Firmware in many Macs isn't getting updates

According to Duo Security research, Apple's EFI firmware can be out of date on many devices
02 October 2017

What is EFI firmware?

EFI stands for Extensible Firmware Interface, the interface between the operating system and the firmware that controls low-level hardware functions. Its main purpose is to correctly initialize the hardware when the system is turned on and to transfer control to the operating system loader. EFI is designed to replace the BIOS interface, which is traditionally used by all IBM PC-compatible personal computers. The first EFI specification was developed by Intel; that first version was later abandoned, and the latest version of the standard is called the Unified Extensible Firmware Interface (UEFI). UEFI is currently developed by the Unified EFI Forum.

What is Duo Security and what did they research?

Duo is a security company. According to its official website, they combine security expertise with a user-centered philosophy to provide two-factor authentication, endpoint remediation and secure single sign-on tools for the modern era. It’s so simple and effective, you get the freedom to focus on your mission and leave protection to us.

The Duo team:

  • Analyzed all Apple Mac updates released over the last three years (10.10.0 - 10.12.6) to produce a taxonomy of EFI updates
  • Gathered OS version, build number, Mac model version, and EFI firmware version from over 73,000 real-world Mac systems deployed in organizations across a number of industry verticals, giving a large dataset of the Apple EFI environments that are in production use
  • Analyzed both datasets independently and comparatively to explore their questions about the level of security support being afforded to a Mac’s EFI environment
  • Correlated the Mac models and OS versions that had EFI updates made available
  • Reverse engineered the way in which the Apple EFI firmware update tools operate, select and apply EFI updates

As reported by Wired, they found that for certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

There’s this mantra about keeping your system up to date: Patch, patch, patch, and if you do you’ll be running faster than the bear, you’ll be in a good state. But we're seeing cases where people have done what they’d been told, installed these patches, and there were no user warnings that they were still running the wrong version of EFI...Your software can be secure while your firmware is insecure, and you're completely blind to that.
 

Rich Smith
Director of research and development, Duo

In general, 4.2% of the Macs Duo tested had the wrong EFI version for their operating system version, suggesting they had installed a software update that somehow failed to update their EFI. For some specific models, the results were far worse: for one desktop iMac, the late 2015 21.5 inch screen model, the researchers found failed EFI updates in 43% of machines. And three versions of the 2016 MacBook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases, suggesting they too had serious EFI update failure rates.

The Duo researchers couldn't determine why Macs were failing to get firmware updates. But unlike an operating system update failure, an EFI update failure doesn't trigger any alert for the user.

We don’t know why all the EFI updates aren’t taking, we know that they aren’t. And if it doesn’t work, the end user is never notified.
 

Rich Smith
Director of research and development, Duo

What does it mean for the end user?

The state of your Mac’s EFI firmware may not be what you expect it to be, and in a number of circumstances, this may leave you vulnerable to a variety of known public EFI security issues.

What should users do?

The basic advice from Duo is as follows:

  • Check if you’re running the latest version of EFI for your system.
  • If possible, update to the latest version of the OS, 10.12.6. This will not only give you the latest versions of EFI firmware released by Apple, but also make sure you’re patched against known software security issues as well.
  • If you’re not able to update to version 10.12.6, either because your hardware is not able to run it or because you need to run an older version for software compatibility reasons, you may be out of luck and not be able to run the most up-to-date EFI firmware.
  • Check if you’re running a Mac that is on the list of hardware that hasn’t received an EFI update. If it is, you may be out of luck and not able to run up-to-date EFI firmware.
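
A fleet-level version of the first and last checks above, as an added example (not Duo's or Apple's code): it parses text in the layout of `system_profiler SPHardwareDataType`, assuming the `Model Identifier` and `Boot ROM Version` fields, and compares each machine against a baseline keyed by model and OS version. The baseline values, the no-update list, the `ExampleMac0,0` identifier and the sample fleet are constructed placeholders, not Apple release data.

```python
import re
from collections import Counter

# Constructed baseline: (model identifier, OS version) -> EFI version expected
# once that OS update is installed. Placeholder values, not real Apple data.
EXPECTED_EFI = {
    ("MacBookPro13,3", "10.12.6"): "MBP133.EXAMPLE.B02",
    ("iMac16,2", "10.12.6"): "IM162.EXAMPLE.B05",
}
# Constructed stand-in for the list of models that never received an EFI update.
NO_EFI_UPDATES = {"ExampleMac0,0"}

FIELD = re.compile(r"^\s*(Model Identifier|Boot ROM Version):\s*(\S+)\s*$", re.M)

def parse_hardware_report(text):
    """Pull model and EFI (Boot ROM) version out of system_profiler-style text."""
    fields = dict(FIELD.findall(text))
    return fields.get("Model Identifier"), fields.get("Boot ROM Version")

def classify(model, os_version, efi):
    """Return ok / mismatch / no-updates / unknown for one machine."""
    if model in NO_EFI_UPDATES:
        return "no-updates"
    expected = EXPECTED_EFI.get((model, os_version))
    if expected is None or efi is None:
        return "unknown"  # no baseline for this model/OS pair: cannot judge
    return "ok" if efi == expected else "mismatch"

def mismatch_rate_by_model(fleet):
    """fleet: iterable of (os_version, hardware_report). Returns {model: rate}."""
    seen, bad = Counter(), Counter()
    for os_version, text in fleet:
        model, efi = parse_hardware_report(text)
        status = classify(model, os_version, efi)
        if status in ("ok", "mismatch"):
            seen[model] += 1
            bad[model] += status == "mismatch"
    return {m: bad[m] / seen[m] for m in seen}

def report(model, efi):
    """Build a constructed sample in the system_profiler layout."""
    return ("Hardware:\n\n    Hardware Overview:\n\n"
            f"      Model Identifier: {model}\n      Boot ROM Version: {efi}\n")

SAMPLE_FLEET = [  # constructed inventory rows
    ("10.12.6", report("iMac16,2", "IM162.EXAMPLE.B05")),
    ("10.12.6", report("iMac16,2", "IM162.EXAMPLE.B01")),  # OS updated, EFI stale
    ("10.12.6", report("MacBookPro13,3", "MBP133.EXAMPLE.B02")),
    ("10.12.6", report("ExampleMac0,0", "EX00.EXAMPLE.B00")),
]

if __name__ == "__main__":
    for model, rate in sorted(mismatch_rate_by_model(SAMPLE_FLEET).items()):
        print(f"{model}: {rate:.0%} of machines have an unexpected EFI version")
```

Machines classified as unknown or no-updates are kept out of the rate so that a missing baseline is never counted as a healthy machine.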

You can find more information in the full Duo research and in the manual.

All modern Wi-Fi routers are threatened

KRACK researchers: "The attack works against all modern protected Wi-Fi networks"
16 October 2017

On Sunday, 15.10.2017, the results of a Wi-Fi security research project were published, as reported by Ars Technica.

What research?

The research is called KRACK (Key Reinstallation Attacks). It had been kept secret for weeks ahead of a coordinated disclosure scheduled for 8 a.m. Monday, East Coast time. US-CERT described KRACK as follows:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
 

US CERT team

What did the researchers find?

According to the official KRACK website, the researchers discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.

The researchers say that if your device supports Wi-Fi, it is most likely affected. They found that the following are in danger:

  • Android
  • Linux
  • Apple
  • Windows
  • OpenBSD
  • MediaTek
  • Linksys
  • and others.

Demo

As a proof of concept, the team executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because the key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher.

FAQ

The KRACK team also released a large FAQ list. We are publishing the most interesting items.

  • Do we now need WPA3?
    • No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa.
  • Should I change my Wi-Fi password?
    • Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack.
  • Is my device vulnerable?
    • Probably. Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information.
  • Should I temporarily use WEP until my devices are patched?
    • NO! Keep using WPA2.

Learn more at the official KRACK website.