Since the Thunderstrike bootkit attacks targeting Apple firmware were disclosed in 2015, Apple has bundled subsequent EFI updates with its regular macOS security and software updates in an attempt to improve protection around its hardware.
Researchers at Duo Security, however, have uncovered that many of those updates are incomplete, and fleets of Macs running in enterprises worldwide may be woefully out of date when it comes to firmware updates.
This is bad news for businesses and should perk up the ears of advanced attackers who have increasingly gone after hardware level access and persistence on targeted machines.
Duo director of research and development Rich Smith and R&D engineer Pepijn Bruienne are scheduled today to deliver a talk and a paper on this research at the Ekoparty conference in Argentina.
EFI, or the extensible firmware interface, operates at a lower level than the operating system and hypervisors, providing extensive privileges to users—and attackers. Attacks at this level often survive reboots and reimaging, giving APTs in particular, longstanding access to a computer.
Duo said it analyzed data such as the build version and hardware model of more than 73,000 Macs, and compared that information to the respective EFI versions that should be running. On average, Duo said, 4.2 percent of machines in production environments did not match their expected EFI versions. The numbers were much worse for particular Mac models; the iMac 21.5 inch of late 2015, for example, was at a 43 percent discrepancy. Duo also said that 16 combinations of Mac hardware and OSes had never received a firmware update during the time when OS X 10.10 and 10.12.6 was available. More details on the data are available in the research report.
Apple, meanwhile, acknowledged Duo’s findings and according to Smith and Bruienne, Apple engineers were open to their findings. Apple is working to improve the factors behind this situation; it’s still not publicly known whether this is a process or visibility problem on Apple’s end, or how the company intends to address this. It should be noted as well that this is not necessarily exclusive to Apple. Duo said in its report that the same issues are likely present on Windows/Intel systems.
“We appreciate Duo’s work on this industry-wide issue and noting Apple’s leading approach to this challenge,” Apple told Threatpost. “Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.”
Smith and Bruienne said that users running on newer versions of macOS are closer to being in line with proper firmware update levels than older versions of the OS. Smith speculates now that High Sierra, or 10.13, is available, that Apple would support 10.11 and newer going forward, and for version 10.10 and older, security and EFI update support would end.
“As we saw when we ripped open every security and OS update since 2015, Apple drops off which EFI firmware bundles it ships with them. The current OS always has the latest updates, minus-1 fewer and minus-2 even fewer,” Bruienne said.
Supporting this, Smith said OS version 10.12.6 shipped with 40 EFI bundles while the 10.11 security update had 31 and the security update for 10.10 which was released at the same time only had one EFI update bundle.
“There’s some math Apple is doing, or something that’s going on,” Bruienne said. “We’re unclear as to why that drops off as far as what they support. We want to say that if you’re not on the latest OS, you’re at risk.
“EFI adoption isn’t foolproof and watertight,” Bruienne said. “And because of these serious vulnerabilities, this is an issue, especially for larger organizations like Google or Facebook that might be targets for folks willing to go through the effort of an EFI attack to get persistence.”
Thunderstrike and a variant that emerged later in 2015, along with two other attacks—CVE-2015-4860 and CVE-2016-7585—pose particular concerns for organizations in the crosshairs of EFI attacks. According to Duo, 47 and 31 Mac models respectively did not receive an EFI patch for Thunderstrike 1 or 2. As for CVE-2015-4860, 25 Mac models never received the EFI patch for the flaw, while 22 were in the same shape when it came to CVE-2016-7585.
“I was certainly under the impression at the start of this work that if you were still eligible to receive software updates, that you would receive firmware updates,” Smith said. “I would be under the assumption that would bring my whole system, firmware and all, up to the latest level. From a number of different perspectives—Mac models, discrepancies between the different versions of the main OS—that’s provably not true.”