• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 

LameHug: first AI-Powered malware linked to Russia’s APT28

 | 

5 Features Every AI-Powered SOC Platform Needs in 2025

 | 

Broadcom patches critical VMware flaws exploited at Pwn2Own Berlin 2025

 | 

Stormous Ransomware gang targets North Country HealthCare, claims 600K patient data stolen

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Reports
  • Millions of Macs open to EFI Firmware Hacks even if they are up-to-date

Millions of Macs open to EFI Firmware Hacks even if they are up-to-date

Pierluigi Paganini September 30, 2017

A group of researchers with Duo Security demonstrated that millions of Up-to-Date Apple Macs are vulnerable to EFI Firmware attacks.

In 2015, the security researcher Trammell Hudson demonstrated at the Chaos Computer Congress in Hamburg, how it is possible to infect Apple Mac PCs exploiting the Thunderbolt port.
Since the disclosure of the attack against the Apple firmware, the company has regularly bundled EFI updates with macOS security and software updates to avoid its exploitation.
Now researchers at Duo Security have discovered that many macOS security and software updates are incomplete exposing millions of Up-to-Date Macs to EFI Firmware hacks.

The researchers analyzed over 73,000 Macs systems and discovered that a worrisome number of Apple Mac computers either fails to install security patches for EFI firmware vulnerabilities or doesn’t install security updates at all.

“We then gathered OS version, build number, Mac model version, and EFI firmware version from over 73,000 real-world Mac systems deployed in organizations across a number of industry verticals to give us a large dataset of the Apple EFI environments that are in production use.” states the report published by the experts.

“Our research has shown there are considerable discrepancies in how Apple provides security support to its EFI firmware as compared to how they support the security of the OS and software.”

According to the research paper, 4.2 percent of machines in production environments are running EFI versions different from what they should be running.

“On average, 4.2% of real-world Macs used in the production environments analyzed are running an EFI firmware version that’s different from what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version.” states the research paper.

The situation is worse for certain Mac models, such as the iMac 21.5 inch of late 2015 for which experts observed a 43 percent discrepancy. The experts noticed that 16 combinations of Mac hardware and OSes had never received any EFI firmware update during the lifetime of the 10.10 to 10.12 versions of OS X/macOS.

The situation is, even more, critic because Apple does not even warn its customers of the failed EFI update process or technical problems resulting in millions of Macs users vulnerable to cyber attacks.

Thunderstrike EFI firmware attacks

Apple uses Intel-designed Extensible Firmware Interface (EFI) for Mac computers that runs before macOS boots up and has higher-level privileges. An EFI malware could be exploited by attackers to gain full control of the device without being detected.

“In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove – installing a new OS or even replacing the hard disk entirely is not enough to dislodge them.” states the Duo researchers.

You will be surprised by knowing the numbers for some specific Mac models—43% of the analysed iMac models (21.5″ of late 2015) were running outdated, insecure firmware, and at least 16 Mac models had never received any EFI firmware updates when Mac OS X 10.10 and 10.12.6 was available.

EFI Mac Firmware update

“For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates,” Duo researchers say.

It is very disconcerting to know that even if users are running the latest version of macOS and have installed all the security updates issued by the tech giant they are still exposed to cyber attack.

“Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version,”

Duo experts also found 47 models that were running 10.12, 10.11, 10.10 versions of macOS and did not receive the EFI firmware update that addressed the known vulnerability, Thunderstrike 1.

While 31 models did not receive did not receive an EFI patch for Thunderstrike 2.

The Thunderstrike attacks were first exploited by the National Security Agency (NSA), agents. According to documents belonging to the WikiLeaks Vault 7 data dumps, the agency developed the “Sonic Screwdriver” project, which is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting”allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”.

The technique allows a local attacker to boot its hacking tool using a peripheral device (i.e. USB stick, screwdriver),“even when a firmware password is enabled” on the device. This implied that the Sonic Screwdriver allows attackers to modify the read-only memory of a device, the documents revealed that malware is stored in the Apple Thunderbolt-to-Ethernet adapter.

More details on the research are available in the Duo Labs whitepaper, Mac users can check if they are running the latest version of EFI for their systems by using free open-source tool EFIgy.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Thunderstrike hack, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Apple bootkit EFI hack Hacking OS X Thunderstrike hack

you might also like

Pierluigi Paganini July 22, 2025
Cisco confirms active exploitation of ISE and ISE-PIC flaws
Read more
Pierluigi Paganini July 22, 2025
SharePoint under fire: new ToolShell attacks target enterprises
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    SharePoint under fire: new ToolShell attacks target enterprises

    Hacking / July 22, 2025

    CrushFTP zero-day actively exploited at least since July 18

    Hacking / July 22, 2025

    Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

    Security / July 22, 2025

    MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

    APT / July 21, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT