Duo Labs conducted an extensive data analysis on the state of Apple's EFI security from two main perspectives. The first was analysing all EFI updates released by Apple since OS X 10.10.0 through macOS 10.12.6 to fully characterise the security support provided across different Mac models and OS versions. This also provided a baseline for the "expected state" Mac systems should be in - this defined as the state the user would expect their Mac's software and firmware to be in after running the available updates. The second was an analysis across over 73,000 real-world Mac systems to compare the actual state of their EFI against the expected state.
Our findings cover a range of anomalies and security issues with the security support provided by Apple for their EFI firmware. More worryingly, our analysis shows significant deviations in the real-world state of EFI firmware in Macs compared to the expected state, which causes us to suspect a more systemic issue causing the failure of new EFI firmware that is supposed to be automatically installed alongside an OS update.
In addition to the data analysis discussed above, our research also aims to shine a light on the mechanisms used to update Apple's EFI itself - discussing how Apple's EFI updater tools operate and the controls they have in place. These insights come from the binary analysis of the tools themselves, we are confident that this has not been discussed in this great of detail anywhere else - until now.
Alongside our findings in the form of a technical paper, we are also releasing the tools and APIs to enable admins and end users to have far greater visibility into the state of the EFI firmware on their Apple systems and to understand the security implications that it may contain.