Some MacOS Users Aren't Getting the Firmware Security Patches They Think They Have
Do you know if your Mac's low-level firmware is up to date with the latest patches? You might not be able to, researchers say.
Oct 2 2017, 2:00pm
Image: Shutterstock/Rachel Pick
More from motherboard
Apple's security updates for macOS sometime include patches for serious vulnerabilities in the firmware that runs beneath the operating system. So you might think you're safe if you keep your OS version up to date, but that's not always the case. Depending on your Mac model, you might get the firmware patches or you might not, a team of researchers found.
On one hand, Apple has done more than most other computer manufacturers to secure low-level firmware in Macs by automatically delivering security patches for it to users. On the other, there are still problems with the firmware update process that could put Mac users in the dangerous position where they think they have patched critical vulnerabilities that would let hackers completely compromise their machines—with some effort—but in reality they haven't.
The EFI (Extensible Firmware Interface) is the modern equivalent of the BIOS, the low-level code responsible for initializing the various hardware components when a system is powered on. Unlike the BIOS, however, the EFI has much more functionality, including the ability to communicate over the network.
In a sense, the EFI is a mini operating system with drivers, its own specialized applications, a command-line shell environment and various other extensions. Network cards, graphics cards, solid state drives (SSDs) and other components also have their own firmware that communicates with the EFI.
Starting in 2015, Apple began bundling EFI updates together with the updates for OS X—now called macOS. The goal was to make it easier for users to get these patches automatically because in the past these firmware updates had to be installed manually. This is still the case on most Windows computers today for example.
Researchers from security firm Duo Security analyzed Apple's EFI patches and compared them with the firmware versions installed on over 73,324 Macs that are used across organizations of different sizes and from different industries. Their analysis revealed that Apple does not deliver EFI patches consistently for all models and that even when an EFI patch is available for a certain model, its installation might fail during the update process with no indication to the user or administrator. They think they got the update, but they didn't.
Duo Security researchers Rich Smith and Pepijn Bruienne found 16 Mac models that appear to have never received any EFI update in the past three years, over the lifetime of OS X Yosemite (10.10), OS X El Capitan (10.11) and macOS Sierra (10.12). During that time, other models received patches for serious vulnerabilities that could allow hackers to install stealthy bootkits—boot rootkits—into the EFI and gain total control over the systems. There were also Mac models for which Apple released EFI patches for known vulnerabilities with significant delays, leaving them potentially exposed for months compared to models that got fixes for the same flaws quicker.
The researchers found 47 Mac models that did not receive an EFI firmware patch for a vulnerability revealed in 2014 called Thunderstrike and 31 models that did not receive a patch for a follow-up attack called Thunderstrike 2.
Thunderstrike allows a malicious Thunderbolt-to-Ethernet adapter plugged into a Mac computer to write malicious code to the EFI. Thunderstrike 2 takes the concept further and allows for a similar security breach but without the need of a physical device, as the EFI infection can be done directly by privileged malware running in macOS.
Apple shipped Thunderstrike patches with OS X Yosemite v10.10.2 and with Security Update 2015-001 for older OS X versions. The vulnerabilities behind Thunderstrike 2 were patched with OS X Yosemite v10.10.4 and Security Update 2015-005.
But here lies the first problem: The flaws were not actually fixed in OS X itself, but in the EFI updates that were bundled with those OS X updates. And according to Duo Security's research, which will be presented today at the Ekoparty security conference in Buenos Aires, not every affected Mac model received those EFI patches and there's no easy way for regular users to tell if they got them or not.
Thunderstrike and Thunderstrike 2 were not the only EFI attacks for which Apple didn't provide fixes to all Macs, according to Duo's research. A 2015 patch for an EFI flaw known as CVE-2015-4860 was not made available to 25 Mac models and the fix for CVE-2016-7585, an EFI vulnerability that allows recovering FileVault 2 encryption passwords via malicious Thunderbolt devices was not released for 22 models.
Because of its highly privileged position, malicious code running in the EFI has a lot of power: it can reinfect the OS with malware even if it has been completely wiped and reinstalled on the hard drive; it can disable security features and bootloader cryptographic checks; it can potentially "brick" the computer in which case restoring it to a working condition would require a complicated chip reflashing process, and much more. It is what some security experts refer to as "God mode" malware.
Apple has already started to take some action to detect potentially malicious EFI modifications. MacOS High Sierra (10.13), which was released this week, contains a tool called eficheck that runs every week and compares the system's EFI contents to a whitelist maintained by Apple. If discrepancies are detected it will alert users and allow them to send a report to Apple.
"I agree with their conclusions, that we've got things we can do better."
It is important to keep in mind that in order to compromise the EFI, an attacker needs to already have privileged access through code running on your system or have physical access to the device, reputed OS X and iOS security researcher Dino Dai Zovi and one of the authors of The Mac Hacker's Handbook, told me. So, it is better to focus on protecting the weakest links in the chain and raise the cost of attacks across the board, he said.
Compared to Microsoft, which only provides the operating system for PCs, Apple controls both the hardware and the software of its Mac computers. This means that it's in a much better position to deliver firmware updates to them as it doesn't depend on third-party hardware manufacturers.
In the PC ecosystem there's much more fragmentation because there are several companies that provide base implementations of the UEFI (Unified Extensible Firmware Interface) standard to PC makers. Manufacturers then take these implementations—often more than one—and add additional code on top, leading to situations where even different PC models from the same manufacturer use considerably different EFIs, making patch development a costly and complicated process.
