
EFI Verification (efigy issue, closed, 5 comments)

duo-labs commented on May 30, 2024
EFI Verification

from efigy.

Comments (5)

alvarnell commented on May 30, 2024

I was going to suggest upgrading to macOS High Sierra, where an EFI verification check is run at every reboot, but I see your MBP can't do that.

It's normal not to be able to reinstall an update that has already been executed.

EFI compromises are extremely rare from what has been reported to date, probably limited to nation-state attacks. What leads you to suspect yours has been?


dbl001 commented on May 30, 2024


alvarnell commented on May 30, 2024

I'm sure there is a way to hack the installer and prevent the script from checking the current version, but I don't personally know exactly how.

A few years back I was following the UEFI attack details and installed the kext from Darwin Dumper described in this article: https://www.imore.com/uefi-attack-and-the-mac-what-you-need-know. I successfully extracted the EFI but didn't have anything to compare it to, so didn't pursue the idea. Apple has blacklisted the DirectHW.kext in recent macOS versions, so I'm not sure it will work for you, and again you will need something to compare it to.


dbl001 commented on May 30, 2024


bruienne commented on May 30, 2024

Hi there @dbl001! Thanks for reaching out with your question. So the nature of EFI/firmware exploitation is that if the attacker does it right you'd never be able to tell during runtime (i.e. what you were looking at) whether anything was modified. An attacker would likely anticipate attempts to verify the firmware's authenticity and return the expected hash when another tool asks for it. One would have to physically extract the firmware from the flash storage (while powered off) in order to do proper consistency checks. This is a complicated process not easily performed by the average or even advanced computer user.

As for your question regarding reinstallation, the EFI updater only allows for incremental version updates which means that it will ignore update requests for the same or older versions of the firmware. Since all firmware payloads are signed it's sadly not possible to "trick" the EFI updater by manually increasing the version number in the payload.

Side note: we only track versions for Macs new enough to be included in the "new" update mechanism that slipstreams them into an OS or Security update. The update you screen captured is the "old" mechanism for the MacBookPro5,3 which is a 2009 Core 2 Duo model that is no longer updated by Apple.

I'm closing this issue as it does not directly pertain to the functionality of EFIgy - feel free to come chat more about this in the #security channel on the Macadmins Slack at macadmins.org though!

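The offline consistency check bruienne describes, as an added illustration that is not part of this thread or of EFIgy: it assumes you already hold a physically extracted flash dump and a known-good reference image for the same model and firmware version (both constructed here as sample bytes), hashes both, and on mismatch reports which block-aligned regions differ rather than just "different".

```python
import hashlib

BLOCK = 4096  # granularity for locating differences (assumption; not a flash sector size)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, dump: bytes, block: int = BLOCK) -> list:
    """Return findings comparing dump to reference: a ("size", ref_len, dump_len)
    entry if the lengths differ, plus ("diff", offset, length) for every run of
    consecutive blocks whose bytes are not identical."""
    findings = []
    if len(reference) != len(dump):
        findings.append(("size", len(reference), len(dump)))
    total = max(len(reference), len(dump))
    start = None
    for off in range(0, total, block):
        same = reference[off:off + block] == dump[off:off + block]
        if not same and start is None:
            start = off                      # open a differing run
        elif same and start is not None:
            findings.append(("diff", start, off - start))
            start = None                     # close the run
    if start is not None:
        findings.append(("diff", start, total - start))
    return findings


def check_dump(reference: bytes, dump: bytes) -> dict:
    """Whole-image hash comparison first; only dig into regions on a mismatch."""
    ref_hash, dump_hash = sha256_hex(reference), sha256_hex(dump)
    match = ref_hash == dump_hash
    return {"match": match, "reference_sha256": ref_hash, "dump_sha256": dump_hash,
            "regions": [] if match else diff_regions(reference, dump)}


# Constructed sample data: a 64 KiB "reference" image and a copy with 16 bytes
# changed inside the block starting at offset 0x3000. Not real firmware.
REFERENCE = bytes((i * 7) & 0xFF for i in range(64 * 1024))
_tampered = bytearray(REFERENCE)
_tampered[0x3000:0x3010] = b"\x90" * 16
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    result = check_dump(REFERENCE, TAMPERED)
    print(result["match"], result["regions"])   # False [('diff', 12288, 4096)]
```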
