Apple’s Mac computers, once considered the king of computer security, have fallen prey to numerous strains of malware over the past few years. Now, a troubling report from Duo Security details a host of new problems that certain Mac owners will have to endure.
The report brings to light the fact that millions of Mac computers aren’t receiving any critical firmware updates — and it isn’t because of user error. Duo Security explains the two reasons why this is happening:
- The firmware update fails but the user is not notified in any way
- Apple stopped offering older computers firmware updates without notice
Here’s why you should be concerned about your Mac not receiving critical updates, how to tell if your computer is affected, and what you can do about it.
Duo Security discovered the problem after investigating tens of thousands of computers to measure the state of Apple's extensible firmware interface, or EFI. The EFI is firmware that runs before the operating system on your Mac boots up and, if controlled by a malicious agent, has the power to corrupt every part of your computer.
According to Andy Greenberg from Wired, the security firm found that Macs with even the most up-to-date operating system still had old EFI code:
“For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.”
Users who have kept up their system’s security with best practices would still be blind to the issues due to Apple’s apparent oversight.
What exactly can an attacker do if they gain control of a computer’s EFI? Greenberg explains that an attacker can plant malware outside of a computer’s operating system, meaning an antivirus scan won’t detect it and wiping an entire storage drive won’t remove it.
This is concerning since 4.2% of Macs Duo Security tested had an outdated EFI version. What’s even stranger is that Apple is fully aware of EFI hacking methods: they’ve created four patches to address them, yet they didn’t push the firmware patches out to older versions of Macs.
Thomas Reed, the head of Apple research at security firm MalwareBytes, explained: “That’s a big danger. It’s not good to see these machines being left with vulnerable firmware versions. There’s the potential for these computers to be exploited by malware that checks your EFI, and if it's vulnerable, hacks it to get something persistently installed.”
What You Can Do
As Switchfast Engineer Tait Shrum put it:
“This is one of those areas of computers that can be pretty confusing. It’s kind of like telling someone, ‘Hey, you need to tear down all your sheetrock in your house because there might be an issue with the studs in the walls.’ EFI or system firmware is one of those invisible things that almost no one thinks about.”
So what should be your first step? Update your Mac to High Sierra if possible. The latest Apple OS scans for EFI corruption weekly and will alert you if anything out of the ordinary is detected. (Note: Don’t update if using Datto Backup, as it isn’t compatible with High Sierra.)
For those who are unable to update to High Sierra, don’t panic. Rich Smith and Pepijn Bruienne of Duo Security say:
“If you are a home user with a Mac that falls into one of the above categories as your personal computing device, then the sky isn’t falling for you, in our opinion. Attacks against EFI have so far been part of the toolkit used by sophisticated adversaries who have specific high-value targets in their sights. Such adversaries are often spoken about in the same breath as nation-state attacks and industrial espionage.”
The main message here is that the majority of Mac users aren’t going to be attacked due to their Mac’s missing EFI updates — at least for now. Attacks that focus on EFI are more complicated than other common attacks. Hackers will stick with the usual methods until they come across a cheaper means to attack the EFI.
Duo Security emphasizes that continuing to use your current system likely won’t result in a severe increase in risk due to the very nature of EFI attacks themselves. They aren’t saying that there is zero risk; there are a variety of scenarios where your system’s vulnerability to an EFI security issue could be used against a home user. However, for most people in most situations, the risk is currently not severe.
Thankfully, there is a way to find out if your Mac has received critical firmware updates. Duo Security released an open source tool that lets you check your Mac's firmware version for vulnerabilities. The tool can be found here. The tool is rather complicated, so we recommend reaching out to your IT team for assistance. If you don’t have an IT team to help you, use this guide to manually update your Mac’s firmware.
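The core of such a check is simple: read the Boot ROM (EFI) version and model identifier that macOS reports and compare them against the latest firmware known for that model. The script below is an added illustration, not Duo Security's tool or Apple's code; the sample `system_profiler` output and the expected-version table are constructed placeholders, so substitute the real reference versions for your models before relying on it.

```python
import re
import subprocess

# Constructed sample of `system_profiler SPHardwareDataType` output (not from a real machine).
SAMPLE_PROFILE = """Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,1
      Processor Name: Intel Core i5
      Boot ROM Version: MBP111.0138.B17
      SMC Version (system): 2.16f68
"""

# Placeholder "latest known" Boot ROM version per model identifier. These values are
# constructed for illustration; a real check needs Apple's current firmware versions.
EXPECTED_BOOT_ROM = {
    "MacBookPro11,1": "MBP111.0142.B00",
}

def parse_hardware_profile(text):
    """Return (model_identifier, boot_rom_version) from system_profiler text."""
    model = re.search(r"Model Identifier:\s*(\S+)", text)
    rom = re.search(r"Boot ROM Version:\s*(\S+)", text)
    if not model or not rom:
        raise ValueError("could not find Model Identifier or Boot ROM Version")
    return model.group(1), rom.group(1)

def rom_version_key(version):
    """Split 'MBP111.0138.B17' into comparable parts: ('MBP111', 138, 'B', 17)."""
    m = re.fullmatch(r"([A-Z]+\d+)\.(\d+)\.([A-Z])(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Boot ROM version format: {version}")
    board, build, phase, rev = m.groups()
    return board, int(build), phase, int(rev)

def firmware_status(model, installed):
    """'current', 'outdated', 'mismatch' (board prefix differs) or 'unknown' (no reference)."""
    expected = EXPECTED_BOOT_ROM.get(model)
    if expected is None:
        return "unknown"
    have, want = rom_version_key(installed), rom_version_key(expected)
    if have[0] != want[0]:
        return "mismatch"  # firmware family does not match the model: investigate
    return "current" if have >= want else "outdated"

def check_local_mac():
    """Run system_profiler on this Mac and classify its firmware (macOS only)."""
    out = subprocess.run(["system_profiler", "SPHardwareDataType"],
                         capture_output=True, text=True, check=True).stdout
    return firmware_status(*parse_hardware_profile(out))
```

An "outdated" result means the machine's EFI has not kept pace with the reference version for its model, which is exactly the condition the Duo report describes; "mismatch" or "unknown" means the reference table needs attention before any conclusion is drawn.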
Cybercriminals are always looking for new ways to access our computers. While many might not have the capabilities to access Mac firmware, it’s only a matter of time before someone makes the process easier to complete. The lesson? We need to begin looking in every corner of our computers for vulnerabilities and hold manufacturers accountable for flaws. Cybercrime will always continue to evolve and security needs to evolve as well.
Written by Nik Vargas