Security experts have warned that Extensible Firmware Interface (EFI) updates often lack transparency, and fail to cover all hardware models and software versions, leading to dangerous gaps in protection.
Duo Labs director, Rich Smith, told attendees at Infosecurity Europe today that securing the EFI layer is particularly important as its position in a computing system means compromise could give hackers the upper hand in terms of stealth, persistence and access to anything above it.
Although efforts to compromise EFI are most often carried out as part of highly targeted attacks, they remain a major threat to organizations, he warned.
Smith revealed newly updated research from Duo Security which details shortcomings in Apple’s EFI update processes.
Drawing on data collected from 73,000 customer machines, the findings show that 4.2% were running the wrong EFI version – much higher than the 1% or so expected.
That rose to nearly 43% for the oldest Mac model on the market, dating back to 2015.
The results also showed that organizations could be “software secure but firmware vulnerable.”
For the latest Mac update, 10.12.6, the researchers found 43 EFI bundles issued. This figure dropped to 31 for Mac version 10.11 and just one for the previous version, 10.10.
“This makes it difficult for administrators to do good rigorous analysis across their fleets. It’s difficult to understand your threat profile and attack surface,” Smith claimed.
“The only way to ensure you’re getting the best firmware updates is ensuring your on the latest software version.”
He called on tech firms to introduce “the same degree” of transparency into the firmware update process as they do with software updates.
Duo Security chose to study Apple because the firm’s singular ecosystem made it easier to analyze, but Smith warned that failings in the Wintel space are arguably even more acute.