Millions of Macs open to EFI Firmware Hacks even if they are up-to-date

Pierluigi Paganini September 30, 2017

A group of researchers with Duo Security demonstrated that millions of Up-to-Date Apple Macs are vulnerable to EFI Firmware attacks.

In 2015, the security researcher Trammell Hudson demonstrated at the Chaos Computer Congress in Hamburg, how it is possible to infect Apple Mac PCs exploiting the Thunderbolt port.

Since the disclosure of the attack against the Apple firmware, the company has regularly bundled EFI updates with macOS security and software updates to avoid its exploitation.

Now researchers at Duo Security have discovered that many macOS security and software updates are incomplete exposing millions of Up-to-Date Macs to EFI Firmware hacks.

The researchers analyzed over 73,000 Macs systems and discovered that a worrisome number of Apple Mac computers either fails to install security patches for EFI firmware vulnerabilities or doesn’t install security updates at all.

“We then gathered OS version, build number, Mac model version, and EFI firmware version from over 73,000 real-world Mac systems deployed in organizations across a number of industry verticals to give us a large dataset of the Apple EFI environments that are in production use.” states the report published by the experts.

“Our research has shown there are considerable discrepancies in how Apple provides security support to its EFI firmware as compared to how they support the security of the OS and software.”

According to the research paper, 4.2 percent of machines in production environments are running EFI versions different from what they should be running.

“On average, 4.2% of real-world Macs used in the production environments analyzed are running an EFI firmware version that’s different from what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version.” states the research paper.

The situation is worse for certain Mac models, such as the iMac 21.5 inch of late 2015 for which experts observed a 43 percent discrepancy. The experts noticed that 16 combinations of Mac hardware and OSes had never received any EFI firmware update during the lifetime of the 10.10 to 10.12 versions of OS X/macOS.

The situation is, even more, critic because Apple does not even warn its customers of the failed EFI update process or technical problems resulting in millions of Macs users vulnerable to cyber attacks.

Thunderstrike EFI firmware attacks

Apple uses Intel-designed Extensible Firmware Interface (EFI) for Mac computers that runs before macOS boots up and has higher-level privileges. An EFI malware could be exploited by attackers to gain full control of the device without being detected.

“In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove – installing a new OS or even replacing the hard disk entirely is not enough to dislodge them.” states the Duo researchers.

You will be surprised by knowing the numbers for some specific Mac models—43% of the analysed iMac models (21.5″ of late 2015) were running outdated, insecure firmware, and at least 16 Mac models had never received any EFI firmware updates when Mac OS X 10.10 and 10.12.6 was available.

“For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates,” Duo researchers say.

It is very disconcerting to know that even if users are running the latest version of macOS and have installed all the security updates issued by the tech giant they are still exposed to cyber attack.

“Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version,”

Duo experts also found 47 models that were running 10.12, 10.11, 10.10 versions of macOS and did not receive the EFI firmware update that addressed the known vulnerability, Thunderstrike 1.

While 31 models did not receive did not receive an EFI patch for Thunderstrike 2.

The Thunderstrike attacks were first exploited by the National Security Agency (NSA), agents. According to documents belonging to the WikiLeaks Vault 7 data dumps, the agency developed the “Sonic Screwdriver” project, which is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting”allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”.

The technique allows a local attacker to boot its hacking tool using a peripheral device (i.e. USB stick, screwdriver),“even when a firmware password is enabled” on the device. This implied that the Sonic Screwdriver allows attackers to modify the read-only memory of a device, the documents revealed that malware is stored in the Apple Thunderbolt-to-Ethernet adapter.

More details on the research are available in the Duo Labs whitepaper, Mac users can check if they are running the latest version of EFI for their systems by using free open-source tool EFIgy.

[adrotate banner=”9″]	[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Thunderstrike hack, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini June 29, 2025

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51

Pierluigi Paganini June 29, 2025