At least 16 different Apple Mac models have never received an update to their EFI firmware, which could leave those devices vulnerable to targeted attacks that are difficult to detect, according to researchers at the cloud-based security company Duo Security.
While organizational users should consider moving affected Macs into less vulnerable work roles, home users probably won't encounter much risk by continuing to use such devices, two Duo researchers said in a blog post about their findings. They also noted that although their research focused solely on Apple Macs, "we are of the belief that the main issues we have discovered are generally relevant across all vendors tasked with securing EFI firmware and are not solely Apple."
A device's EFI (Extensible Firmware Interface) is the firmware that runs before the operating system: it initializes the hardware and hands control to the OS boot loader, so it sits in the layer below everything the operating system can see. Without proper updates, that EFI firmware could be vulnerable to sophisticated attacks that are hard to detect from within the OS and cannot be resolved simply by updating operating system software, reinstalling it, or even replacing the hard drive.
'Considerable Discrepancies' in Security Support
Duo Security researchers Rich Smith and Pepijn Bruienne were scheduled to present their findings today at the Ekoparty Security Conference being held in Buenos Aires. Ahead of their talk, they published a blog post and released a technical paper to describe the vulnerabilities they discovered in some Apple Macs.
Conducted over the past few months, Duo's research focused on differences between how technology vendors updated their devices' firmware versus their software. Smith and Bruienne said the study looked solely at Macs because Apple controls every aspect of its devices, from hardware and firmware to operating system and apps. The vulnerabilities they identified, though, most likely apply to other vendors as well, they said.
"Our research has shown there are considerable discrepancies in how Apple provides security support to its EFI firmware as compared to how they support the security of the OS and software," Smith and Bruienne said. "There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running. This creates the situation where admins and users have installed the latest OS or security update, but for some reason, the EFI was not updated."
Without those updates, affected Macs could be "vulnerable to a variety of known public EFI security issues," they added.
Apple: Update to MacOS High Sierra
The researchers found that 16 Mac models have not received any EFI firmware updates: the iMac 7.1, 8.1, 9.1, and 10.1; the MacBook 5.1 and 5.2; the MacBook Air 2.1; the MacBook Pro 3.1, 4.1, 5.1, 5.2, 5.3, and 5.4; and the Mac Pro 3.1, 4.1, and 5.1.
The researchers recommended that users with Macs running operating systems older than macOS Sierra 10.12 check their devices with Duo's EFIgy tool to see whether they're running the latest EFI version. If not, they should update to High Sierra (macOS 10.13), which ships the latest versions of Apple's EFI firmware as well as up-to-date software security patches. However, users with older devices that don't support High Sierra "may be out of luck," Smith and Bruienne added.
EFIgy can also help users of those older devices determine whether their machines might be vulnerable to known EFI attacks. For organizational users with such devices, "it would be well worth considering end-of-life'ing Macs that cannot have updated EFI firmware applied, or moving them into roles where they are not exposed to EFI attacks (physically secure, controlled network access)," the researchers said. Home users are less likely to be exposed to such attacks, which typically involve nation-state actors or industrial spies, they added.
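A way to run that check by hand, as an added example (not Duo's EFIgy code or any part of Duo's research): the script below reads the model identifier and Boot ROM version that `system_profiler SPHardwareDataType` reports, flags the 16 models listed above as having no EFI updates available, and compares any other model against an expected firmware string that the admin fills in from Apple's latest release. The sample profile text and the single expected-version entry are constructed placeholders, not known-good values; EFIgy does the comparison against Duo's own data. Note that system_profiler spells identifiers with a comma ("MacBookPro5,1"), not the "5.1" form used in the article.

```shell
#!/bin/sh
# Added example, not Duo's EFIgy: classify a Mac by model and Boot ROM (EFI) version.

# The 16 models the article lists as never having received an EFI update,
# spelled the way system_profiler reports them.
NEVER_UPDATED="iMac7,1 iMac8,1 iMac9,1 iMac10,1 MacBook5,1 MacBook5,2 MacBookAir2,1 \
MacBookPro3,1 MacBookPro4,1 MacBookPro5,1 MacBookPro5,2 MacBookPro5,3 MacBookPro5,4 \
MacPro3,1 MacPro4,1 MacPro5,1"

# Expected current Boot ROM string per model, one "model=version" pair per line.
# Fill this in from the firmware Apple ships in its latest release for the
# models in your fleet; the entry below is a hypothetical placeholder.
EXPECTED_BOOT_ROM="MacBookPro9,1=MBP91.00D7.B00"

# Constructed sample of `system_profiler SPHardwareDataType` output, used when
# the script runs somewhere other than a Mac. The Boot ROM value is made up.
SAMPLE_PROFILE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro5,1
      Processor Name: Intel Core 2 Duo
      Boot ROM Version: MBP51.007E.B06
      SMC Version (system): 1.33f8'

# parse_profile: read system_profiler text on stdin, print "<model> <bootrom>".
# Newer macOS releases label the firmware line "System Firmware Version".
parse_profile() {
  awk -F': *' '
    /Model Identifier:/                            { model = $2 }
    /Boot ROM Version:|System Firmware Version:/   { rom = $2 }
    END { print model, rom }'
}

# efi_status MODEL BOOTROM: prints one of
#   no-efi-updates-available  model is on the never-updated list
#   current / stale           compared against EXPECTED_BOOT_ROM
#   unknown-model             no expected version recorded for this model
efi_status() {
  model=$1; rom=$2
  for m in $NEVER_UPDATED; do
    if [ "$m" = "$model" ]; then
      echo no-efi-updates-available
      return 0
    fi
  done
  want=$(printf '%s\n' "$EXPECTED_BOOT_ROM" | awk -F= -v m="$model" '$1 == m { print $2 }')
  if [ -z "$want" ]; then
    echo unknown-model
  elif [ "$rom" = "$want" ]; then
    echo current
  else
    echo stale
  fi
}

# On a Mac, inspect the real machine; elsewhere fall back to the sample so the
# logic can be exercised offline.
if command -v system_profiler >/dev/null 2>&1; then
  line=$(system_profiler SPHardwareDataType | parse_profile)
else
  line=$(printf '%s\n' "$SAMPLE_PROFILE" | parse_profile)
fi
set -- $line
echo "model=$1 bootrom=$2 status=$(efi_status "$1" "$2")"
```

A "stale" result for a model that Apple does still support means the last OS or security update did not bring the firmware along, which is exactly the gap the researchers describe. On High Sierra, Apple's own firmware integrity check can be run by hand with `/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check`; that is the check Apple's statement says runs automatically each week.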
"Overall, our intent is to highlight the importance of ensuring the security of all components of the systems in your technology environment, and this includes your pre-boot firmware, OS and application software," Smith and Bruienne said. "The data we gathered led us to some surprising conclusions in terms of the divergence in the security support being provided to EFI firmware when compared to software security support."
Apple responded to Duo's research with the following statement emailed to media outlets, "We appreciate Duo's work on this industry-wide issue and noting Apple's leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we're always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly."