Analysis of more than 73,000 Macs showed that some 4.2% of them were running the wrong firmware, leaving them vulnerable to attacks like Thunderstrike. For one model, the percentage was a staggering 43%.
Firmware exploits are among the most dangerous, because they potentially give an attacker complete control of a machine, are not detected by macOS security scans and remain in place even if you format or replace a drive and do a fresh install of macOS …
Thunderstrike was demonstrated in 2014. It showed how an attacker with physical access could rewrite a Mac's boot firmware by plugging in a Thunderbolt device whose Option ROM is executed during boot. Once the compromised firmware is installed, a normal Apple firmware update cannot remove it, because the attacker's code replaces Apple's RSA public key in the boot ROM with the attacker's own; only updates signed by the attacker are accepted from then on, and recovery requires reflashing the chip with hardware.
Security updates released since then should protect Macs against Thunderstrike and related attacks, but the study showed that these updates are not always being applied, and the reason is unclear. ArsTechnica reports that while only a small number of machines were still vulnerable to Thunderstrike itself, they could be at risk from similar attacks, and it is worrying that many others were running the wrong firmware without any apparent explanation.
On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. 47 Mac models remained vulnerable to the original Thunderstrike and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version.
Duo Security said in a white paper published today that its data indicates 16 separate Mac models, spanning the complete range from MacBook Air to Mac Pro, have received no EFI firmware updates at all.
The firm advises Mac owners to ensure that they are running macOS 10.12.6, as this should include the latest firmware. It will shortly release a small app that will check your firmware and advise whether or not it is up to date.
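The check Duo describes amounts to reading the firmware version the Mac reports and comparing it with the version expected for that model. The script below is an added example, not Duo's tool or Apple's own weekly check. It parses the output of the real `system_profiler SPHardwareDataType` command (a constructed sample is embedded so it runs offline), splits Apple's pre-T2 EFI version strings of the form `IM171.0105.B08` into family, revision and build, and distinguishes an old build from firmware belonging to a different board family. The `EXPECTED_EFI` table and its version strings are assumptions for illustration and must be replaced with values from a source you trust.

```python
"""Check a Mac's reported EFI (Boot ROM) version against the version expected
for its model.

Added example, not Duo's EFIgy tool or Apple's own firmware validation.
The EXPECTED_EFI table is a constructed placeholder: replace it with values
from a trusted source before relying on the result.
"""
import re
import subprocess
from typing import Optional, Tuple

# Pre-T2 Apple EFI version strings look like "IM171.0105.B08": a board family
# code, a four-digit firmware revision and a two-digit build number.
EFI_VERSION_RE = re.compile(r"^([A-Z]+\d+)\.(\d{4})\.B(\d{2})$")

# ASSUMED values for illustration only; not taken from Apple or Duo.
EXPECTED_EFI = {
    "iMac17,1": "IM171.0105.B08",
    "MacBookPro13,1": "MBP131.0205.B21",
}

# Constructed sample of `system_profiler SPHardwareDataType` output.
SAMPLE_PROFILE = """Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac17,1
      Processor Name: Intel Core i5
      Boot ROM Version: IM171.0105.B08
      SMC Version (system): 2.34f2
"""


def parse_hardware_profile(text: str) -> dict:
    """Pull the model identifier and Boot ROM version out of system_profiler text."""
    fields = {}
    for key, name in (("Model Identifier", "model"), ("Boot ROM Version", "boot_rom")):
        m = re.search(r"^\s*%s:\s*(\S+)\s*$" % re.escape(key), text, re.MULTILINE)
        if m:
            fields[name] = m.group(1)
    return fields


def parse_efi_version(version: str) -> Optional[Tuple[str, int, int]]:
    """Split 'IM171.0105.B08' into ('IM171', 105, 8); None if the format is unknown."""
    m = EFI_VERSION_RE.match(version)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def compare_efi(actual: str, expected: str) -> str:
    """Classify the reported firmware relative to the expected version.

    'mismatch' means the firmware belongs to a different board family, i.e.
    the 'wrong firmware' case, as opposed to merely an old build.
    """
    a, e = parse_efi_version(actual), parse_efi_version(expected)
    if a is None or e is None:
        return "unparseable"
    if a[0] != e[0]:
        return "mismatch"
    if a[1:] == e[1:]:
        return "current"
    return "outdated" if a[1:] < e[1:] else "newer"


def check_mac(profile_text: str, expected_table: dict = EXPECTED_EFI) -> Tuple[str, str]:
    """Return (status, detail) for the machine described by profile_text."""
    fields = parse_hardware_profile(profile_text)
    model, boot_rom = fields.get("model"), fields.get("boot_rom")
    if not model or not boot_rom:
        return "unknown", "could not read model identifier or Boot ROM version"
    expected = expected_table.get(model)
    if expected is None:
        return "unknown_model", "no expected EFI version on record for %s" % model
    status = compare_efi(boot_rom, expected)
    return status, "%s reports %s, expected %s" % (model, boot_rom, expected)


def check_this_mac() -> Tuple[str, str]:
    """Run system_profiler on the local machine (macOS only) and check it."""
    out = subprocess.run(["system_profiler", "SPHardwareDataType"],
                         capture_output=True, text=True, check=True).stdout
    return check_mac(out)


if __name__ == "__main__":
    print(check_this_mac())
```

A check of this kind, including Duo's, only finds updates that were never applied. Firmware that has already been replaced by an attacker can report any version string it likes, so a "current" result is not evidence that the boot ROM is clean.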
Duo does, though, emphasize in a blog post that home users are unlikely to be at risk, as firmware attacks are generally individually targeted.
If you’re a home user with a Mac that falls into one of the above categories as your personal computing device, then the sky isn’t falling for you, in our opinion. Attacks against EFI have so far been part of the toolkit used by sophisticated adversaries who have specific high value targets in their sights. Such adversaries are often spoken about in the same breath as nation state attacks and industrial espionage.
Most everyday home users fall well outside of this attack model, and thankfully, as far as we are aware, there are not any EFI exploits that are being used as part of commodity exploit kits, malware, or ransomware that has been detected in the wild.
It’s mostly a concern to businesses and government agencies.
In a statement to ArsTechnica, Apple said that it was grateful for the research, and noted that High Sierra makes automatic weekly checks that firmware is up to date.
We appreciate Duo’s work on this industry-wide issue and noting Apple’s leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.
Duo noted that Windows machines are likely more vulnerable than Macs, because it is almost impossible to establish what the correct firmware version for any given PC should be.
Whereas Apple alone supplies the motherboards that go into Macs, a large number of manufacturers supply motherboards for Windows and Linux machines, each shipping vastly different families of firmware.
Duo studied Macs precisely because each model should have a known firmware version. Takeaway: update your Mac to the latest software version as soon as possible.