Ironically, while bad for patching, this fragmentation also makes it harder for attackers to create EFI bootkits that can run on a very large number of PCs. From that point of view, it might be easier for them to build low-level malware for Macs, which share the same EFI codebase.
The Duo researchers told me that despite the identified problems, Apple actually does a much better job of patching EFI security issues than other computer makers and the fact that the company has created a system capable of deploying EFI updates without manual intervention from users is laudable.
The reason why Mac and not PC EFI updates were chosen for this research project was specifically because Apple's vertical integration of hardware, firmware, and software made it much easier to build a dataset and analyze it, the researchers said.
"We appreciate Duo's work on this industry-wide issue and noting Apple's leading approach to this challenge," an Apple spokesperson told me. "Apple continues to work diligently in the area of firmware security and we're always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly."
Last week, Xeno Kovah, one of the researchers behind the Thunderstrike 2 attack who has since been hired by Apple, said on Twitter about the Duo Security research: "I agree with their conclusions, that we've got things we can do better." He has since deleted the tweet, but an archived copy is still available.
After analyzing Apple's updates and establishing which Mac models did have EFI patches available from the company and with which OS X or macOS updates they were bundled, the Duo Security set out to see if Macs used in production by companies actually had the EFI patches they were supposed to have according to the OS version the were running.
They started with a dataset of 73,383 Macs, of which they selected 65,853 running OS X/macOS 10.10, 10.11, and 10.12—the versions for which EFI and OS updates are shipped together.
The analysis led them to another discovery: some Macs didn't have the latest EFI patches that were available to them from Apple and which should have corresponded to the OS versions they were running. In order words, on those Macs, the installation of the bundled EFI updates failed but the OS updates succeeded, so now they were "software secure, but firmware vulnerable."
Across the entire dataset, 4.2 percent of the analyzed Macs had mismatched firmware-to-OS patch levels, the researchers said. But the discrepancy was much higher for some models: 43 percent for the late 2015 21.5" iMacs, between 25 and 35 percent for three variants of the late 2016 13" MacBook Pro and 12 to 15 percent for two variants of the early 2011 MacBook Pro.
It's not entirely clear why EFI updates fail on some systems, but the more concerning finding is that there's no indication to users or Apple when this happens. And even if users would know how to use low-level tools to determine that they're running an outdated EFI version, there is no easy way for them to only re-apply the EFI patch without reinstalling the OS update.
The Duo Security researchers said that Apple's new eficheck tool does not alert users about situations where their systems are running the latest OS but have an out-of-date EFI version.
"Burn it to the ground. Toss it out. It's really game over."
In conclusion the research revealed several issues: 1) Because Apple continues to deliver security updates to older OS X versions, many users might understandably assume that they're getting the EFI patches too, but that's not the case. The only way to ensure that they're getting the latest EFI patches available for their Mac models is to upgrade to the latest major version of macOS. 2) Even then, there is no guarantee that their Mac models will get the same EFI patches as other models, even though Apple lists the patched EFI vulnerabilities in the security advisories that accompany security updates. 3) And even if all EFI patches are available for a particular model, the installation of those patches might fail during the update process with no warning to the user.
EFI compromises are really bad
Detecting EFI infections is difficult because the malicious code can lie to OS-level tools that try to interrogate the EFI, so EFI malware is undetectable to most antivirus and other security products. Even if it is somehow detected, recovering from such an infection is also extremely hard, because the malicious code can block EFI updates.
If you think your EFI has been compromised, the best option is to stop using the device and get rid of it, said Patrick Wardle, the director of research at penetration testing firm Synack. "Burn it to the ground. Toss it out. It's really game over."
While many of the EFI bootkits known so far have been created and demonstrated by researchers, there is evidence that such low-level malware programs are being used in the wild by sophisticated attackers.
A cache of supposedly internal CIA documents published by WikiLeaks earlier this year mention a tool codenamed Sonic Screwdriver that consists of a malicious Thunderbolt-to-Ethernet device. The tool can be used to deliver a fileless Mac malware implant called Der Starke which installs a persistence component in the EFI.
It is reasonable to assume that intelligence agencies from other countries or sophisticated groups of attackers have similar capabilities. However, researchers agree that it's very unlikely to see widespread EFI attacks indiscriminately targeting large numbers of users. If there are EFI attacks out there—and there likely are—they are almost certainly very targeted to specific individuals or organizations, so the risk they could affect you really depends on your threat model—who would be interested in you or your data.
In general, follow all recommended security practices to lower the chances of malicious code ever getting onto your system and you should be fine.
What should Apple do?
"I would love for Apple to have similar boot security on Macs as it does on iOS devices or as Google has on Chromebooks," Dai Zovi said. On those systems the entire boot chain components from the EFI, to the bootloader to the OS system partition are cryptographically verified, he said.
The reason why that hasn't been done on Macs is probably because it would prevent users from installing other operating systems like Windows or Linux through the Boot Camp feature. Dai Zovi said that he wouldn't be surprised if in the future Apple will make the boot security model for Macs more closely resemble that of iOS devices, which have the best firmware security around.
By simply providing an automatic update mechanism for the EFI, Apple is already doing more than most PC manufacturers, the researcher said. However he agreed that Apple should be more transparent in regards to which EFI vulnerabilities are being patched in which updates and for which models.
In addition to things that Apple could do to raise the cost of EFI attacks— better boot chain security—there are also things that could be done to lower the value of such attacks.
For example, if there would be a way to easily reflash the EFI to a known good state, it would make it much less valuable for attackers to go through the effort of getting malicious code into the EFI in the first place, Dai Zovi said. "You could do it at every system boot."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.