Black Hat Vegas: Where the Guardians of the BIOS Are Failing

In our upcoming Black Hat Vegas talk, we will summarize our research about the UEFI firmware protections and our newly-discovered security problems.

This talk raises awareness of these security challenges for hardware vendors, BIOS-level security researchers and defenders, and sophisticated stakeholders who want to know the current state of UEFI exposure and threats. The situation is serious but, with the right tools and knowledge, we can prevail.

The state of UEFI firmware security has become more serious in the last few years. On one hand, increased activity from the security research community has led to a year-over-year increase in reported UEFI firmware vulnerabilities as the UEFI ecosystem has become more and more complex. On the other hand, more and more information about UEFI implants has become available, for example, HackingTeam and state-sponsored implants.

But most often, this information becomes public because of leaks, primarily because no detection tools are available and UEFI implants are typically used for targeted attacks. Recently, Intel has announced a new bug bounty program, which also includes the firmware. Hopefully, their effort will lead to more secure firmware.

UEFI’s place in the world has grown rapidly in the last few years, from the desktop/laptop and server market to the Internet of Things (IoT), mobile, automotive, drones, etc. Fortunately, UEFI security has advanced in many different directions, too. The level of security demonstrated by some modern enterprise hardware vendors has greatly improved.

But not all hardware vendors are the same. Unfortunately, some vendors don’t enable the protections offered by modern hardware, such as the simple protection bits for SMM and SPI flash memory (BLE, BWE, PRx), which Intel introduced years ago. This makes them easy targets for attackers, since they have no active memory protections at the hardware level.
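To make the check concrete, the following added example (not code from the original post or from the talk) decodes raw BIOS_CNTL and PRx register values and reports which of these protections are missing. It assumes the classic Intel PCH layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5; 13-bit PRx base/limit fields), includes SMM_BWP even though the post does not name it, and uses constructed register values and BIOS region bounds.

```python
# Added example: decode raw register values (read elsewhere, e.g. by a
# firmware-audit tool) and report which flash protections are enabled.
# Assumed layout: classic Intel PCH, 8-bit BIOS_CNTL, 13-bit PRx fields.

BIOSWE = 1 << 0    # BWE: BIOS region writes enabled
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # BIOS region writable only from SMM (not named in the post)


def audit_bios_cntl(value):
    """Return a list of findings for a BIOS_CNTL value; empty means OK."""
    findings = []
    if value & BIOSWE:
        findings.append("BIOSWE=1: BIOS region is currently write-enabled")
    if not value & BLE:
        findings.append("BLE=0: BIOSWE can be set without raising an SMI")
    if not value & SMM_BWP:
        findings.append("SMM_BWP=0: writes are not restricted to SMM")
    return findings


def decode_pr(value):
    """Decode one 32-bit PRx register into a dict of its fields."""
    base = (value & 0x1FFF) << 12                     # bits 12:0 -> addr 24:12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF  # bits 28:16, inclusive
    return {"base": base, "limit": limit,
            "read_protected": bool(value & (1 << 15)),
            "write_protected": bool(value & (1 << 31))}


def unprotected_gaps(bios_base, bios_limit, pr_values):
    """Return (start, end) byte ranges of the BIOS region that no
    write-protecting PRx register covers."""
    ranges = sorted((r["base"], r["limit"]) for r in map(decode_pr, pr_values)
                    if r["write_protected"] and r["limit"] >= r["base"])
    gaps, cursor = [], bios_base
    for start, end in ranges:
        if start > cursor:
            gaps.append((cursor, min(start - 1, bios_limit)))
        cursor = max(cursor, end + 1)
        if cursor > bios_limit:
            break
    if cursor <= bios_limit:
        gaps.append((cursor, bios_limit))
    return gaps
```

An empty result from both `audit_bios_cntl` and `unprotected_gaps` means the bits discussed above are set as intended; any finding or gap marks a platform that shipped without them.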

In my talk at (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Previous Contributor. Read the original post at: Cylance Blog