The US government’s cybersecurity agency CISA is calling attention to under-researched attack surfaces in UEFI, warning that the dominant firmware standard presents a juicy target for malicious hackers.
“UEFI is a critical attack surface. Attackers have a clear value proposition for targeting UEFI software,” the agency said in a call-to-action penned by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky.
Noting that UEFI code is assembled from several components (the security and platform initialization phases, drivers, bootloaders, the power management interface, etc.), the agency warned that a security defect in any of them exposes computer systems to stealthy attacks that maintain persistence below the operating system.
“What attackers achieve depends on which phase and what element of UEFI they are able to subvert. But every attack involves some kind of persistence,” CISA said. “As we evolve our responses to UEFI incidents and strengthen secure-by-design in the UEFI community, we should strive to create an environment where the threat from the adversary targeting UEFI is significantly reduced.”
The government agency used the example of the BlackLotus bootkit to call attention to major gaps in the way layers below the operating system are protected.
“Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode,” CISA said, noting that BlackLotus exploits a failure in secure update distribution – an issue at the intersection of Secure by Design and PSIRT maturity.
Although Microsoft shipped guidance on how to manually mitigate the attack vector, the agency said it will “continue to work with Microsoft toward a Secure by Default update distribution implementation.”
The agency is also recommending that:
- System owners should be able to audit, manage, and update UEFI components just like any other software that is being acquired, including with a software bill of materials (SBOM). CISA points to AMI's work in this area as a good start.
- Operational teams should expect to be able to collect, analyze, and respond to event logs that identify UEFI-related activities (e.g., changes, updates, add/remove components) using UEFI native watchdog and reporting capabilities relayed to the operating system or endpoint detection and response tools as appropriate.
- UEFI component developers should use secure development environments and adopt software development best practices, just like any other software.
- The UEFI vendor community should universally adopt uninterrupted and reliable update capabilities to ensure that UEFI component updates are not burdensome to operational communities and end users. For example, keys that sign vulnerable and updated boot files should not have to be manually revoked or excluded by system owners.
- With the UEFI Security Response Team (USRT) continuing to provide leadership, the UEFI community should broaden engagement in communities, like FIRST, to expand adoption of best practices for PSIRT operations.
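As an added example that is not part of CISA's guidance or this article, the following Python script shows the kind of audit the first and fourth recommendations above call for on a Linux host: it reads the SecureBoot and SetupMode variables from efivarfs and parses the dbx revocation database, whose EFI_SIGNATURE_LIST layout and signature-type GUIDs are taken from the UEFI specification, to count the revoked image hashes and certificates a platform actually carries. The efivarfs path and variable vendor GUIDs are the standard ones; the SAMPLE_* owner GUID, hashes and dummy certificate are constructed here for illustration and are not real revocation entries.

```python
"""Audit UEFI Secure Boot state and the dbx revocation database on a Linux host.

Added example (not CISA's or the article's code). The EFI_SIGNATURE_LIST layout
follows the UEFI specification; SAMPLE_* values below are constructed for
illustration and are not real revocation entries.
"""
import hashlib
import struct
import uuid
from pathlib import Path
from typing import Optional

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUIDs of the variables read below (SecureBoot/SetupMode and db/dbx).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_signature_lists(data: bytes) -> list:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (little-endian).

    EFI_GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
    UINT32 SignatureSize; UINT8 SignatureHeader[]; then EFI_SIGNATURE_DATA entries,
    each an owner EFI_GUID followed by (SignatureSize - 16) bytes of signature data.
    Every size is checked against the buffer so a truncated or lying header
    raises instead of being silently misreported.
    """
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        entries = [
            {"owner": str(uuid.UUID(bytes_le=body[i:i + 16])), "data": body[i + 16:i + sig_size]}
            for i in range(0, len(body), sig_size)
        ]
        lists.append({"type": sig_type, "entries": entries})
        off += list_size
    return lists


def summarize_dbx(data: bytes) -> dict:
    """Count revoked SHA-256 image hashes and revoked X.509 certificates in a dbx blob."""
    summary = {"sha256_hashes": 0, "x509_certs": 0, "other": 0}
    kinds = {EFI_CERT_SHA256_GUID: "sha256_hashes", EFI_CERT_X509_GUID: "x509_certs"}
    for sl in parse_signature_lists(data):
        summary[kinds.get(sl["type"], "other")] += len(sl["entries"])
    return summary


def read_efivar(name: str, guid: str) -> Optional[bytes]:
    """Read an efivarfs variable; the first 4 bytes are the variable attributes, not data."""
    try:
        return (EFIVARS / f"{name}-{guid}").read_bytes()[4:]
    except OSError:  # not a UEFI boot, efivarfs not mounted, or variable unreadable
        return None


def audit_host() -> dict:
    """Report SecureBoot/SetupMode (True/False, None if unavailable) and a dbx summary."""
    report = {}
    for var in ("SecureBoot", "SetupMode"):
        raw = read_efivar(var, EFI_GLOBAL_VARIABLE_GUID)
        report[var] = None if not raw else raw[0] == 1
    dbx = read_efivar("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID)
    report["dbx"] = None if dbx is None else summarize_dbx(dbx)
    return report


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (no signature header); used to build sample data."""
    if len({len(s) for s in sigs}) != 1:
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body


# Constructed sample dbx: two revoked image hashes and one revoked (dummy) certificate.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_HASHES = [hashlib.sha256(b"sample-bootloader-%d" % i).digest() for i in (1, 2)]
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES) + \
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"not-a-real-DER-certificate"])

if __name__ == "__main__":
    print("constructed sample:", summarize_dbx(SAMPLE_DBX))
    print("this host:", audit_host())
```

On a UEFI-booted Linux host the script reports whether Secure Boot is enforcing (SecureBoot true, SetupMode false) and how many revocations the firmware holds; on Windows the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI -Name dbx` cmdlets expose the same data. A non-empty dbx only shows that some revocations are present: to confirm that a specific vendor update (such as the one Microsoft published for the BlackLotus boot managers) has been applied, compare the parsed SHA-256 entries against the hashes the vendor ships with that update rather than trusting the count.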
Last March, a joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” that needed urgent attention.
“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”
“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two agencies said following a one-year assessment of the supply chains for critical IT infrastructure deployed in the United States.
“Firmware can also be a lucrative target with a relatively low cost of attack. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”