Thousands of Mac computers are still vulnerable to EFI hacks

Greg S

Apple is generally known for keeping its operating systems secure, but there is one area that Cupertino seems to have put on the back burner. Security firm Duo presented research at the Ekoparty security conference showing that between one third and one half of Mac computers may be running outdated EFI firmware, leaving them open to firmware modifications that grant completely silent, persistent access to the machine.

Replacing the legacy BIOS, the Extensible Firmware Interface (EFI) is the firmware that initializes a Mac's hardware and hands control to the operating system. Duo found that although regular operating system updates were being applied, the EFI update bundled with them often failed to install, leaving vulnerable EFI code in place and giving the user no notice of the failure. Worse yet, for many models no EFI patches were issued at all.

The worst offender for failed EFI updates is the late 2015 21.5" iMac, where 43% of sampled machines were on the wrong firmware. Three different configurations of the 2016 MacBook Pro also had outdated or incorrect EFI versions in one quarter to one third of samples. To check whether a Mac is affected, Duo is releasing an open source tool on its GitHub repository.

Duo performs this research with benign intent, but other groups can use custom EFI code for malicious purposes. Both the NSA and the CIA have been shown to use EFI implants, most recently in the CIA tooling described in WikiLeaks' Vault 7 release, so EFI has been actively exploited for a variety of purposes.

A major concern with EFI and other firmware implants is that traditional antivirus software, which runs inside the operating system, cannot detect them. Even formatting or replacing the hard drive will not remove them, because EFI code lives in a flash chip on the logic board, outside the storage that a reinstall touches. For now, users should keep the operating system up to date and verify that Apple's EFI updates have actually been applied.
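
Verifying that an EFI update was actually applied comes down to comparing the firmware version the machine reports with the version Apple ships for that model. The script below is an added example, not Duo's tool and not code from this article: it parses the Model Identifier and Boot ROM Version fields that `system_profiler SPHardwareDataType` prints on macOS, looks the model up in a table of expected Boot ROM versions, and reports whether the machine is current, older than expected, or newer than the table knows about. The sample inventory text and the version table are constructed placeholders, not Apple's real firmware versions; the table must be filled from Apple's published EFI/Boot ROM list before the result means anything.

```shell
#!/bin/sh
# Added example: check a Mac's reported Boot ROM (EFI) version against a table
# of expected versions. The sample inventory and the table below are constructed
# placeholders, not Apple's real firmware versions.

# Constructed sample of `system_profiler SPHardwareDataType` output (assumed layout).
SAMPLE_HW='Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac16,2
      Boot ROM Version: IM162.0105.B08
      SMC Version (system): 2.31f46'

# Expected Boot ROM version per Model Identifier, one "model:version" per line.
# Placeholder values: fill from Apple's published list before relying on this.
EXPECTED='iMac16,2:IM162.0105.B10
MacBookPro13,1:MBP131.0205.B22'

# get_field NAME TEXT: print the value of the first "NAME: value" line in TEXT.
get_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}

# expected_version MODEL: print the expected Boot ROM version, or nothing.
expected_version() {
    printf '%s\n' "$EXPECTED" | awk -F: -v m="$1" '$1 == m { print $2; exit }'
}

# version_cmp A B: print lt, eq or gt. Boot ROM strings look like PREFIX.NNNN.BNN;
# the numeric middle field is compared first, then the build number with its
# letter stripped. Prefixes are not compared, so only compare same-model strings.
version_cmp() {
    a_mid=$(printf '%s' "$1" | cut -d. -f2); b_mid=$(printf '%s' "$2" | cut -d. -f2)
    a_bld=$(printf '%s' "$1" | cut -d. -f3 | sed 's/^[A-Za-z]*//')
    b_bld=$(printf '%s' "$2" | cut -d. -f3 | sed 's/^[A-Za-z]*//')
    a_mid=${a_mid:-0}; b_mid=${b_mid:-0}; a_bld=${a_bld:-0}; b_bld=${b_bld:-0}
    if   [ "$a_mid" -lt "$b_mid" ]; then echo lt
    elif [ "$a_mid" -gt "$b_mid" ]; then echo gt
    elif [ "$a_bld" -lt "$b_bld" ]; then echo lt
    elif [ "$a_bld" -gt "$b_bld" ]; then echo gt
    else echo eq
    fi
}

# efi_verdict TEXT: print OK, OUTDATED, UNEXPECTED (newer than the table) or UNKNOWN.
efi_verdict() {
    model=$(get_field "Model Identifier" "$1")
    rom=$(get_field "Boot ROM Version" "$1")
    if [ -z "$model" ] || [ -z "$rom" ]; then echo UNKNOWN; return 0; fi
    want=$(expected_version "$model")
    if [ -z "$want" ]; then echo UNKNOWN; return 0; fi
    case $(version_cmp "$rom" "$want") in
        eq) echo OK ;;
        lt) echo OUTDATED ;;
        gt) echo UNEXPECTED ;;
    esac
}

# check_efi TEXT: print a one-line report; exit 0 only when the firmware matches.
check_efi() {
    verdict=$(efi_verdict "$1")
    echo "$verdict: model=$(get_field "Model Identifier" "$1") boot_rom=$(get_field "Boot ROM Version" "$1")"
    case $verdict in
        OK) return 0 ;;
        OUTDATED) return 1 ;;
        *) return 2 ;;
    esac
}

# On a Mac, inspect the live inventory; elsewhere fall back to the constructed sample.
if command -v system_profiler >/dev/null 2>&1; then
    check_efi "$(system_profiler SPHardwareDataType 2>/dev/null)" || :
else
    check_efi "$SAMPLE_HW" || :
fi
```

A version newer than the table is reported as UNEXPECTED rather than OK on purpose: a mismatch in either direction means the machine is not running the firmware you think it is, and a stale table and a tampered chip look the same from inside the operating system. A firmware that passes this check can still be modified in ways that keep the version string, so the comparison is a first filter, not proof of integrity.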


 
I can still remember the scorn from so many Mac users proclaiming no Mac could get a virus or be hacked ..... oh the memories .......
Security by obscurity is just as bad as ignorance and blind faith. Systems are still being taken down by spear phishing email to ill informed users - - ON ALL PLATFORMS :sigh:
 
Gee. I'm beside myself with worry now. I wonder if my Apple IIe that's been packed away in storage for about 30 years now is also vulnerable...
 
As far as I know, this attack can only take place with physical access to the Mac in question. If the attacker has that level of access, isn't it pretty much "game over" anyway?

This attack seems to be about breaking through the protection offered by a password-protected Mac that normally can't be made to boot at all, and in the process installing a firmware-based rootkit that can do what all rootkits can do (only this one is persistent; even if the HDD/SSD is replaced, the exploit is still there).

If the Mac is not password-protected, then presumably you can simply boot from a USB device and install the rootkit the old-fashioned way. As such, this exploit seems to be about being able to bypass the firmware password that otherwise locks the device and prevents booting from any device or flashing the firmware.

I never really considered firmware password protection to be all that strong. Maybe it's different on the Mac side of the fence (I've only used PCs, and only BIOS-based laptops and self-built desktops at that), but I've always thought that these things were more akin to a door lock... a minor deterrence effective only against casual attackers who would just as soon find a lower-hanging piece of fruit. If you've got someone who wants access to your specific machine, and they have physical access, then you're in trouble anyway.

I don't know that any of my PCs would be able to protect against having a compromised firmware flashed or a software-based rootkit installed. I'd be more interested in detection methods that would allow a tampered firmware to be detected.
 
As far as I know, this attack can only take place with physical access to the Mac in question. If the attacker has that level of access, isn't it pretty much "game over" anyway?
Good point.

btw:
I don't know that any of my PCs would be able to protect against having a compromised firmware flashed or a software-based rootkit installed. I'd be more interested in detection methods that would allow a tampered firmware to be detected.
The sole protection is to download the file and scan it with AV before it's installed.

There's also the problem (of a different sort) of protecting the GPU from malicious code and there's no known solution to date.