Thousands of Macs and PCs may be vulnerable to a sophisticated kind of attack

The Washington Post

An analysis of more than 70,000 Mac computers being used in businesses and organizations has revealed a firmware vulnerability that could be exploited by a determined, well-resourced attacker such as a foreign government, according to security researchers. Thousands of computers, if not more, are potentially in danger.

Although Apple devices were the focus of the study released Friday by the firm Duo Security, experts at the company say Windows-based machines are even more likely to be at risk because many different manufacturers are involved in building those types of PCs.

The flaw outlined by Duo Security researchers Rich Smith and Pepijn Bruienne concerns Apple Inc.’s Extensible Firmware Interface, or EFI, which helps computers boot up and run the main operating system. Because all subsequent hardware and software operations are dependent on the EFI, allowing hijackers to gain control of it could prove disastrous.


The investigation that led to the discovery began when Smith and Bruienne looked at how many Macs were running outdated firmware. These days, Macs are supposed to update their firmware automatically to the latest versions whenever a user also updates the main operating system, insulating them from firmware attacks. But Duo Security’s study found that 4.2% of surveyed machines were running an incorrect or unexpected version of the firmware.

In other words, some computers simply appear not to be updating their firmware when they’re supposed to.

As a result, some machines may be running an up-to-date operating system but not the best firmware. The researchers describe the problem as “software secure, firmware insecure.”

The firmware discrepancies appear to affect different models of Mac computers to varying degrees. As many as 16 models of Mac have never received any firmware updates, the report showed. Certain iMacs from late 2015 were the worst offenders, with 43% of those systems running an outdated version of firmware.

“The number of systems that weren’t reflective of the expected good state was actually quite surprising to us,” Smith said. “We went back and checked our data several times to make sure we weren’t being led to the wrong conclusions.”

In Duo Security’s sample alone — which drew from sectors as diverse as higher education, technology and international groups — more than 3,000 machines were affected by the flaw. All those vulnerable devices could become juicy targets for state-sponsored hackers engaging in corporate or government espionage.

Expand that to all enterprises worldwide, and you begin to get an idea of the potential scale of the problem.

Most home users don’t have to worry about this type of attack, Smith said, because they aren’t the likeliest targets. Instead, the most vulnerable may be government agencies, industrial groups or corporations — those with a great deal more to lose and who might be deliberately targeted by foreign actors.

To help businesses and organizations check the health of their systems, Duo Security said it’s providing several tools for IT administrators to use.

Duo Security contacted Apple in June to discuss the findings, and not only did Apple accept the results and methodology, Smith said, but it also has been working closely with the security firm to understand the problem. So far, neither company has been able to figure out why some computers are refusing to apply the updates.

Apple didn’t respond to a request for comment, but some of its employees have been active about addressing firmware vulnerabilities. A series of now-deleted tweets this week from a company engineer highlighted a new feature in the latest version of macOS High Sierra that runs in the background and checks every week to see whether a Mac is using outdated firmware. If the check passes, users won’t see any difference. If it fails, users will be prompted to notify Apple.

“The level of security they’re applying to 10.13 [macOS High Sierra] is definitely a step forward for EFI security overall,” Smith said. “It might not address everything we’ve found in the paper — certainly not the legacy and historical problems we’ve found — but it’s going in the right direction, which is great to see.”

Fung writes for the Washington Post.