UEFI: 5 Recommendations for Securing and Restoring Trust
Despite a drop in overall sales of computers, a staggering 286.2 million Windows-based PCs were sold in 2022. Each of these computers was released with firmware based on the Unifired Extensible Firmware Interface (UEFI), an alternative to the legacy Basic Input/Output System (BIOS), which provides an extensible intersection between hardware and the OS itself. The UEFI standard also identifies reliable ways to update this firmware from the OS. Despite its ubiquitous and indispensable role, this piece of software remains invisible to most users. However, attackers have not forgotten about it. The attack dubbed BlackLotus first exposed a bookit (advanced form of malicious software) that cannot be easily detected or removed. Many vendors, including Microsoft, are still at an impasse with this bootkit as they are unable to reliably detect it or protect even today’s fully patched machines from this type of attack. On the heels of that attack, another soon followed that involved a leak of sensitive information, such as private keys from multiple PC manufacturers. These private keys, typically used to cryptographically sign UEFI-based software, could potentially be used to create malicious software that can achieve very high-privileged access to the CPU. In creating such bootkits, the attacker plants malicious code along with software that is both essential and highly trusted for normal operation of these devices. In this blog post, which I adapted from my recent white paper, I will expand on the concerns brought to light from these attacks and highlight our recommendations to secure the UEFI ecosystem and restore trust in this piece of firmware. These recommendations will both raise awareness and help direct upcoming efforts to create a safer environment for computing.