Thousands of Macs around the world may be vulnerable to devastating firmware attacks that would be nearly impossible to detect or stop, researchers from Ann Arbor, Michigan-based Duo Security disclosed today (Sept. 29).
Even worse, Duo’s researchers believe the problem isn’t limited to Macs, but that potentially millions of Windows and Linux PCs are vulnerable as well. Their users may never know.
The issue lies with the Extensible Firmware Interface (EFI), the low-level operating system that has replaced the better-known BIOS system on most modern motherboards. (It’s often called UEFI on PCs.) EFI boots a computer into a higher OS such as Windows, macOS or Linux. All Intel-based Macs use UEFI/EFI, as do all Windows PCs that shipped running Windows 8, 8.1 or 10.
“Users and admins are often blind to the fact that their system’s EFI may continue to be vulnerable,” said the Duo team in a blog posting. “The main issues we have discovered are generally relevant across all vendors tasked with securing EFI firmware and are not solely Apple.”
Fortunately, most average users are not at risk from such attacks. But there are some Macs don’t seem to be able to update their firmware, and any business or high-risk user of those specific models should consider junking them and buying new machines.
Several EFI exploits have cropped up in the past few years, the best-known of which was the Thunderstrike attack on Macs in late 2014.
Because EFI lies at the very lowest level, regular system-protection software, such as antivirus software, often can’t detect alterations to EFI. A hacked EFI would grant access to potentially all of a higher-level operating system’s processes and let the hacker do anything on the machine.
Most users don’t patch UEFI/EFI, leaving many systems open to known EFI attacks. Duo Security researchers Rich Smith and Pepijn Bruienne analyzed more than 73.000 Macs, presumably mostly in enterprise environments, and found that 4.2 percent were running EFI builds that were either outdated or made for other models.
(It’s not that Macs are more susceptible to UEFI/EFI attacks. The Duo team chose to study Macs because, with a small number of variant hardware models, operating systems and EFI builds, the Mac data set was more manageable than the nearly infinite possible combinations of motherboards, manufacturers, architectures and UEFI builds you’d get with regular PCs.)
One Apple model, the late-2015 21-inch iMac, had a 43 percent incorrect-EFI rate, the Duo researchers found. Sixteen Mac models, mostly built before 2010, had never received EFI updates.
Anyone using those older models in business or high-risk environments, who face attack from highly motivated or sophisticated attacks, should junk those models and get newer Macs, the Duo researchers said.
However, regular home users needn’t worry; EFI attacks take a lot of work to pull off, and most casual online criminals presumably won’t bother.
Smith and Bruienne were scheduled to present their research at the Ekoparty hacking conference in Buenos Aires today. They’ve posted a 63-page research paper on the Duo website.
What Mac users can do
Alas, a tool the Duo duo created to let you check whether your Mac is running incorrect EFI was taken down earlier today after a bug was discovered. The tool should be available at this Github link sometime over the weekend.
You can also check the firmware-update page on Apple’s website, which shows you how to check your EFI model and provides manual updates and instructions for any Macs with out-of-date firmware.
Because Apple has been bundling EFI updates with OS X/macOS updates since OS X 10.11 El Capitan was released in late 2015, your best bet might be to update your Mac to the newest operating system that will run on your Mac.
“Even though OS X 10.11 (El Capitan) and 10.10 (Yosemite) still receive security updates from Apple,” the Duo blog post said, “the EFI firmware updates they receive appear to be lagging behind or are absent entirely.”
However, certain Macs are more vulnerable than others. As indicated above, the late-2015 21-inch iMac (iMac model 16,2 in Apple-speak) had a huge incorrect-EFI rate that the Duo team couldn’t explain. (It could be that IT staffers just hadn’t implemented OS updates.)
All of the late-2016 MacBook Pro line had incorrect rates of between 25 and 35 percent. Fortunately, all of those can be updated to the latest macOS, 10.13 High Sierra.
As for the 16 models that had never received an EFI update, that might be because none of the models in the sample set had been upgraded to El Capitan.
Whatever the reason, those “orphaned” models were:
iMacs manufactured through late 2009: iMac7,1; iMac8,1; iMac9,1; iMac10,1
MacBooks manufactured through late 2009: MacBook5,1; MacBook5,2
MacbookAirs manufactured through late 2009: MacBookAir2,1
MacBookPros manufactured through mid-2009: MacBookPro3,1; MacBookPro4,1; MacBookPro5,1; MacBookPro5,2; MacBookPro5,3; MacBookPro5,4
Mac Pros manufactured through mid-2012: MacPro3,1; MacPro4,1; MacPro5,1
Some of those models should be able to update to macOS 10.12 Sierra. For the rest, the Duo blog post advises that business users might want to throw out the machines, or at least take them off the company network.
Individuals who might be targets of nation-state attacks, such as political dissidents or journalists in repressive countries, should also avoid these machines. But ordinary home users needn’t worry.
“If you’re a home user with a Mac that falls into one of the above categories as their personal computing device, then the sky isn’t falling for you,” Smith and Bruienne write. “Attacks against EFI have so far been part of the toolkit used by sophisticated adversaries who have specific high-value targets in their sights.”
“Most everyday home users fall well outside of this attack model,” they added. “As far as we are aware, there are not any EFI exploits that are being used as part of commodity exploit kits, malware, or ransomware that has been detected in the wild.”
What Windows and Linux users can do
This is not just a Mac problem. It’s a problem all personal computers face. Unfortunately, it can be difficult and sometimes risky to update a motherboard’s EFI on Windows PCs.
The first thing you’ll need to do is find out who made your motherboard. You can simply open up a desktop’s case to find this out. For laptops, check the PC maker’s website for your model’s detailed specifications.
Or you can open up a command-prompt window and type in “wmic baseboard get product,Manufacturer,version,serialnumber”. Write down the result.
You can find out additional information by typing “dxdiag” into the Start menu or Search field and hitting Enter. That should bring up the DirectX Diagnostic Tool, the first tab of which should display your computer’s maker and model (but not motherboard maker and model) and BIOS/UEFI date of creation and version number. Write those down too.
Next, reboot your PC and watch the boot screens. There should be a key command indicated that lets you access the BIOS/UEFi menu — it’s often Delete or F12. Press that button and enter the BIOS menu. (If Windows boots normally, try this again or follow our guide on how to access the BIOS menu from Windows 10.)
Check the BIOS version and see if an update option is available — some newer motherboards let you update the UEFI straight from the BIOS menu. If so, run the update, let it finish and then let the computer boot normally.
If that option is not available, then go to the website of the company that made your computer. (If you or someone else built the computer from scratch, go to the website of the company that made the motherboard.) Look for motherboard BIOS updates. You could also just Google your PC’s make and model along with “motherboard bios update.”
If you find that your PC’s BIOS/UEFI is way out of date (as we did), then you should consider updating it. Read the instructions on the website carefully.
Some computer and motherboard makers provide handy downloadable Windows and/or Linux utilities that will do the heavy lifting and install the new UEFI during a reboot. If so, that’s great. Run the utilities.
If you’ve got a older PC, though, you may have to download a file to your hard drive and then copy it to a USB drive. Reboot your PC, access the BIOS menu and see if there’s an option to install an update from a USB drive. (If there’s an option to back up the older BIOS to the drive before you begin the update process, do so.)
If your BIOS doesn’t “see” the USB drive, you may have to create a bootable USB drive or CD. Google around for how to do that. Then copy the BIOS-update file to the USB drive and boot from that.