EFI Firmware: Not So Firm? Gillware’s Take on Apple’s Firmware Issues

Can someone take a "bite" out of your Apple EFI firmware?

Over the past two weeks, the infosec (information security) and Apple communities have been shocked by the discovery that, according to research performed by Duo Labs across roughly 73 thousand Mac systems, updates to thousands of computers’ EFI firmware were failing without any warning to their users.

Even the most recently updated Apple systems still might not have up-to-date firmware. Researchers found an average 4.2% deviation from the expected norm, where the expected deviation should have been zero or close to it. Some models of iMac were 43% likely to run an “unexpected” version. Affected users never received any notifications that their firmware updates had failed. They were blissfully unaware of the security hole in their iMac.

Neither replacing the hard drive nor reinstalling the OS can fix the firmware. There’s one bright spot for affected users, though. Since the problem does not lie on the user’s OS or hard drive/SSD, there’s little risk of losing data over this issue.

Is this security hole a “the-sky-is-falling” scenario? We don’t think we’d go so far as to say that. Should you still be concerned? Maybe—if you’re the right target for a firmware hack.

Why Are Apple Users Freaking Out Over EFI Firmware?

4.2% out of 73,000 Mac systems doesn’t sound like a whole lot to be concerned over. After all, if Duo examined a similar subset of Windows PCs, they would probably find more with outdated pre-boot firmware.

But therein lies the rub. Windows PCs are more likely to have outdated and vulnerable firmware. Microsoft has a very fragmented ecosystem with many, many various manufacturers. They cannot unilaterally issue automatic firmware patches and the like. Apple, on the other hand, has always kept its ecosystem monolithic, thus easier to control and curate.

This vulnerability represents a kind of security risk that Apple users are unaccustomed to living with. Because of Apple’s stringent automatic updates, a state of the union in which unpatched and out-of-date EFI firmware runs even this rampant on Apple systems simply should not happen. Most PCs do not have automatic updates for their BIOS. Apple does—but it hasn’t been working correctly for thousands of users.

Should Apple Users Freak Out?

Fortunately for most users, the hubbub over this issue is more about the fact that Apple made a mistake of this magnitude and less about the cybersecurity risk—which might not be so severe that we should all be running around like chickens with our heads cut off.

To understand why out-of-date EFI firmware could be a cybersecurity risk, though, as well as whether it’s a significant enough risk for you to jump to your feet and do something about immediately, it’s important to understand what exactly the EFI firmware is and what it does, as well as how bad actors can exploit outdated EFI firmware.

What Is EFI Firmware?

In Gillware’s case study blog we talk a lot about the firmware inside hard disk drives, about which very few people know. We often liken it to the “operating system” of your device, or in other, less techy words, the device’s “brain.”

Your computer’s firmware is, in essence, the operating system below your operating system. It’s the hidden and oft-invisible foundation that props up everything else. As computers become more and more complicated, the firmware does as well. Computer scientists today consider your computer’s firmware to be almost as richly complex and full-featured as the OS itself.

Apple has bundled regular EFI firmware updates in with OS updates since 2015 when a hack named “Thunderstrike” began targeting Apple machines. Thunderstrike is what is known as a “firmware rootkit,” or a hack that allows a hacker to remotely write malicious code into the boot environment. The code lives separate from the operating system and hard drive. Even replacing the HDD and reinstalling the OS cannot purge the malicious code from the firmware!

Apple’s establishment of EFI firmware updates should have safeguarded their machines against the threat of Thunderstrike and future firmware rootkit hacks. The fact that some machines have not had their firmware updated at all since Apple began shipping these updates leaves thousands of users still vulnerable.

How exactly does a rootkit like Thunderstrike compromise you, though?

It might look scary, but you have little to fear from Thunderstrike.

One Ring to Rule Them All

Your computer has different “tiers” of privilege known as rings, and as you go down these tiers, your privileges increase. Ring levels 0 through 2 comprise the “supervisor” level of the computer’s functions, while Ring 3 is the user mode, granting you the privilege and control you’d expect to have as a user.

The purpose of these rings is to separate the code run by the user from the code run by the operating system or kernel and prevent the user from trampling over important functions. In fact, lower rings can and do supersede higher rings all the time.

Your operating system lies at privilege level Ring 0. To a layperson, that sounds like the lowest tier with the highest level of authority.

It isn’t.

Below Ring 0 is Ring -1, which, if you are running a virtual machine, hosts the hypervisor that runs your VM. Below that ring is Ring -2, the EFI firmware. The firmware runs as soon as you boot up your computer and before it even shakes hands with your drive. It’s also called the “pre-boot environment.”

If the pre-boot environment becomes compromised by an outside actor, the consequences can be severe.

What Is the EFI Firmware Security Risk?

The lower you go in your system’s privilege tiers, the greater your authority—and your invisibility. Lower tiers not only supersede higher tiers, but their actions are also nigh-undetectable by those dwelling in the upper tiers as well.

In other words, if you were compromised, nobody but the firmware itself would know. A rootkit planted in Ring -2 would provide an attacker with access to an all-you-can-eat buffet of your computer. Worse, it sits outside the jurisdiction of antivirus and anti-malware software running in the upper rings.

Thunderstrike, for example, allowed a hacker to enter your system completely unbeknownst to you or any defensive tools on your computer. The rootkit alone would do very little besides providing that initial access and cloak of invisibility. However, the hacker could then take the opportunity to pump a payload into your computer.

Am I At Risk from Outdated EFI Firmware?

Generally speaking, no. Not, at least, unless you are a particular type of target.

Those most at risk to having their outdated firmware exploited are not “small fries” like individual home users, freelancers, or small business owners. In fact, if you are any of these types of people, you have no reason to worry. Rather, it is the people running large corporate IT departments and large-scale organizations who should be concerned.

If you’re running a large corporate or government computer network, the kind that might be targeted by nation-state actors or an industrial rival, you’re most vulnerable to root-level attacks. After all, your systems are important enough to be more or less well-guarded against attacks from other vantage points. If you’re a home user, on the other hand, you tend to be more vulnerable to higher-level exploits.

Firmware exploits like Thunderstrike are big lures. They’re extremely hard to pull off, and are only of use when a system is well-guarded on every other level. Thus, they’re only used as tools of last resort to go after “big fish.”

Hackers have plenty of other, smaller, easier-to-use tools to get their grubby little hands on your computer or network. Unless you’re very high on the societal ladder, you likely have little fear of falling victim to a firmware exploit. After all, your PC-using friends are just as likely—if not more—to have outdated firmware on their machines!

How Do I Update My Mac’s EFI Firmware?

That said, if you use a Mac machine that could be affected, it behooves you to at least check. Duo Labs, which conducted the research exposing this issue, has provided a tool on GitHub allowing users to quickly and easily check on the state of their Mac’s firmware, cleverly named EFIgy.

If your iMac or MacBook hasn’t been successfully updating its EFI firmware, you can still try to apply a manual OS update to the latest version of OS 10.12.6, which will include an update to the latest firmware version. If you cannot update because of hardware or software incompatibility, or if for one reason or another you can’t get to the latest firmware, it’s time to consider whether or not you should keep your Mac.
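A defender-side check of the kind EFIgy automates, written here as an added example (it is neither Duo’s tool nor Gillware’s code): it parses the output of `system_profiler SPHardwareDataType`, the macOS command that reports a Mac’s EFI (“Boot ROM”) version, compares that version with an expected-build table, and computes the per-model deviation figure the study reports. The sample report and the expected-build table are constructed placeholders, not real Apple firmware versions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of `system_profiler SPHardwareDataType` output, the macOS
# command that reports a Mac's EFI ("Boot ROM") version. Placeholder values only.
SAMPLE_REPORT = """\
Hardware:
    Hardware Overview:
      Model Identifier: MacBookPro11,1
      Boot ROM Version: MBP111.0138.B25
"""

# Hypothetical expected-firmware table: model identifier -> newest EFI build the
# current OS update should have installed. The builds are constructed placeholders.
EXPECTED_EFI: Dict[str, str] = {
    "MacBookPro11,1": "MBP111.0142.B00",
    "iMac16,2": "IM162.0133.B00",
}


def parse_hardware_report(text: str) -> Dict[str, str]:
    """Pull the model identifier and Boot ROM version out of system_profiler text."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in ("Model Identifier", "Boot ROM Version"):
            fields[key] = value.strip()
    return fields


def efi_is_current(running: str, expected: str) -> Optional[bool]:
    """Compare 'MBP111.0138.B25'-style strings: same family, then build number, then revision."""
    fam_r, build_r, rev_r = running.split(".")
    fam_e, build_e, rev_e = expected.split(".")
    if fam_r != fam_e:
        return None  # different firmware family: not comparable
    return (int(build_r), rev_r) >= (int(build_e), rev_e)


def check_host(report: str, expected: Dict[str, str]) -> Tuple[str, str, Optional[bool]]:
    """Return (model, running EFI, up_to_date); up_to_date is None when we cannot judge."""
    fields = parse_hardware_report(report)
    model, running = fields.get("Model Identifier", "?"), fields.get("Boot ROM Version", "?")
    want = expected.get(model)
    return model, running, None if want is None or running == "?" else efi_is_current(running, want)


def fleet_deviation(inventory: List[Tuple[str, str]], expected: Dict[str, str]) -> Dict[str, float]:
    """Per-model share of hosts on an older-than-expected EFI build (the study's 'deviation')."""
    counts: Dict[str, List[int]] = {}  # model -> [hosts judged, hosts stale]
    for model, running in inventory:
        status = efi_is_current(running, expected[model]) if model in expected else None
        if status is not None:  # unknown model or other family: not counted either way
            c = counts.setdefault(model, [0, 0])
            c[0] += 1
            c[1] += int(not status)
    return {m: stale / total for m, (total, stale) in counts.items()}
```

On a real fleet, `inventory` would be the (model, Boot ROM version) pairs collected from each Mac; a non-zero share for a model is exactly the silent update failure the study describes.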

Is this your MacBook? No! Your MacBook is fine.

Should I Keep My Mac?

Yes, you should. Macs are awesome. Nobody in history has ever made a hack-proof computing ecosystem (and nobody ever will) and the Apple ecosystem is better than a lot of other options in this regard.

As we’ve elaborated above, these hacks, though frightening, are challenging to pull off. They only make sense as tools for compromising high-risk, high-reward targets. As a home user or small business owner, you’re 99.999% likely to be neither of those things.

In other words, if you rely on Macs for personal or freelance use or use within your small business, you can afford to calm down about the whole thing. If you’re in a decidedly larger and more important environment, you might even want to consider replacing affected machines with newer models.

Now, of course, this situation could change in the future. Maybe some bad actor out there will come up with a way to make firmware hacks easier to exploit. Maybe the next WannaCry or NotPetya will use vulnerabilities in the pre-boot environment (but probably not). But for most users in most situations, this is nothing worth going into a tizzy over. Apple has announced its commitment to rectifying this issue as soon as possible.

Will Ascenzo

Will is the lead blogger, copywriter, and copy editor for Gillware Data Recovery and Digital Forensics, and a staunch advocate against the abuse of innocent semicolons.
