Researchers at Duo found that Mac users who have kept up with security updates may be much more vulnerable than they expect. Duo analyzed over 73,000 Macs and discovered that 4.2% of them were running an EFI firmware version other than the one Duo expected for that model and OS version. The Extensible Firmware Interface (EFI), originally designed by Intel, is the firmware Apple uses on Macs, and it controls the boot process. EFI runs before the OS boots and has high enough privileges to allow an attacker to take full control undetected. In addition to EFI attacks being hard to detect, removing the adversary is also very difficult: replacing the hard drive or installing a new OS will not dislodge the attacker.
More details concerning the vulnerability can be found in Duo’s blog post.
- It seems that Apple has been neglecting to push out EFI updates to some systems; in other cases the firmware update fails silently, without presenting an error message, leaving the user unaware.
- If you are running any OS version prior to 10.12 Sierra, there is a possibility that your EFI firmware has not been updated.
- According to Duo, if you are using one of the 16 Mac models listed below, your system has not received any firmware updates at all.
What Should I Do?
- Check if you have the latest version of EFI with a tool Duo created called EFIgy. It can be downloaded here.
- Update to the latest version of macOS (10.12.6) to ensure you receive the latest EFI version and patch any known software vulnerabilities.
- If you are running a Mac that is on the list above, or you are not able to update to version 10.12.6 for hardware or software reasons, unfortunately you will not be able to run the updated EFI firmware.
- If you are not able to run up-to-date EFI firmware for any reason, you can still download EFIgy to determine if your version of EFI is vulnerable.
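For admins who want to answer the same question EFIgy answers across a fleet, the following script is an added example (not Duo's or Apple's code): it parses the Boot ROM (EFI) version and model identifier from `system_profiler SPHardwareDataType` output and compares the version against an admin-maintained table of expected versions. The sample output and the table values are constructed; the real expected versions must come from Apple's firmware release notes.

```shell
#!/bin/sh
# Constructed sample of `system_profiler SPHardwareDataType` output (not real fleet data).
SAMPLE_HW='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,1
      Processor Name: Intel Core i5
      Boot ROM Version: MBP111.0138.B17
      SMC Version (system): 2.16f68
'

# Read system_profiler text on stdin and print "<model-id> <boot-rom-version>".
# On Intel Macs the "Boot ROM Version" field is the EFI firmware version.
parse_boot_rom() {
  awk -F': *' '
    /Model Identifier:/ { model = $2 }
    /Boot ROM Version:/ { rom = $2 }
    END { if (model != "" && rom != "") print model, rom; else exit 1 }
  '
}

# Compare the found Boot ROM version to the expected one for that model.
# Prints "ok", "stale" (version differs) or "unknown-model" (no table entry).
check_boot_rom() {
  model="$1"; found="$2"; expected_table="$3"
  expected=$(printf '%s\n' "$expected_table" | awk -v m="$model" '$1 == m { print $2 }')
  [ -z "$expected" ] && { echo unknown-model; return 0; }
  [ "$found" = "$expected" ] && echo ok || echo stale
}

# Placeholder expected-version table, one "ModelIdentifier BootROMVersion" per line.
# These values are constructed; fill the table from Apple's firmware release notes.
EXPECTED='MacBookPro11,1 MBP111.0138.B17
MacBookPro12,1 MBP121.0000.B00'

# Use live data when running on a Mac, otherwise fall back to the constructed sample.
if command -v system_profiler >/dev/null 2>&1; then
  hw=$(system_profiler SPHardwareDataType)
else
  hw="$SAMPLE_HW"
fi

result=$(printf '%s' "$hw" | parse_boot_rom) || { echo "could not parse hardware info" >&2; exit 1; }
model=${result%% *}; rom=${result#* }
echo "$model $rom: $(check_boot_rom "$model" "$rom" "$EXPECTED")"
```

A "stale" result means the machine is not on the firmware you expect and warrants the same follow-up as an EFIgy mismatch; an "unknown-model" result means your table needs an entry before the check is meaningful.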
If you use a Mac for work or you’re a Mac sys admin and your systems are vulnerable to an EFI attack, it is important to determine how a compromised system could impact your environment. In situations like that, Duo recommends that you either shift those vulnerable Macs to a role where they are not exposed or retire them completely. However, this all depends on the value of your data and the nature of your work. It is up to your organization to decide whether or not you are willing to accept the risk of having vulnerable systems within your network.
So far, attacks against EFI have mainly been used by sophisticated attackers with high-value targets in mind. Therefore, according to Duo, Mac home users have little to worry about. As of today, there have been no reports of EFI exploits in the wild.