The flaw outlined by Duo Security researchers Rich Smith and Pepijn Bruienne concerns Apple's Extensible Firmware Interface, or EFI, which helps computers boot up and run the main operating system. Because all subsequent hardware and software operations are dependent on the EFI, allowing hijackers to gain control of it could prove disastrous.
The investigation that led to the discovery began when Smith and Bruienne looked at how many Macs were running outdated firmware. Macs are supposed to update their firmware automatically to the latest versions whenever a user updates the main operating system, insulating them from firmware attacks. But Duo Security's study found that 4.2 percent of surveyed machines were running an outdated version of the firmware. In other words, some computers appear not to be updating their firmware when they're supposed to.
As a result, some machines may be running an up-to-date operating system but problematic firmware. The researchers described the problem as “software secure, firmware insecure.”
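The comparison the researchers describe, reduced to its simplest form, is a per-model check of the installed EFI version against the version the machine should have after its most recent OS update. The script below is an added illustration of that check and is not Duo Security's tool or Apple's code. It assumes the `system_profiler SPHardwareDataType` output format shown in the constructed sample, assumes Boot ROM versions can be ordered by their numeric build field, and uses placeholder expected versions; a real audit would source the expected-version table from vendor release data.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of `system_profiler SPHardwareDataType` output; not captured from a real machine.
SAMPLE_PROFILER_OUTPUT = """Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,4
      Processor Name: Intel Core i7
      Boot ROM Version: MBP114.0172.B15
      SMC Version (system): 2.29f24
      Serial Number (system): PLACEHOLDER-SERIAL
"""

# Assumed expected Boot ROM version per model identifier. These are placeholder
# values for illustration, not Apple's or Duo Security's published data.
EXPECTED_BOOT_ROM: Dict[str, str] = {
    "MacBookPro11,4": "MBP114.0184.B00",
    "iMac17,1": "IM171.0110.B00",
}


@dataclass
class HardwareInfo:
    model_identifier: str
    boot_rom_version: str


def parse_hardware_info(text: str) -> HardwareInfo:
    """Pull the model identifier and Boot ROM version out of system_profiler text."""
    fields = {}
    for line in text.splitlines():
        # Only "Key: value" lines match; section headers like "Hardware:" have no value.
        m = re.match(r"\s*([^:]+):\s*(.+)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return HardwareInfo(fields["Model Identifier"], fields["Boot ROM Version"])


def parse_efi_version(version: str):
    """Assumed layout: <family>.<numeric build>.<revision>, e.g. MBP114.0172.B15."""
    family, build, rev = version.split(".")
    return family, int(build), rev


def firmware_is_outdated(installed: str, expected: str) -> bool:
    """True when the installed build/revision sorts below the expected one."""
    ifam, ibuild, irev = parse_efi_version(installed)
    efam, ebuild, erev = parse_efi_version(expected)
    if ifam != efam:
        # A different family means the table entry is for another board; do not guess.
        raise ValueError(f"firmware family mismatch: {installed} vs {expected}")
    return (ibuild, irev) < (ebuild, erev)


def audit(text: str, expected: Dict[str, str] = EXPECTED_BOOT_ROM) -> dict:
    """Classify one machine's firmware as current, outdated, or unknown-model."""
    info = parse_hardware_info(text)
    target: Optional[str] = expected.get(info.model_identifier)
    if target is None:
        status = "unknown-model"
    elif firmware_is_outdated(info.boot_rom_version, target):
        status = "outdated"
    else:
        status = "current"
    return {
        "model": info.model_identifier,
        "installed": info.boot_rom_version,
        "expected": target,
        "status": status,
    }


def classify(os_current: bool, firmware_status: str) -> str:
    """Combine the OS and firmware states into the researchers' wording."""
    if os_current and firmware_status == "outdated":
        return "software secure, firmware insecure"
    if os_current and firmware_status == "current":
        return "software secure, firmware secure"
    if firmware_status == "unknown-model":
        return "firmware state unknown"
    return "software insecure"


def read_live_profile() -> str:
    """Run system_profiler on the local Mac (macOS only)."""
    return subprocess.run(
        ["system_profiler", "SPHardwareDataType"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    result = audit(SAMPLE_PROFILER_OUTPUT)
    print(result)
    print(classify(os_current=True, firmware_status=result["status"]))
```

On the constructed sample the audit reports the MacBookPro11,4 as outdated (build 0172 below the assumed expected 0184), and `classify` labels it "software secure, firmware insecure". Running the same check across a fleet means substituting `read_live_profile()` for the sample text on each machine and feeding the results into inventory, which is the shape of the study's 4.2 percent figure.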
The firmware discrepancies appear to affect different models of Mac computers to varying degrees. As many as 16 models have never received any firmware updates, the report showed. Certain iMacs from late 2015 were the worst offenders, with 43 percent of those systems running an outdated version of firmware.
“The number of systems that weren't reflective of the expected good state was actually quite surprising to us,” Smith said. “We went back and checked our data several times to make sure we weren't being led to the wrong conclusions.”
In Duo Security's sample alone — which drew from sectors as diverse as higher education, technology and international groups — more than 3,000 machines were affected by the flaw. All those vulnerable devices could become juicy targets for state-sponsored hackers engaging in corporate or government espionage.
Expand that to all enterprises worldwide, and you begin to get an idea of the potential scale of the problem.
Most home users don't have to worry about this type of attack, Smith said, because they aren't likely to become targets. Instead, the most vulnerable may be government agencies, industrial groups or corporations — those with a great deal more to lose and who might be deliberately targeted by foreign actors.
To help businesses and organizations check the health of their systems, Duo Security said it's providing several tools for IT administrators to use.
The cybersecurity firm contacted Apple in June to discuss the findings, and the tech giant not only accepted the results and methodology, Smith said, but has been working closely with the security firm to understand the problem. So far, neither company has been able to figure out why some computers are refusing to apply the updates.
Some Apple employees have publicly addressed firmware vulnerabilities. A series of (now-deleted) tweets this week from an Apple engineer highlighted a new feature in the latest version of macOS, High Sierra, that runs in the background and checks every week to see whether a Mac is using outdated firmware. If the check passes, users won't see any difference. If it fails, users will be prompted to notify Apple.
“The level of security they're applying to 10.13 [macOS High Sierra] is definitely a step forward for EFI security overall,” Smith said. “It might not address everything we've found in the paper — certainly not the legacy and historical problems we've found — but it's going in the right direction, which is great to see.”
Apple said in a statement that it is committed to bolstering firmware security and confirmed the weekly checks.
“We appreciate Duo's work on this industry-wide issue and noting Apple’s leading approach to this challenge,” Apple said. “Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.”