Government CISA Calls Urgent Attention to UEFI Attack Surfaces
The United States government’s cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), has issued a warning about vulnerabilities in UEFI (Unified Extensible Firmware Interface) software. In a call to action written by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky, the agency describes UEFI as a “critical attack surface” that requires immediate attention. UEFI, the firmware standard used by most modern computers, is a prime target for attackers because of its many components, including security and platform initializers, drivers, bootloaders, and power management interfaces. According to CISA, security defects in UEFI code can allow attackers to stealthily infiltrate computer systems and maintain persistence, posing a significant risk to cybersecurity.
BlackLotus bootkit highlights vulnerabilities in UEFI security
CISA uses the BlackLotus bootkit as its example of the gaps in UEFI security. As incidents like BlackLotus demonstrate, the cybersecurity community and UEFI developers are still learning the best practices for securing UEFI software. The bootkit exploits a failure in secure update distribution, an issue at the intersection of “Secure by Design” and PSIRT (Product Security Incident Response Team) maturity. Although Microsoft has provided guidance on manual mitigation of this attack vector, CISA emphasizes the importance of developing a “Secure by Default” update distribution implementation in collaboration with Microsoft.
Recommendations for improving UEFI security
In order to enhance UEFI security and reduce the threat posed by attackers, CISA has put forth several recommendations. These include:
- Auditing and managing UEFI components: System owners should have the ability to audit, manage, and update UEFI components similar to any other software they acquire. This can be facilitated by using software bill of materials, as suggested by AMI.
- Monitoring UEFI-related activities: Operational teams should be able to collect, analyze, and respond to event logs that identify UEFI-related activities, such as changes, updates, and component additions/removals. UEFI native watchdog and reporting capabilities should be used, along with appropriate endpoint detection and response tools.
- Practicing secure development: UEFI component developers should adopt secure development environments and follow software development best practices, just like any other software.
- Ensuring reliable update capabilities: UEFI vendors should universally adopt uninterrupted and reliable update capabilities to make UEFI component updates less burdensome for operational communities and end users. Keys that sign both vulnerable and updated boot files should not have to be manually revoked or excluded by system owners.
- Expanding engagement in best practice communities: The UEFI community, led by the UEFI Security Response Team (USRT), should broaden its engagement in communities like FIRST to promote the adoption of best practices for PSIRT operations.
The urgency of securing UEFI firmware
The recent joint draft report issued by the U.S. Department of Homeland Security (DHS) and the Department of Commerce highlights the urgent need to secure firmware. The report emphasizes that firmware is a large and ever-expanding attack surface that can be compromised by attackers at scale. Firmware attacks can subvert operating systems and hypervisors, bypass security systems, remain hidden, persist in networks and devices, and cause irrevocable damage. Additionally, targeting firmware is becoming an increasingly popular method for hackers due to its relatively low cost of attack. The report calls for immediate action to secure the firmware layer and protect critical infrastructure deployed in the United States.
Editorial: The Unseen Vulnerabilities in UEFI Firmware
The warning issued by CISA regarding the vulnerabilities in UEFI firmware brings to light the often overlooked, yet critical, aspect of computer security. While much attention is paid to securing operating systems and applications, firmware remains an under-researched and under-protected area. As the US government’s cybersecurity agency rightly points out, UEFI firmware represents a critical attack surface that hackers can exploit to maintain persistence within computer systems. This poses a significant risk to individuals, businesses, and critical infrastructure.
The BlackLotus bootkit incident serves as a stark reminder that even established cybersecurity communities and UEFI developers are still learning how to adequately protect UEFI software. The failure in secure update distribution highlights the need for collaboration between agencies like CISA and industry leaders like Microsoft to develop secure-by-default update distribution implementations. Secure development practices, reliable update capabilities, and engagement in best practice communities are also crucial steps towards minimizing the threat from UEFI attacks.
However, these efforts require the dedication and commitment of both vendors and end users. System owners must have the ability to audit, manage, and update UEFI components, and UEFI vendors must ensure that the update process is seamless and not burdensome. Additionally, UEFI component developers should embrace secure development environments and best practices to minimize security defects in UEFI code.
Philosophical Discussion: Balancing Innovation and Security
The vulnerabilities in UEFI firmware raise important philosophical questions about the balance between innovation and security. UEFI was designed with the goal of improving boot times, flexibility, and compatibility with modern hardware. However, this innovation comes at the cost of a larger attack surface and increased complexity. As advancements in technology continue to push boundaries, it becomes increasingly challenging to strike the right balance between functionality and security.
While it is imperative to address the security issues in UEFI firmware, it is equally important to ensure that these security measures do not stifle innovation. Finding the right balance requires collaboration between industry experts, government agencies, and end users. It involves incorporating security practices and considerations in the early stages of development and promoting a culture of security awareness.
Advice: Securing UEFI Firmware
In light of the urgent attention called by CISA, it is essential for individuals and organizations to take steps to secure UEFI firmware. Here are some recommendations:
- Stay updated: Regularly check for firmware updates provided by your device manufacturer and install them promptly. These updates often contain security patches and improvements.
- Enable secure boot: Enable the secure boot feature in your UEFI firmware. This feature ensures that only trusted operating system software is loaded during the boot process, protecting against unauthorized modifications.
- Monitor UEFI-related activities: Use UEFI native watchdog and reporting capabilities, along with appropriate endpoint detection and response tools, to monitor and respond to any suspicious UEFI-related activities.
- Follow best practices: If you are a UEFI component developer, adopt secure development environments and follow established software development best practices to minimize security defects in UEFI code.
- Engage in best practice communities: Participate in communities like FIRST to learn from and contribute to the adoption of best practices for PSIRT operations in the UEFI community.
By following these recommendations and staying vigilant, individuals and organizations can reduce the risk posed by UEFI attacks and contribute to a more secure digital environment.
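One way to perform the Secure Boot and revocation checks the advice above calls for on a Linux host, as an added example that is not part of the original article or CISA's guidance: it reads the SecureBoot, SetupMode and dbx variables from efivarfs (an assumed Linux layout; the GUIDs are the UEFI specification's global-variable and image-security-database GUIDs) and counts the dbx revocation entries by parsing EFI_SIGNATURE_LIST records. SAMPLE_DBX is a constructed blob so the parser can be exercised offline.

```python
import struct
import uuid
from pathlib import Path

# Assumed Linux efivarfs layout; GUIDs are EFI_GLOBAL_VARIABLE and EFI_IMAGE_SECURITY_DATABASE.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = "/sys/firmware/efi/efivars"

def read_efivar(name, guid, root=EFIVARS):
    """Return a variable's payload (efivarfs prepends 4 attribute bytes), or None if absent."""
    path = Path(root) / f"{name}-{guid}"
    return path.read_bytes()[4:] if path.exists() else None

def secure_boot_state(sb, setup):
    """Classify enforcement from the SecureBoot and SetupMode payloads (one byte each)."""
    if sb is None:
        return "variable-missing"
    if setup and setup[0] == 1:
        return "setup-mode"  # no Platform Key enrolled, so the policy is not enforced
    return "enabled" if sb[0] == 1 else "disabled"

def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain in db/dbx and count entries per signature type."""
    counts, off = {}, 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(data):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        kind = {EFI_CERT_SHA256: "sha256", EFI_CERT_X509: "x509"}.get(sig_type, str(sig_type))
        counts[kind] = counts.get(kind, 0) + (list_size - 28 - hdr_size) // sig_size
        off += list_size
    return counts

def audit(root=EFIVARS):
    """Report Secure Boot state and how many revocation entries dbx holds on this machine."""
    sb = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE, root)
    setup = read_efivar("SetupMode", EFI_GLOBAL_VARIABLE, root)
    dbx = read_efivar("dbx", EFI_IMAGE_SECURITY_DATABASE, root)
    return {"secure_boot": secure_boot_state(sb, setup),
            "dbx_entries": parse_signature_lists(dbx) if dbx else {}}

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Constructed sample: encode hashes as one EFI_CERT_SHA256 signature list (offline testing)."""
    entries = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(entries), 0, 48) + entries

SAMPLE_DBX = build_sha256_list([bytes([i]) * 32 for i in range(3)])  # three constructed hashes
```

Calling audit() on a UEFI Linux system returns the live state; reading dbx from efivarfs typically requires root.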