Researchers warn of missing EFI updates on some macOS systems


Researchers from security firm Duo Security studied EFI firmware updates on 73,324 Mac systems and found that just over 4 percent of the systems surveyed were missing updates, creating security risks.

The company released the results of the investigation on Friday. The authors write that the data collected suggests that one of the causes of the phenomenon may be that sysadmins do not have the correct procedures for updates. Another possibility is that something goes wrong on Apple’s part that prevents the updates from installing, but they have found no evidence of that. The percentage of 4.2 percent is an average and there are several outliers.

For example, it turned out that a 21.5-inch iMac from the end of 2012 ran the wrong EFI firmware in 43 percent of cases. For three variants of a 13-inch MacBook Pro from 2016, that percentage ranged from 25 to 35 percent. Another finding of the study was that in 10 percent of cases, systems running macOS Sierra did not have the expected firmware, while the percentage for El Capitan and Yosemite was lower, at 3.4 and 2.1 percent respectively.

According to the researchers, which firmware updates a system receives depends on both the Mac model and the version of the operating system installed. As a result, a system can have all the necessary OS security updates and still run an insecure version of the EFI. For example, there are said to be 16 combinations of hardware and operating system that never received a firmware update between versions 10.10 and 10.12 of the OS. The researchers also point out that an update sometimes contained an older firmware version than its predecessor, which would indicate a problem with QA.
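As an added illustration of that check (example code written here, not Duo's tool or anything from the report): given an expected-version table keyed by (model, macOS version), flag hosts whose installed Boot ROM lags the expected one and compute per-model lag rates. The table, model identifiers, hostnames and version strings are constructed placeholders, and the assumed Boot ROM string format "MODEL.XXXX.BYY" is an assumption, not something the article states.

```python
# Added example (not Duo Security's tool): flag Mac systems whose EFI (Boot ROM)
# version lags what is expected for their (model, macOS version) pair, and
# report per-model lag rates. All models, versions and the expected table are
# constructed placeholders, not real Apple release data.
from collections import defaultdict

# Assumption: Boot ROM strings look like "MODEL.XXXX.BYY" (hex revision, decimal build).
EXPECTED = {
    ("iMac13,1", "10.12.6"): "IM131.010A.B09",
    ("MacBookPro13,2", "10.12.6"): "MBP132.0226.B25",
    ("MacBookPro13,2", "10.11.6"): "MBP132.0226.B20",
}

def parse_boot_rom(version):
    """Split 'IM131.010A.B09' into (model code, hex revision, build number)."""
    model_code, rev, build = version.split(".")
    if not build.startswith("B"):
        raise ValueError(f"unexpected Boot ROM format: {version}")
    return model_code, int(rev, 16), int(build[1:])

def is_outdated(installed, expected):
    """True when the installed Boot ROM is older than the expected one."""
    im, ir, ib = parse_boot_rom(installed)
    em, er, eb = parse_boot_rom(expected)
    if im != em:
        raise ValueError(f"model code mismatch: {installed} vs {expected}")
    return (ir, ib) < (er, eb)

def audit(inventory):
    """inventory: iterable of (host, model, macos, boot_rom).
    Returns (lagging hosts, {model: percent lagging}); hosts with no
    expected entry for their (model, macOS) pair are skipped."""
    lagging, seen, lag = [], defaultdict(int), defaultdict(int)
    for host, model, macos, boot_rom in inventory:
        expected = EXPECTED.get((model, macos))
        if expected is None:
            continue
        seen[model] += 1
        if is_outdated(boot_rom, expected):
            lag[model] += 1
            lagging.append(host)
    return lagging, {m: round(100.0 * lag[m] / seen[m], 1) for m in seen}

# Constructed inventory: mac-02 is fully patched at the OS level but on stale EFI.
SAMPLE = [
    ("mac-01", "iMac13,1", "10.12.6", "IM131.010A.B09"),
    ("mac-02", "iMac13,1", "10.12.6", "IM131.0106.B05"),
    ("mac-03", "MacBookPro13,2", "10.12.6", "MBP132.0226.B25"),
    ("mac-04", "MacBookPro13,2", "10.11.6", "MBP132.0226.B20"),
    ("mac-05", "MacBookPro13,2", "10.13", "MBP132.0226.B30"),  # no expected entry
]
```

Running `audit(SAMPLE)` reports mac-02 as lagging even though its macOS is current, which is exactly the OS-patched-but-EFI-stale case the researchers describe.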

A vulnerable EFI carries risks because it has many privileges, according to the researchers. As a result, a successful attack can undo security measures at higher levels in the system. In addition, such attacks would often be difficult to detect and, once a system is infected, difficult to remove. In the report, they refer to several EFI attacks, such as the Thunderstrike variants, in which Apple systems could be infected by malicious Thunderbolt adapters. The CIA method Sonic Screwdriver is also mentioned.

The researchers say they looked at Apple because it runs a closed ecosystem in which the company controls both the hardware and the software, which makes the analysis easier. They suspect that the situation on Wintel systems may be worse and want to investigate that in the future. It recently emerged that, starting with High Sierra, Apple performs a weekly check of the EFI firmware. However, according to the authors, the tool in question does not warn about outdated versions.

The security researchers say their findings should not be a major concern to ordinary users, as attacks on the EFI are often complex and targeted. How serious the findings are therefore depends on the user's threat model. They have released a tool that lets users check whether their EFI firmware version is the correct one and whether it is vulnerable. However, it was not yet available at the time of writing.
