFI) in many popular Macs is not always receiving security updates as expected.
Some Apple Macbook models have been found to potentially contain a firmware vulnerability.
Image: Sarah Tew/CNET
A flaw in the way Apple Mac firmware is updated could leave users unprotected from targeted cyber-attacks - even though they believe the correct updates have been applied.
Researchers at Duo Labs analyzed over 73,000 Mac systems and found that the Extensible Firmware Interface [EFI] in many popular Mac models are vulnerable to sophisticated attacks and malicious firmware vulnerabilities, such as those exposed in the recent WikiLeaks Vault 7 data dumps.
The researchers said there was a surprisingly high level of discrepancy between the EFI versions they expected to find running on the real-world Mac systems and the EFI versions they actually found running.
"This creates the situation where admins and users have installed the latest OS or security update, but for some reason, the EFI was not updated. Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware. This means that users and admins are often blind to the fact that their system's EFI may continue to be vulnerable."
The researchers said the security support provided for EFI firmware depends on the hardware model of Mac. "Some Macs have received regular EFI updates, some have only been updated after particular vulnerabilities have been discovered, others have never seen an update to their EFI."
The EFI firmware of a computer is responsible for booting and controlling the functions of hardware devices and systems, helping the machine get from powering up to booting the operating system.
While difficult to carry out, a successful attack on EFI firmware gives hackers a high level of privilege on the infected system. Such a compromise is difficult to detect and even harder to fix, because even completely wiping the hard disk can't wipe this type of infection.
The researchers said the security support provided for EFI firmware also depends on the version of the OS a system is running: for example a Mac model running OS X 10.11 can receive distinctly different updates to its EFI than the same Mac model running macOS 10.12.
"This creates the confusing situation where a system is fully patched and up to date with respect to its software, but is not fully patched with respect to its EFI firmware - we called this software secure but firmware vulnerable." they said.
They said that for the main EFI vulnerabilities already acknowledged by Apple and patched, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates.
"From an attackers perspective, EFI attacks are particularly attractive because they provide low-level access. They also provide a lot of persistence and are very stealthy," Pepijn Bruienne, research and development engineer at Duo Security told ZDNet.
"These characteristics put it into the category of being in the tool-kit of a well-resourced adversary, think of industrial espionage, nation state type attacks rather than indiscriminate drive-bys," he adds.
Such an attack against unpatched firmware - which researchers say would most likely be carried out against targeted users handling sensitive information or with high level clearance - could leave systems vulnerable to the likes of Thunderstrike - a vulnerability that allows malware to be injected into Macs via the Thunderbolt port.
One researcher recently demonstrated how such a vulnerability can be used to compromise a machine and access stored on it.
Given patches were released to fix this over two years ago, users would naturally expect to be protected against such an attack.
However, researchers say that an average of just over four percent of Macs analysed in production environments were found to be running a version of EFI firmware different on what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version. Analysis of one particular version of iMac suggests 43 percent weren't running secure firmware.
It's recommended that, if possible, users should update to the latest version of OS 10.12.6 which will provide the latest versions of EFI firmware released by Apple and patch them against known security issues. Duo Security has also released some tools to help users check the status of their EFI firmware.
While the flaws only affect a comparatively small number of users, they still represent a security issue. However, Duo Security has commended Apple's willingness to work with them in fixing the vulnerabilities.
"The flaws we found here are definitely a concern and it's good that we've been able to publicly point it out to them. The response has been great, they've taken everything to heart," said Bruienne.
"Of all if the vendors out there that are EFI users for their hardware, they're definitely the most advanced at getting EFIs under control and making sure that end-users are somewhat certain that they get these updates".
Duo Security hope that the 'The Apple of Your EFI: Findings From an Empirical Study of EFI Security' will encourage all vendors to improve EFI security, given how it's almost impossible to discover is such systems have been hacked in the case of a successful attack.
"As the pre-boot environment becomes increasingly like a full operating system in and of its own, it must also be treated like a full OS in terms of the security support and attention applied to it," said Bruienne.
Responding to the research, Apple said it appreciated the research into the "industry-wide" issue.
"Apple continues to work diligently in the area of firmware security and we're always exploring ways to make our systems even more secure," an Apple spokesperson told ZDNet.
"In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly."