A new study released Friday analyzing more than 73,000 Apple computers used in workplace settings found a firmware vulnerability that could be exploited by an advanced hacker—like, say, someone trying to launder files out of a large company or a state-sponsored attack.
The study comes from Duo, a Michigan-based security firm that does research and provides security tools for companies. The vulnerability that the team found stems from Apple’s extensible firmware interface, which is what powers on computers and boots up the operating system. Duo’s outline of the security flaw suggests that you should think of the EFI as like a starter motor in a car—it turns on the engine, and then the whole system gets connected. Because this operating function is so core to the computer, hackers can commandeer the machine at a very high level—and that’s difficult to detect. Luckily, home users don’t need to be as worried, the researchers noted in their outline.
The scary part is that even Mac users who installed the latest OS security update may still have a severe vulnerability. The computers tested were receiving software updates, and Apple has been bundling software and firmware updates since 2015. But the researchers found the firmware updates didn’t always go through.
The researchers found that 4.2 percent of the machines they tested were running outdated versions of firmware based on the version of operating system they were running. According to Duo, the outdated firmware leaves machines susceptible to firmware attacks, like Thunderstrike 2 and vulnerabilities in the recent WikiLeaks Vault 7 leaks.
In a statement, Rich Smith, Duo’s director of research and development, said that this particular hack requires a high level of skill and sophistication. Most people probably don’t have important enough information on their machines to be worth such a skilled hacker’s time. The more likely targets of this hack are computers containing privileged or classified information. This could include files with valuable intellectual property from a corporation or financial documents or classified material from government agencies.
Not all Macs systems are vulnerable, but the security firm did find that at least 16 models of Apple computers have never received any EFI updates. The most damning case was the 21.5 inch iMac from late 2015, which had the most software and firmware update discrepancies compared with other systems. Forty-three percent of those computers sampled were running the wrong firmware.
For its part, an Apple spokesperson said in a statement to Slate that the company is working diligently on firmware security and that the new macOS High Sierra automatically checks Mac firmware on a weekly basis.
The report says that the Duo researchers contacted Apple about their findings in June, and the Washington Post reported that Apple accepted the results of the study and has been working with Duo to further understand why this is happening.
This vulnerability demonstrates that common Apple computers aren’t quite as secure as users might have thought, but it doesn’t make running your system updates any less vital to maintaining security. Duo recommends that offices and organizations with Mac computers review its report to determine if the machines at risk. If that is the case, it might be time to get new computers all together. After all, the researchers warn in a statement, “even wiping the hard disk completely wouldn’t remove this kind of compromise.”
