EFI Firmware Hacks
"Always keep your operating system and software up-to-date."
This is one of the most common and most important pieces of advice that every security expert urges you to follow to protect yourself from major cyber attacks.
However, even if you install every damn software update that lands on your system, there is a good chance that your computer remains outdated and vulnerable.
Researchers from security firm Duo Labs analysed over 73,000 Mac systems and discovered that a surprising number of Apple Mac computers either fail to install patches for EFI firmware vulnerabilities or don't receive any update at all.
Apple's Mac computers use the Intel-designed Extensible Firmware Interface (EFI), which works at a lower level than the computer's OS and any hypervisors, and controls the boot process.
EFI runs before macOS boots and has higher privileges than the OS; if attackers exploit it, EFI malware can control everything on the machine without being detected.
"In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove—installing a new OS or even replacing the hard disk entirely is not enough to dislodge them," Duo researchers say.
What's worse, in addition to neglecting to push out EFI updates to some systems, Apple does not even warn users when an EFI update fails or hits a technical glitch, leaving millions of Mac users vulnerable to sophisticated, persistent cyber attacks.
On average, Duo said, 4.2% of the 73,324 real-world Macs used in enterprise environments were running an EFI firmware version other than the one they should have been running, as determined by the hardware model, the operating system version, and the EFI version released with that OS.
The numbers for some specific Mac models are even more surprising: 43% of the analysed iMac models (21.5-inch, late 2015) were running outdated, insecure firmware, and at least 16 Mac models had never received any EFI firmware update while Mac OS X 10.10 and 10.12.6 were available.
"For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates," Duo researchers say.
"Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version."
Duo also found 47 models running macOS versions 10.12, 10.11 and 10.10 that did not receive the EFI firmware update patching the known vulnerability Thunderstrike 1, while 31 models did not get the EFI firmware patch addressing the remote version of the same flaw, Thunderstrike 2.
The Thunderstrike attacks, initially developed by the National Security Agency (NSA), were also exposed in the WikiLeaks Vault 7 data dumps, which also mentioned that the attack relies on outdated firmware.
More details on the vulnerable Mac models can be found in the Duo Labs research report.
According to the researchers, their research focused on the Mac ecosystem because Apple is in the somewhat unique position of controlling the full stack, but their findings apply more widely.
"However, we are of the belief that the main issues we have discovered are generally relevant across all vendors tasked with securing EFI firmware and are not solely Apple," the researchers said.
Enterprises with a large number of Mac computers should check their models against those outlined in the Duo Labs whitepaper, "The Apple of Your EFI: Findings From an Empirical Study of EFI Security," to see if their firmware is out of date.
Mac users and administrators can also check whether they are running the latest EFI version for their systems using EFIgy, a free open-source tool that the company says it will soon make available.
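The check that Duo's study describes, comparing the Boot ROM version a Mac is actually running with the one expected for its model and macOS release, as an added example that is not code from the article or from Duo's EFIgy tool. The expected-version table and the sample report are constructed placeholders, and the code assumes that Apple Boot ROM strings of that era follow a BOARD.BUILD.Bxx pattern and that `system_profiler SPHardwareDataType` and `sw_vers -productVersion` are the commands that report model, Boot ROM and OS version on a Mac.

```python
import re

# CONSTRUCTED placeholder table, not Apple's real release data:
# (Model Identifier, macOS version) -> Boot ROM version shipped with that OS.
EXPECTED_EFI = {
    ("iMac16,2", "10.12.6"): "IM162.0200.B10",
    ("MacBookPro11,4", "10.12.6"): "MBP114.0180.B05",
}

# CONSTRUCTED sample of `system_profiler SPHardwareDataType` output (assumed command).
SAMPLE_REPORT = """Hardware:
    Hardware Overview:
      Model Identifier: iMac16,2
      Boot ROM Version: IM162.0105.B08
"""

# Assumption: Boot ROM strings of that era look like BOARD.BUILD.Bxx (e.g. IM171.0105.B08).
_ROM_RE = re.compile(r"^(?P<board>[A-Z]+\d+)\.(?P<build>\d+)\.B(?P<rev>\d+)$")

def parse_efi_version(version):
    """Split a Boot ROM string into (board, build, revision) so versions compare numerically."""
    m = _ROM_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Boot ROM version: {version!r}")
    return m.group("board"), int(m.group("build")), int(m.group("rev"))

def parse_hardware_report(text):
    """Extract Model Identifier and Boot ROM Version from system_profiler output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {"model": fields.get("Model Identifier"), "boot_rom": fields.get("Boot ROM Version")}

def efi_status(model, os_version, running):
    """Classify the running firmware against the version expected for this model + OS."""
    expected = EXPECTED_EFI.get((model, os_version))
    if expected is None:
        return "unknown"          # pair not in the table: cannot judge, flag for review
    exp_board, exp_build, exp_rev = parse_efi_version(expected)
    run_board, run_build, run_rev = parse_efi_version(running)
    if run_board != exp_board:
        return "board-mismatch"   # firmware built for a different board: investigate
    if (run_build, run_rev) < (exp_build, exp_rev):
        return "outdated"         # the case the Duo study counted
    return "current" if (run_build, run_rev) == (exp_build, exp_rev) else "newer"
```

On a real Mac, feed the output of the two assumed commands to parse_hardware_report() and efi_status() in place of the constructed sample; an "unknown" or "board-mismatch" result is a prompt to investigate, not a pass.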