CISA Calls Urgent Attention to UEFI Attack Surfaces

The US government’s cybersecurity agency describes UEFI as a “critical attack surface” that requires urgent security attention.

The US government’s cybersecurity agency CISA is calling attention to under-researched attack surfaces in UEFI, warning that the dominant firmware standard presents a juicy target for malicious hackers.

“UEFI is a critical attack surface. Attackers have a clear value proposition for targeting UEFI software,” the agency said in a call-to-action penned by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky. 

Noting that UEFI code represents a compilation of several components (security and platform initializers, drivers, bootloaders, power management interface, etc.), the agency warned that security defects expose computer systems to stealthy attacks that maintain persistence.

“What attackers achieve depends on which phase and what element of UEFI they are able to subvert. But every attack involves some kind of persistence,” CISA said. “As we evolve our responses to UEFI incidents and strengthen secure-by-design in the UEFI community, we should strive to create an environment where the threat from the adversary targeting UEFI is significantly reduced.”

The government agency used the example of the BlackLotus bootkit to call attention to major gaps in the way layers below the operating system are protected.

“Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode,” CISA said, noting that BlackLotus exploits a failure in secure update distribution – an issue at the intersection of Secure by Design and PSIRT maturity.  

Although Microsoft shipped guidance on how to manually mitigate the attack vector, the agency said it will “continue to work with Microsoft toward a Secure by Default update distribution implementation.” 


The agency is also recommending that:

  • System owners should be able to audit, manage, and update UEFI components just like any other software that is being acquired, including with software bill of materials. AMI has suggested a good start.
  • Operational teams should expect to be able to collect, analyze, and respond to event logs that identify UEFI-related activities (e.g., changes, updates, add/remove components) using UEFI native watchdog and reporting capabilities relayed to the operating system or endpoint detection and response tools as appropriate. 
  • UEFI component developers should use secure development environments and adopt software development best practices, just like any other software.
  • The UEFI vendor community should universally adopt uninterrupted and reliable update capabilities to ensure that UEFI component updates are not burdensome to operational communities and end users. For example, keys that sign vulnerable and updated boot files should not have to be manually revoked or excluded by system owners.
  • With the UEFI Security Response Team (USRT) continuing to provide leadership, the UEFI community should broaden engagement in communities, like FIRST, to expand adoption of best practices for PSIRT operations.
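The revocation the fourth recommendation refers to happens in the Secure Boot forbidden-signature database (dbx), which stores revoked image hashes and certificates as a sequence of EFI_SIGNATURE_LIST structures. The parser below is an added example, not code from the article or from CISA; it decodes that format so an operator can audit what a platform's dbx actually revokes, using a constructed sample blob rather than a real dbx.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_signature_lists(blob):
    """Return [(type_guid, [(owner_guid, data), ...]), ...] for every
    EFI_SIGNATURE_LIST in blob. Header layout (little-endian): SignatureType (16),
    SignatureListSize (4), SignatureHeaderSize (4), SignatureSize (4), then the
    optional header, then entries of SignatureSize bytes = Owner GUID (16) + data."""
    off, lists = 0, []
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + 28 + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sigs = [(uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size])
                for i in range(0, len(body), sig_size)]
        lists.append((type_guid, sigs))
        off += list_size
    return lists

def summarize_dbx(blob):
    """Count revoked SHA-256 image hashes and revoked X.509 certificates."""
    counts = {"sha256": 0, "x509": 0, "other": 0}
    for type_guid, sigs in parse_signature_lists(blob):
        key = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}.get(type_guid, "other")
        counts[key] += len(sigs)
    return counts

def build_list(type_guid, owner, entries):
    """Encode one EFI_SIGNATURE_LIST; used only to build constructed test data."""
    sig_size = 16 + len(entries[0])
    head = type_guid.bytes_le + struct.pack("<III", 28 + sig_size * len(entries), 0, sig_size)
    return head + b"".join(owner.bytes_le + e for e in entries)

# Constructed sample dbx: two revoked image hashes plus one revoked certificate
# (dummy DER prefix), owned by a placeholder GUID. Not taken from any real system.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_DBX = (build_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32])
              + build_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82\x00\x04" + b"\x00" * 4]))
```

On a live Windows host the same parser can be pointed at the bytes returned by `Get-SecureBootUEFI -Name dbx`, and on Linux at `/sys/firmware/efi/efivars/dbx-*` after skipping the 4-byte attribute prefix.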

Last March, a joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” that needed urgent attention.

“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two agencies said following a one-year assessment of the supply chains for critical IT infrastructure deployed in the United States.

“Firmware can also be a lucrative target with a relatively low cost of attack. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

Related: US Gov Calls Firmware Security a ‘Single Point of Failure’

Related: BlackLotus Bootkit Targets Fully Patched Windows Systems

Related: Microsoft: Firmware Attacks Outpacing Security Investments

Related: BlackLotus UEFI Rootkit Provides APT-Level Capabilities

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
