Your Mac’s EFI Might Be Outdated

3 minute read
| Editorial

That’s right, despite your best efforts, your Mac might not be completely up-to-date. That’s not because of any failure on your part. According to a group of researchers at the Ekoparty security conference (via Wired, it’s because the updates just quietly fail. When your Mac’s EFI updates don’t run successfully, you don’t get any notification of that.

Mac's EFI

This shiny, gorgeous computer might belie a serious security problem

What’s the Extensible Firmware Interface?

At fault is something involved in updating the Extensible Firmware Interface, or EFI. Your Mac’s EFI, like any computer’s, runs before your computer’s operating system. It can also corrupt almost anything else in your PC or Mac. The EFI controls everything from the FaceTime camera to the trackpad. It also determines how the computer finds the operating system when it boots up.

Security firm Duo delved into the EFI of thousands of Macs to determine the real-world state of updates. Cupertino pushes out EFI updates regularly, so the team should have found the firmware’s state of affairs to be good.

The True State of Affairs of the Mac’s EFI

The security firm actually found quite the opposite. They began with a sample of 73,000 Apple computers used by its customers. Then they arrowed that down to around 54,000 Macs new enough to reasonably expect recent firmware updates.

What the study showed was that, overall, 4.2 percent of the Macs tested had the wrong EFI version for their operating system. For some models, such as the 21.5-inch iMac, the EFI was wrong 43 percent of the time.

The researchers don’t know why the EFI updates are failing, but here’s the problem. When an EFI update doesn’t finish successfully, the user has no way of knowing.

Not Just an Apple Problem

Before you think that I’m hating on Apple, or the researchers were, there’s a reason they chose Apple hardware to test. This is a unique situation where Cupertino controls updates to both hardware and software. Microsoft can’t update the EFI on a Windows-based PC, because it has no control over it.

Duo says it couldn’t analyze the state of the EFI of Windows or Linux computers by Dell, HP, Lenovo, Samsung, or any of a dozen other brands. Each of those computers’ has its own unique EFI, and each would require independent analysis. That actually means that the state of EFI for Windows- and Linux-based PCs is probably even worse, according to Duo.

Is This Really a Problem?

Yes. Yes, it is. If your Mac’s EFI is outdated, you will find yourself more open to hacking efforts than you might think. Through well-known and years-old EFI exploits, hackers can take control of a Mac (or any PC that has that exploit). The NSA and CIA have both demonstrated the ability to do this, according to leaked classified documents posted by WikiLeaks.

The researchers admit that how often the failed firmware updates would leave Macs open to real-world EFI hacking techniques is unclear. However, they did look into how Apple patched four different EFI exploits presented in prior security research. For dozens of older models of Mac computers, no patches were pushed out at all. Don’t think they computers were being totally ignored, either — they all received operating system updates after the hacking methods were announced.

A Case for Upgrading to High Sierra

I don’t know why Apple doesn’t let you know when your Mac’s EFI fails to update, but a spokesperson for Apple did explain to Wired what Cupertino has done in High Sierra to help address the problem. As we’ve previously noted, macOS High Sierra will check your system’s EFI weekly, to make sure it hasn’t been corrupted.

In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly. Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure.”

That won’t help if you won’t or can’t upgrade, though. Also, it’s designed to find hacked EFI, not an EFI that’s outdated.

Apple needs to up the ante when it comes to making sure EFI is updated. Some notification to the computer’s owner is necessary in these cases. Otherwise, Duo’s director of research Rich Smith explains better than I could the state users find themselves in:

There’s this mantra about keeping your system up to date: Patch, patch, patch, and if you do you’ll be running faster than the bear, you’ll be in a good state. But we’re seeing cases where people have done what they’d been told, installed these patches, and there were no user warnings that they were still running the wrong version of EFI…Your software can be secure while your firmware is insecure, and you’re completely blind to that.

4 Comments Add a comment

    • Jeff Butts

      Short answer is, you can’t (yet). That’s the point; Apple doesn’t provide us with any way of ensuring our EFI is updated.

      • Scott B in DC

        There’s no automatic way but you can manually compare the current version of the EFI with the downloads.

        Open System Information and get your Boot ROM and SMC version information.

        Then go to Apple’s support download page, find your system, and compare the information to the information you find. If your firmware is out of date then you can download and update the EFI manually.

        Download the installation file. It’s a Disk Image with an installation package. Mount the image (double click) then run the installation package (double-click) and follow the instructions.

  1. whisper

    OK. That helps. It was clear that they didn’t do anything in an automated way, I wasn’t sure if there was a workaround that one could do to resolve the problem.

Add a Comment

Log in to comment (TMO, Twitter, Facebook) or Register for a TMO Account