eficheck in macOS High Sierra protects against firmware attacks

Apple has quietly slipped a new feature into macOS High Sierra that checks for firmware tampering once a week. This is a fantastic improvement in personal security and is one that I have been clamoring for, for years.


The firmware is the first software that is executed when you turn the machine on. It's not located on any of your drives; rather, it's on a flash storage chip that is soldered to the motherboard. Changing the hard drive/SSD does not change the firmware.


Ever since insider leaks such as Snowden's, we have learned that the NSA has built attack tools to replace the firmware of someone's computer surreptitiously. Once the firmware has been replaced, the NSA can then remotely monitor and/or control the computer. The user has no defense against this because, prior to macOS High Sierra, this attack was not detectable and not fixable by simply changing out the hard drive or by reinstalling the operating system (even a clean install will not help in this situation).

Who is at risk?

At first blush this might not seem to be a problem for the average user; however, we have seen that the NSA's software and techniques are already in the hands of evildoers who do threaten our privacy and safety, so this is a very serious issue.

Years ago we would install software called Tripwire, which scans certain software or files to see if they have been altered or compromised. However, that approach does not protect the firmware that boots the machine.

I wrote about this approach years ago and even asked Apple to incorporate it into macOS. I don't know if Apple listened to me, or others, but however they were inspired, I'm grateful that they finally implemented it to protect our firmware.

This new, invisible feature is known as "eficheck". It is located in /usr/libexec/firmwarecheckers/eficheck and allegedly runs once a week. If it encounters the incorrect firmware for that machine's model, it will pop up a warning message:

Firmware Changes Detected

At this point you can send a report to Apple or ignore the message. It's best to send a report to Apple so they can monitor the situation and develop a countermeasure to protect you. Either way, I suggest taking your machine to an Apple store to get the firmware replaced with authentic Apple firmware.
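To run the same check on demand instead of waiting for the weekly schedule, the following added example (not from the original post or from Apple) wraps eficheck in a small shell function that classifies the result. It assumes the binary sits inside the directory named above, accepts the `--integrity-check` option, is run as root, and prints "No changes detected" on a clean result; the function name and return codes are illustrative.

```shell
#!/bin/sh
# Added example: run eficheck on demand and classify the outcome.
# Assumptions (not from the original post): binary path inside the directory
# the post names, the --integrity-check option, root privileges, and the
# phrase "No changes detected" in the output of a clean run.
EFICHECK="${EFICHECK:-/usr/libexec/firmwarecheckers/eficheck/eficheck}"

# efi_integrity_status <path-to-eficheck>
# Returns 0 = check ran and reported no changes,
#         1 = check ran but did not report a clean result (investigate),
#         2 = eficheck is not present on this system.
efi_integrity_status() {
    tool="$1"
    if [ ! -x "$tool" ]; then
        echo "eficheck not found at $tool" >&2
        return 2
    fi
    # Capture stdout and stderr together so the full report can be logged.
    output=$("$tool" --integrity-check 2>&1)
    rc=$?
    printf '%s\n' "$output"
    # Require both a zero exit code and the clean-result phrase; anything
    # else is treated as suspicious rather than silently passed.
    if [ "$rc" -eq 0 ] && printf '%s' "$output" | grep -q "No changes detected"; then
        return 0
    fi
    return 1
}

# Execute only when asked to, e.g.:  sudo sh efi_status.sh --run
if [ "${1:-}" = "--run" ]; then
    efi_integrity_status "$EFICHECK"
    exit $?
fi
```

A return code of 1 is the case to escalate: keep the printed output with the report and have the firmware checked, as described above.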

Source: High Sierra automatically checks EFI firmware each week by The Eclectic Light Company blog






