Critical Code in Millions of Macs Isn't Getting Apple's Updates

Researchers dug into the deep-seated, arcane code in Apple machines known as EFI, and found it's often dangerously neglected.

As any nagging cybersecurity expert will tell you, keeping your software up-to-date is the brushing and flossing of digital security. But even the most meticulous practitioners of digital hygiene generally focus on maintaining the updates of their computer's operating system and applications, not its firmware. That obscure, reptile-brain code controls everything from a PC's webcam to its trackpad to how it finds the rest of its software as it boots up. Now one new study has found that the most critical elements of millions of Macs' firmware aren't getting updates. And that's not because lazy users have neglected to install them, but because Apple's firmware updates frequently fail without any notice to the user, or simply because Apple silently stopped offering those computers firmware updates---in some cases even against known hacking techniques.

At today's Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple's so-called extensible firmware interface, or EFI. This is the firmware that runs before your PC's operating system boots and has the potential to corrupt practically everything else that happens on your machine. Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple's neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails.

For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

"There’s this mantra about keeping your system up to date: Patch, patch, patch, and if you do you’ll be running faster than the bear, you’ll be in a good state," says Rich Smith, Duo's director of research and development. "But we're seeing cases where people have done what they’d been told, installed these patches, and there were no user warnings that they were still running the wrong version of EFI ... Your software can be secure while your firmware is insecure, and you're completely blind to that."

The Code Underneath the Code

A modern computer's EFI, like BIOS in older computers, is the embryonic code that tells a computer how to launch its own operating system. That makes it an attractive, if arcane, target for hackers: Gain control of a computer's EFI---as both the NSA and CIA have demonstrated the ability to do in recent years, according to classified documentation leaked to Der Spiegel and WikiLeaks---and an attacker can plant malware that exists outside the operating system; running an antivirus scan won't detect it, and even wiping the computer's entire storage drive won't eradicate it.

So Duo set out to assess just how consistently updated the sensitive code underlying Apple's MacOS really is. (It's important to note the researchers chose Apple simply because its control of both hardware and software made it a far easier set of computers to analyze than Windows or Linux PCs, not because there's any reason to think the company is less careful with its firmware than other computer makers.) Over the last months, it painstakingly analyzed 73,000 Apple machines used by its customers and sampled from other enterprise networks. It then narrowed that collection down to around 54,000 computers new enough to be actively maintained by Apple, and it compared each computer's firmware with the version that computer ought to have given its operating system version.

The results were a surprising patchwork of missing updates: Overall, 4.2 percent of the Macs they tested had the wrong EFI version for their operating system version, suggesting they had installed a software update that somehow failed to update their EFI. For some specific models, the results were far worse: For one desktop iMac, the late 2015 21.5-inch model, the researchers found failed EFI updates in 43 percent of machines. And three versions of the 2016 MacBook Pro had the wrong EFI version for their operating system version in 25 to 35 percent of cases, suggesting they too had serious EFI update failure rates.

The Duo researchers say they couldn't determine why Macs were failing to get updates. Like operating system updates, firmware updates sometimes fail due to the sheer complexity of installation on so many diverse computers, they say. But unlike an operating system update failure, an EFI update failure doesn't trigger any alert for the user. "We don’t know why all the EFI updates aren’t taking; we know that they aren’t," says Duo's Smith. "And if it doesn’t work, the end user is never notified."
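The check Duo describes, as an added example written for this article rather than Duo's own tool: it reads the Boot ROM (EFI) version the way `system_profiler SPHardwareDataType` reports it, looks up the EFI version a model is expected to carry once a given macOS build is installed, and flags machines whose firmware lags behind. The sample profiler output, the reference table and the ordering rule for revision tags are constructed assumptions; Apple's real expected versions have to be taken from its update packages.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Constructed sample of `system_profiler SPHardwareDataType` output. The field names
# are the ones macOS prints; the values are made up for this example.
SAMPLE_PROFILER_OUTPUT = """Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro13,2
      Boot ROM Version: MBP132.0226.B20
      SMC Version (system): 2.37f20
"""

# Constructed reference table: the EFI version a model should carry once a given
# macOS build is installed. These are placeholders, not Apple's actual numbers.
EXPECTED_EFI = {
    ("MacBookPro13,2", "16G29"): "MBP132.0226.B25",
    ("iMac16,2", "16G29"): "IM162.0207.B17",
}


class EfiVersion(NamedTuple):
    family: str    # board family, e.g. MBP132
    build: int     # numeric build, e.g. 226
    revision: str  # revision tag, e.g. B25


# Boot ROM strings look like FAMILY.BUILD.REVISION, e.g. MBP132.0226.B25
EFI_RE = re.compile(r"^([A-Z]+\d+)\.(\d+)\.([A-Z0-9]+)$")


def parse_efi_version(text: str) -> Optional[EfiVersion]:
    """Split a Boot ROM version string into comparable parts; None if unrecognised."""
    m = EFI_RE.match(text.strip())
    if not m:
        return None
    return EfiVersion(m.group(1), int(m.group(2)), m.group(3))


def read_boot_rom_version(profiler_text: str) -> Optional[str]:
    """Pull the 'Boot ROM Version' field out of system_profiler output."""
    m = re.search(r"Boot ROM Version:\s*(\S+)", profiler_text)
    return m.group(1) if m else None


def efi_status(model_id: str, os_build: str, installed_text: str) -> str:
    """Classify the installed EFI against the reference for this model/OS build."""
    expected_text = EXPECTED_EFI.get((model_id, os_build))
    if expected_text is None:
        return "no-reference"          # no firmware reference for this model/build
    installed = parse_efi_version(installed_text)
    expected = parse_efi_version(expected_text)
    if installed is None or expected is None:
        return "unparseable"
    if installed.family != expected.family:
        return "family-mismatch"       # firmware from a different board family
    # Revision tags are compared lexically (B20 < B25); that ordering is an assumption.
    if (installed.build, installed.revision) < (expected.build, expected.revision):
        return "stale"                 # the silent-failure case the research describes
    return "current"


def audit(profiler_text: str, model_id: str, os_build: str) -> str:
    """End-to-end check on one machine's profiler output."""
    boot_rom = read_boot_rom_version(profiler_text)
    if boot_rom is None:
        return "no-boot-rom-field"
    return efi_status(model_id, os_build, boot_rom)


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        profiler = _run(["system_profiler", "SPHardwareDataType"])
        os_build = _run(["sw_vers", "-buildVersion"]).strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not on macOS: fall back to the constructed sample so the script still runs.
        profiler, os_build = SAMPLE_PROFILER_OUTPUT, "16G29"
    model_match = re.search(r"Model Identifier:\s*(\S+)", profiler)
    model_id = model_match.group(1) if model_match else "unknown"
    print(model_id, os_build, read_boot_rom_version(profiler),
          audit(profiler, model_id, os_build))
```

Run on a Mac it reads the live values; elsewhere it falls back to the constructed sample, which deliberately reports a Boot ROM two revisions behind the reference and so comes back "stale". The useful part is the "stale" versus "no-reference" distinction: a fleet audit like Duo's needs a reference entry for every model and OS build before a mismatch can be called a failed update rather than a gap in the table.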

Holes in Patches

Just how often those failed firmware updates would leave Macs open to actual known EFI hacking techniques isn't exactly clear---the researchers' analysis of the failed updates didn't go so far as to quantify how many of those glitches left computers vulnerable to specific attacks. But the researchers did look at how Apple patched four different EFI hacking methods presented in prior security research, and found that the company simply didn't push out firmware patches against those attacks at all for dozens of older models of Macs, even as it did update those PCs' operating systems.

For one attack known as Thunderstrike, likely used at times by the CIA to plant spyware deep inside victim computers according to recent releases from WikiLeaks, the researchers say 47 models of PC didn't receive firmware patches to prevent the attack. That may be in part due to the hardware restrictions of that Thunderstrike attack, the researchers concede, given that it requires a hacker to have physical access to the target computer's Thunderbolt port, a component many older Macs lack. But they also found that 31 models of Mac didn't receive firmware patches against another attack known as Thunderstrike 2, a more evolved EFI infection technique that could be performed remotely. (Duo has released an open source tool to check your Mac's firmware version for vulnerabilities here.)

"That’s a big danger," says Thomas Reed, the head of Apple research at security firm MalwareBytes. "It’s not good to see these machines being left with vulnerable firmware versions. There’s the potential for these computers to be exploited by malware that checks your EFI, and if it's vulnerable, hacks it to get something persistently installed."

Not Just an Apple Problem

When WIRED reached out to Apple for comment, it didn't dispute Duo's findings, which Duo shared with Apple in June. But a spokesperson did point to a feature of its new version of MacOS, High Sierra, that checks the computer's EFI weekly to ensure it hasn't been somehow corrupted. "In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly," the statement reads. "Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure."

While that High Sierra feature marks a significant improvement to Apple's EFI security, it doesn't apply to older operating systems or entirely alleviate the problem, Duo points out: The feature is designed to catch hacked EFI---not firmware that's out of date or for which an update has failed. Apple's own EFI-focused security staffer Xeno Kovah wrote in a tweet about Duo's research that he agreed with its conclusions, and that "we've got things we can do better." (He later deleted the tweet.)

Of course, Apple likely isn't especially negligent in patching its computers' EFI, compared with other computer manufacturers. In fact, the researchers warn that they weren't able to analyze the state of the EFI of Windows or Linux computers made by Dell, HP, Lenovo, Samsung, or any of a dozen other brands: Each of those computers' EFI would depend on the hardware manufacturer and thus require its own separate analysis. And that likely means the EFI of those machines is in even worse condition, given that those PC users often are asked to update their operating system separately from their firmware, with each update coming from a different source. "I suspect this problem is many times more severe on Windows than Mac," says MalwareBytes' Reed.

All of that means Duo's findings don't point to an Apple problem, or even an EFI problem, so much as a broad, serious firmware problem. "If you’re an industrial espionage target or nation-state target, you need to think about the security of firmware as much as software if you're going to build a reliable and realistic threat model," says Duo's Smith.

In other words, sophisticated hackers today have moved beyond the average user's simplified picture of a computer: applications on top of an operating system on top of hardware. Instead, they're inserting themselves into the hidden corners of a computer's architecture that exist outside that picture. And anyone hoping to keep their computer truly secure will need to start looking into those corners, too.