The Apple of Your EFI: An Updated Analysis of the State of Apple's EFI Security Support

Presented at Black Hat Europe 2017, Dec. 6, 2017, 2:15 p.m. (60 minutes)

Duo Labs conducted an extensive data analysis on the state of Apple's EFI security from two main perspectives. The first was analysing all EFI updates released by Apple from OS X 10.10.0 through macOS 10.12.6 to fully characterise the security support provided across different Mac models and OS versions. This also provided a baseline for the "expected state" Mac systems should be in, defined as the state a user would expect their Mac's software and firmware to be in after running the available updates. The second was an analysis across over 73,000 real-world Mac systems to compare the actual state of their EFI against that expected state.

Our findings cover a range of anomalies and security issues in the security support Apple provides for its EFI firmware. More worryingly, our analysis shows significant deviations between the real-world state of EFI firmware on Macs and the expected state, which leads us to suspect a more systemic issue: new EFI firmware that is supposed to be installed automatically alongside an OS update is failing to install.

In addition to the data analysis discussed above, our research also aims to shine a light on the mechanisms used to update Apple's EFI itself, discussing how Apple's EFI updater tools operate and the controls they have in place. These insights come from binary analysis of the tools themselves, and we are confident that this has not been discussed in this level of detail anywhere else until now.

Alongside our findings, published as a technical paper, we are also releasing tools and APIs that give admins and end users far greater visibility into the state of the EFI firmware on their Apple systems and help them understand the security implications of that state.


Presenters:

  • Rich Smith - Director of R&D, Duo Labs, Duo Security
    Rich Smith is the Director of R&D for Duo Labs and supports the advanced security research and development agenda for Duo Security. He is also a co-author of the new book 'Agile Application Security', published by O'Reilly. Prior to joining Duo, Rich was Director of Security at Etsy, co-founder of the Icelandic red team startup Syndis, and held various roles on security teams at Immunity, Kyrus, Morgan Stanley, and HP Labs. Rich has worked professionally in the security space since the late 1990s, covering a range of activities including building security organizations, security consulting, penetration testing, red teaming, offensive research, and developing exploits and attack tooling. He has worked in both the public and private sectors in the U.S., Europe, and Scandinavia, and currently spends most of his time bouncing between Detroit, Reykjavik and NYC.
  • Pepijn Bruienne - R&D Engineer, Duo Security
    Pepijn Bruienne is a Research and Development Engineer at Duo Security in Ann Arbor, Michigan. He breaks Macs to help his employer's customers be more secure. With more than a decade and a half of experience in a variety of Mac admin areas, his skills include systems administration, operations management, Mac/Linux/Windows server and desktop integration, software deployment, configuration management and process automation.
