Users with higher security clearance or access to sensitive information are most at risk from highly targeted attacks against their computer’s firmware
ANN ARBOR, Mich., – September 29, 2017 – Duo Security, the leading Trusted Access provider and one of the fastest growing cybersecurity companies in the world, today released an in-depth whitepaper detailing a potential systemic issue that leaves Apple Mac computers susceptible to exceptionally targeted and stealthy attacks. The report shows Mac users who have updated to the latest operating system (OS) or downloaded the most recent security update may not be as secure as they originally thought.
A Duo Labs analysis of over 73,000 real-world Mac systems gathered from users across industries found that the Extensible Firmware Interface (EFI) firmware in many popular Mac models was not actually receiving the security updates users believed it was. This leaves those systems exposed to previously disclosed firmware vulnerabilities such as Thunderstrike 2, and to the firmware attacks described in the recent WikiLeaks Vault 7 documents.
What is EFI Firmware? EFI firmware is the code a computer runs when it is powered on: it initializes the hardware and then hands control to the operating system’s bootloader. It can be compared to the starter motor in a car, getting the system from power-on to a booted operating system.
Why Attack EFI Firmware? Attacks on EFI firmware are particularly valuable to sophisticated malicious actors because the firmware runs before, and with more privilege than, the operating system and any security software installed on it. A compromise at this level is incredibly difficult to detect and even harder to remediate: the implant lives in the firmware flash rather than on disk, so even completely wiping the hard disk would not remove it.
Who is Most at Risk? Because of the sophistication required to execute such an attack, users who work with particularly sensitive information or who hold security clearances are the most likely targets of this kind of advanced ‘pre-boot’ attack code.
What Should You Do? Organizations with fleets of Mac computers should check the models listed in the whitepaper to see whether their models are running out-of-date EFI firmware. If such attacks are within your threat model, consider replacing affected devices with newer models, and in any case continue to install security updates promptly after release.
“Firmware is an often overlooked yet vital component of a system’s security structure,” said Rich Smith, Duo Director of Research and Development. “The sophisticated and targeted nature of firmware attacks should be of particular concern to those who have higher security clearance or access to sensitive information at their respective organizations. The worst possible state for users is to be under the assumption that they are secure after updating their system, when in fact, their actual security posture is very different than what they believe it to be.”
In 2015, Apple began bundling EFI firmware updates with its software updates so that users would automatically receive the current firmware security fixes. That let Duo Labs assess the state of Apple’s EFI security by examining the Mac updates released over the last three years and comparing the EFI version each system actually runs with the version it should be running. The findings were staggering:
Users running a version of macOS/OS X older than the latest major release (High Sierra) likely have EFI firmware that has not received the latest fixes for known EFI issues. Such systems can be software secure but firmware vulnerable.
On average, 4.2% of the real-world Macs in the production environments analyzed are running an EFI firmware version that differs from the one they should be running, given the hardware model, the OS version, and the EFI version released with that OS version.
At least 16 Mac models have never received any EFI firmware update at all. The 21.5” iMac released in late 2015 had the highest rate of incorrect EFI firmware, with 43% of sampled systems running incorrect versions.
47 models capable of running 10.10, 10.11 or 10.12 never received an EFI firmware patch for Thunderstrike 1 (the original variant, delivered over a Thunderbolt device), and 31 models capable of running the same releases never received a patch for its remote variant, Thunderstrike 2.
Two recent security updates issued by Apple (Security Update 2017-001 for 10.10 and for 10.11) shipped the wrong EFI firmware with the update, which suggests a regression or a lag in quality assurance.
“As the pre-boot environment becomes increasingly like a full operating system in and of its own, it must also be treated like a full OS in terms of the security support and attention applied to it,” added Pepijn Bruienne, Duo Research and Development Engineer. “We are confident Apple is making significant efforts to increase the security of their EFI environment, and look forward to continuing our research to include the newest OS - High Sierra.”
“While our findings are striking, Apple should be commended in its efforts to get ahead of firmware security issues and seen as an example for the rest of the industry of how to approach the issues surrounding firmware security,” said Smith. “We hope this report will not only help Apple strengthen security, but also get the attention of all manufacturers on the importance of firmware security and giving users more visibility into the security health of all aspects of their computers.”
To help Mac users determine whether the EFI firmware on their Mac is indeed up to date, Duo is releasing a free open-source tool called “EFIgy.” Functionality will be added later to also assess whether a user’s EFI version is exposed to a known EFI vulnerability. The tool is available at https://github.com/duo-labs/EFIgy.
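The comparison the findings above rest on (does the Boot ROM version a Mac reports match the EFI version that shipped for its model with the OS build it is on?) is easy to script from `system_profiler SPHardwareDataType` output, which carries a “Model Identifier” and a “Boot ROM Version” field, together with `sw_vers -buildVersion`. The block below is an added illustration of that fleet check; it is not EFIgy’s code and not from the report. The expected-version table and the sample fleet are constructed placeholders, not Apple’s real release data, and a real audit would fill the table from the EFI payloads inside Apple’s update packages.

```python
"""Fleet audit: does each Mac run the EFI (Boot ROM) version that shipped for
its model with the macOS build it is on?  Added example; not EFIgy's code."""
import re
from collections import Counter

# Expected Boot ROM version per (Model Identifier, macOS build).  These values
# are CONSTRUCTED placeholders, not Apple's real release data; a real audit
# would fill this table from the EFI payloads inside Apple's update packages.
EXPECTED_EFI = {
    ("MacBookPro11,1", "16G29"): "MBP111.0142.B00",
    ("MacBookPro11,1", "15G31"): "MBP111.0138.B25",
    ("iMac16,1", "16G29"): "IM161.0207.B00",
    ("MacBookAir6,2", "16G29"): "MBA61.0103.B00",
}

# Boot ROM strings on Macs of this era look like MBP111.0138.B25:
# board prefix, zero-padded build number, letter+number suffix.
EFI_VERSION_RE = re.compile(r"^([A-Z]+\d*)\.(\d+)\.([A-Z]\d+)$")


def parse_efi_version(version):
    """Split 'MBP111.0138.B25' into ('MBP111', 138, 'B25'); None if unrecognised."""
    m = EFI_VERSION_RE.match((version or "").strip())
    if not m:
        return None
    prefix, build, suffix = m.groups()
    return prefix, int(build), suffix


def parse_hardware_overview(text):
    """Extract Model Identifier and Boot ROM Version from the text output of
    `system_profiler SPHardwareDataType`."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in ("Model Identifier", "Boot ROM Version"):
            fields[key] = value.strip()
    return fields.get("Model Identifier"), fields.get("Boot ROM Version")


def check_host(model, os_build, running):
    """Classify one host against EXPECTED_EFI.  Returns (status, expected) with
    status in: ok | outdated | newer | wrong_board | unparseable | unknown."""
    expected = EXPECTED_EFI.get((model, os_build))
    if expected is None:
        return "unknown", None          # no reference version for this model/build
    run = parse_efi_version(running)
    exp = parse_efi_version(expected)
    if run is None or exp is None:
        return "unparseable", expected
    if run[0] != exp[0]:
        return "wrong_board", expected  # firmware built for a different board family
    if run[1:] < exp[1:]:
        return "outdated", expected     # OS was updated, the EFI never followed
    if run[1:] > exp[1:]:
        return "newer", expected        # ahead of the table; the table is probably stale
    return "ok", expected


def audit_fleet(hosts):
    """hosts: iterable of (hostname, macOS build, system_profiler text).
    Returns per-host records, the share of classifiable hosts not on the
    expected EFI, and a per-model count of those hosts."""
    results = []
    for name, os_build, sp_text in hosts:
        model, running = parse_hardware_overview(sp_text)
        status, expected = check_host(model, os_build, running)
        results.append({"host": name, "model": model, "os_build": os_build,
                        "running": running, "expected": expected, "status": status})
    known = [r for r in results if r["status"] != "unknown"]
    wrong = [r for r in known if r["status"] != "ok"]
    rate = len(wrong) / len(known) if known else 0.0
    return results, rate, Counter(r["model"] for r in wrong)


def sample_overview(model, boot_rom):
    """CONSTRUCTED stand-in for `system_profiler SPHardwareDataType` output."""
    return (f"Hardware:\n\n    Hardware Overview:\n\n"
            f"      Model Identifier: {model}\n"
            f"      Boot ROM Version: {boot_rom}\n"
            f"      SMC Version (system): 2.16f68\n")


# Constructed sample fleet: (hostname, `sw_vers -buildVersion`, profiler text).
SAMPLE_FLEET = [
    ("mbp-01", "16G29", sample_overview("MacBookPro11,1", "MBP111.0142.B00")),
    ("mbp-02", "16G29", sample_overview("MacBookPro11,1", "MBP111.0138.B25")),
    ("imac-01", "16G29", sample_overview("iMac16,1", "IM161.0105.B08")),
    ("mba-01", "16G29", sample_overview("MacBookAir6,2", "MBA61.0103.B00")),
    ("mbp-03", "17A365", sample_overview("MacBookPro11,1", "MBP111.0142.B00")),
]

if __name__ == "__main__":
    results, rate, by_model = audit_fleet(SAMPLE_FLEET)
    for r in results:
        print(f"{r['host']:8} {r['model']:16} {r['os_build']:7} {r['running']:16} "
              f"expected {r['expected'] or '-':16} {r['status']}")
    print(f"\n{rate:.1%} of classifiable hosts are not on the expected EFI; "
          f"by model: {dict(by_model)}")
```

Two caveats for anyone running a check like this for real. First, the status that matters is “outdated” (the OS moved on and the EFI did not, exactly the condition the report measures); “newer” almost always means the reference table is stale rather than that the machine is ahead of Apple. Second, the Boot ROM version is whatever the firmware says about itself, so this is a hygiene check against Apple’s release data, not an integrity measurement: a firmware implant can report any version string it likes.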
For more information and to review the full report, please visit: duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research
About Duo Security
Duo Security is a cloud-based Trusted Access provider protecting thousands of the world’s largest and fastest-growing companies and organizations, including Dresser-Rand Group, Etsy, Facebook, K-Swiss, Paramount Pictures, Random House, SuddenLink, Toyota, Twitter, Yelp, Zillow and more. Duo’s innovative and easy-to-use technology can be quickly deployed to protect users, data and applications from breaches, credential theft and account takeover. The Ann Arbor, Michigan-based company also has offices in San Mateo, California; Austin, Texas and London. Duo is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures and True Ventures. Try it for free at duo.com.
About Duo Labs
Duo Security’s advanced research arm, Duo Labs, is a team of hackers, researchers and engineers dedicated to protecting the public by identifying and fixing IT vulnerabilities on a broad scale. Duo Labs is an industry-leading source of research on mobile and cloud security, malware analysis, Internet of Things (IoT) and phishing tactics, among other areas. For more information, visit https://duo.com/labs or follow them on Twitter: @duo_labs.