- Security vulnerabilities are just as much of a fact of life in firmware as they are in software
- Patching firmware vulnerabilities is often less visible than patching software vulnerabilities and may not be something that is monitored in config management systems to the same extent software patching is
- In the case of Apple hardware, the combination of the model of Apple hardware you run and the version of the OS you run will determine whether firmware vulnerabilities are patched or not
- Only Apple devices capable of running the macOS 10.12.x branch of the OS have received firmware patches for all of the currently known public firmware vulnerabilities. This is true even if you are running the latest security patches Apple released for OS X 10.11.x and 10.10.x
- Understanding your Apple fleet’s software and hardware versions is required if you want to be able to quantify your exposure to firmware vulnerabilities
Recent events surrounding Apple and widely-reported vulnerabilities of its Macintosh products are once more emphasizing the importance of applying macOS security updates as quickly as possible. This is because security updates not only contain patches for the macOS software itself, but they also deliver very important updates to the device’s firmware, commonly referred to as EFI or the Boot ROM.
A Mac’s EFI contains low-level functionality that handles early boot functionality immediately following power-up. It helps to connect external peripherals like a network device or a display and ultimately selects a valid macOS boot device before handing off control to the OS itself. This firmware lives in its own writable ROM environment and can be updated with changes and fixes just like macOS.
And just like any other software, EFI is susceptible to bugs that can be exploited by attackers to gain low-level control of a target Mac. The methods by which EFI vulnerability exploitation is achieved are a little different than exploiting macOS vulnerabilities, but the results can have a bigger impact due to the privileged position the EFI firmware has in the boot chain.
Because security fixes for Apple’s firmware are often far less visible to end users and administrators than software-based security fixes, they can easily go unnoticed. This raised some questions for us about what the actual attack surface of the Apple ecosystem is in terms of firmware vulnerabilities. This blog post covers some of the background of Apple firmware vulnerabilities and our initial findings from looking into how Apple supplies firmware updates to devices in the field across a range of OS versions.
A Short History of Leaked Apple Vulnerabilities
So why is any of this important? On March 23rd 2017, Wikileaks released additional documents from its Vault 7 collection of CIA content that focused on Apple iOS and macOS devices. While a very interesting event in and of itself, many security experts agreed that since the leaked information was a number of years old, it offered no new vulnerabilities or exploitation concepts against the Apple ecosystem.
One of the most talked about aspects of the leak was the set of capabilities codenamed Sonic Screwdriver, a toolkit that enabled the introduction of modified EFI firmware to a targeted Mac. To be able to place a modified EFI firmware on a target Mac, the agency allegedly used a modified Apple Thunderbolt Ethernet adapter connected to the target system while it performed a boot, which allowed the exploitation of a vulnerability in Apple’s firmware to load a modified version that could include keyloggers, data exfiltration tools and so on.
Of particular note is the timeline the leaked documents establish with regards to other research taking place and being discussed in the security community. Only months after the concept of exploiting the fact that a Mac will blindly load option ROMs (embedded device drivers) from attached Thunderbolt devices at boot was first presented in theory at BlackHat USA in January 2012 by security researcher Loukas K aka Snare, the agency had developed and documented a complete solution that outlines loading modified EFI firmware onto a target Mac. Apple would go on to hire security researcher Snare to become part of its firmware security team in 2016.
The first time a complete chain of exploitation was shown in public was some years later, when Trammell Hudson of Two Sigma presented it at the 31st Chaos Computer Club conference hosted in Germany in 2014. At the time, Trammell named the exploit “Thunderstrike”; it loads a malicious payload using similar hardware and methods to those described in the CIA documents. This is not to say that any of these events were connected, but it does show that the general concept of gaining low-level system presence with long-term persistence was known for a number of years and was only addressed by Apple after the public disclosure by Trammell in 2014, with the release of OS X 10.10.2 on January 27, 2015. Details of a second, more powerful version of Thunderstrike named Thunderstrike 2 were published in August 2015 when Trammell Hudson and Xeno Kovah of LegbaCore presented it at the Black Hat security conference in Las Vegas. This vulnerability was patched by Apple in OS X 10.10.4.
What’s the Vulnerability of the Apple Ecosystem’s Firmware?
What does this actually mean to those of us who use Apple systems every day? Apple gave an official statement to TechCrunch soon after the Wikileaks disclosure stating: “[...] our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.” While this is good news for the many users who purchased Macs on or after late 2013 and who are running up-to-date versions of macOS, it still leaves a sizeable portion of users in a potentially vulnerable state. The next question is obviously: how do you know if you are vulnerable? To answer this we need to look at the Apple Mac ecosystem from the perspective of both hardware and software.
From a hardware perspective, if you own a Mac older than the following models, and you are running an OS X version older than 10.10 Yosemite, then you definitely did not receive the firmware update that prevents either the Sonic Screwdriver or Thunderstrike attacks:
- MacBook Pro Retina (Mid 2012),
- MacBook Air (Mid 2013 and later),
- iMac (Late 2013 and later),
- Mac Pro (Late 2013),
- Mac mini (Late 2014)
From a purely software perspective, Apple has never released firmware updates for OS X versions prior to OS X 10.10. This means that if you are running OS X 10.9 or earlier, Mac hardware of any age is also vulnerable (and will likely never be patched).
In order to gather a quantitative view into how large of a population is still vulnerable to these attacks, we conducted some analysis of Duo’s endpoint authentication logs and found that as of late February 2017, around 10% of unique endpoint check-ins reported OS X versions of 10.9 or older.
These endpoints are all vulnerable to Sonic Screwdriver, Thunderstrike variants and any other undisclosed tools using the same approaches possibly in use by either private or state actors.
Apple Releases Batch of Firmware Security Fixes
Soon after the leak of the CIA documents, Apple released macOS 10.12.4 which, as usual, contained an extensive list of security fixes, part of which was an updated collection of EFI firmware updates for the largest set of Mac models to date. Noteworthy were EFI firmware updates for Mac models that had not received any updates since 2012 or earlier, delivered because of updated Internet Recovery options that are part of the firmware:
- MacBook Air (11-inch, Late 2010)
- MacBook Pro (13-inch, Mid 2010)
- Mac mini (Mid 2010)
Beyond the much discussed new Night Shift feature added in 10.12.4, specific highlights of the EFI firmware updates released by Apple in the 10.12.4 update are:
- A patch for Ulf Frisk’s Thunderbolt-based DMA attack
- A change in the way macOS Internet Recovery selects a compatible OS version
The first issue allowed an attacker with specialized Thunderbolt-based equipment to retrieve FileVault 2 FDE keys from memory, which could then be used to unlock the target Mac after a reboot and, if automatic login was enabled, to log into the user’s account. It is unclear at this time whether the aforementioned older models that are now included in the EFI updates also received this security update, even though some of them have expansion ports that could technically be vulnerable, such as the MacBook Pro (13-inch, Mid 2010).
The second is an important change to the firmware that many Mac system administrators have been waiting for Apple to make for some time. What changed? Up until macOS 10.12.3, the Internet Recovery mode used to wipe and reinstall macOS on a target Mac would install the version of the OS the Mac originally shipped with. If a Mac originally shipped with OS X Yosemite and Internet Recovery was invoked at a later time, when a newer version of macOS had shipped, the Mac would still receive OS X Yosemite and it was up to the user to manually upgrade to the latest OS version.
This was a cumbersome procedure and likely resulted in users not bothering to upgrade to the latest OS, causing them to miss out on important security updates and putting themselves at risk. As of the macOS 10.12.4 update, Internet Recovery will now actively determine the newest compatible version of macOS and install it. This will go a long way to ensure that Mac users are always running the latest version of macOS in the event a full OS reload is required. It will also help Mac system administrators who use this Apple-recommended method to repurpose corporate-owned Macs for a new user.
Securing All the Macs
Given all of the above, we have the following recommendations to keep your personal and organization’s Mac systems as secure as possible:
- First, determine if your Mac is one that can be patched against the discussed vulnerabilities.
- All Mac models going back to mid-2010 have available updates in macOS 10.12.4, so update your OS to the latest macOS 10.12 Sierra.
- If you have legacy applications that don’t support macOS 10.12, Apple released a separate patch for older OS X versions through Security Update 2017-001 for 10.10 Yosemite and 10.11 El Capitan, which contains EFI firmware updates, though be aware that they cover a smaller subset of Mac models.
- Once upgraded, make sure to install all future patches as soon as they become available. All of Apple’s major OS releases have been free as of the past few years, so if your Mac supports it, cost won’t be an issue.
- If your Mac is not in that list and is too old to support OS X 10.10 or later, then these vulnerabilities are never going to be fixed for your system’s firmware and they will continue to be vulnerable. In these cases, the easiest advice to give you is that this is an excellent time to shop around for a new one.
- If purchasing a new Mac is not an option, then you should consider the uses and privileges that your vulnerable Macs have and limit them to roles that do not have access to sensitive data. Consider network isolation if these older machines require network access.
- Additionally, given that many of the attacks targeting firmware vulnerabilities require physical access, you can help to defend against them by not using vulnerable devices outside of a physically secured environment and not allowing them to be taken home or on travel.
The one thing to take away from all of the preceding discussion is this: only the current version of macOS will receive the complete set of Apple security patches. Older versions quickly drop off the radar and will leave Macs in a vulnerable state, both from an OS and application standpoint, as well as from a firmware one.
The only way to be sure a Mac is protected is to only run the current macOS version and to apply patches immediately after they are released. Mac system administrators should also take extra care that the firmware updates that are part of macOS updates can be properly applied by their organization’s management tools and that they can reliably report EFI firmware versions across their fleet. In case your management software is unable to gather this data, we recommend taking a look at osquery and the built-in platform_info table, which contains a version key that accurately reflects the EFI firmware version. By keeping track of what firmware versions are installed on your fleet you can more easily mitigate any drift and keep all endpoints protected.
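As an added example (not code from the original post or from Duo), the script below takes per-endpoint osquery rows joining system_info.hardware_model with platform_info.version and flags endpoints whose EFI version lags the newest version seen for the same model, plus any endpoint reporting an unparseable version. The hostnames and version strings are constructed, and the ordering of the version fields (hexadecimal revision and build) is an assumption made for the comparison.

```python
import json
import re
from collections import defaultdict

# Constructed sample rows, shaped like osqueryi --json output for:
#   SELECT s.hardware_model, p.version FROM system_info s, platform_info p;
# with a "host" column added by the collector. All values are made up.
SAMPLE_ROWS = json.dumps([
    {"host": "mbp-01", "hardware_model": "MacBookPro11,1", "version": "MBP111.0138.B25"},
    {"host": "mbp-02", "hardware_model": "MacBookPro11,1", "version": "MBP111.0138.B17"},
    {"host": "mbp-03", "hardware_model": "MacBookPro11,1", "version": "MBP111.0142.B00"},
    {"host": "imac-01", "hardware_model": "iMac13,1", "version": "IM131.010A.B09"},
    {"host": "imac-02", "hardware_model": "iMac13,1", "version": "IM131.010A.B09"},
    {"host": "mm-01", "hardware_model": "Macmini5,1", "version": "not-a-version"},
])

# Assumed layout of Apple EFI version strings: BOARD.REVISION.Bxx, with the
# revision and build fields read as hexadecimal (an assumption, not from the post).
VERSION_RE = re.compile(r"^[A-Z]+\d+\.([0-9A-F]{4})\.B([0-9A-F]{2})$")


def parse_efi_version(version):
    """Return (revision, build) as integers, or None if the string is malformed."""
    m = VERSION_RE.match(version.strip().upper())
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def find_firmware_drift(rows_json):
    """Report endpoints whose EFI version lags the newest seen for their hardware
    model, and endpoints whose reported version could not be parsed at all."""
    by_model = defaultdict(list)
    unparseable = []
    for row in json.loads(rows_json):
        parsed = parse_efi_version(row["version"])
        if parsed is None:
            unparseable.append(row["host"])
        else:
            by_model[row["hardware_model"]].append((parsed, row["host"], row["version"]))
    drift = {}
    for model, entries in by_model.items():
        newest_parsed, _, newest_raw = max(entries)
        for parsed, host, raw in entries:
            if parsed < newest_parsed:
                drift[host] = {"model": model, "has": raw, "newest_seen": newest_raw}
    return drift, unparseable


if __name__ == "__main__":
    lagging, bad = find_firmware_drift(SAMPLE_ROWS)
    for host, info in sorted(lagging.items()):
        print(f"{host}: {info['model']} on {info['has']}, newest seen {info['newest_seen']}")
    print("unparseable:", bad)
```

An unparseable version is worth treating as a finding in itself, since it usually means the collector failed or the endpoint is not reporting what the management tool expects.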