US CISA Urges Improvements to Key Computer Component
Unified Extensible Firmware Interface Should Be More Secure, Says Agency
The U.S. federal government is urging computer manufacturers to improve the security of firmware architecture that boots up devices after a powerful bootkit spotted last year sparked heightened concerns over permanent malware infections.
The Cybersecurity and Infrastructure Security Agency issued a call to action Thursday for the standard developers behind the Unified Extensible Firmware Interface to improve patch distribution, coding and logging practices.
UEFI is an industry standard for hardware initialization when a computer powers up, published by the UEFI Forum. A spokesperson said the forum has no comment.
The firmware interface seeks to be flexible, providing support for all sorts of system configurations from a complex ecosystem of vendors. That flexibility means UEFI has a complex attack surface, running in one of the most privileged security domains in the computer. Attack surfaces include many complex filesystem formats and network services, which permit local and remote exploitation, said Rob Wood, practice vice president for hardware and embedded security services at consultancy firm NCC Group.*
The call comes after the discovery of malware known as BlackLotus, a powerful bootkit sold in hacking forums for $5,000, caused the National Security Agency in June to warn Windows systems administrators over its threat.
"UEFI exploitation represents a tremendous national and economic security threat due to the limited countermeasures that can be employed and the advanced persistence such exploitation endows nation-state adversaries," said Tom Kellerman, who leads cyber strategy at Contrast Security and previously served on the White House Commission on Cyber Security.*
BlackLotus bypasses Microsoft security features meant to prevent hackers from infecting the boot process that takes place before the Windows operating system assumes control. Once the malware has infected UEFI software, it can gain full control over the system. Boot loader infections are difficult to detect, and any computer infected with BlackLotus must be completely re-imaged and possibly discarded.
Microsoft has released multiple patches to stymie BlackLotus, but the NSA said patching is only a first step to hardening machines against the malware (see: NSA Issues Remediation Guidance for BlackLotus Malware).
"UEFI bootkits are very powerful threats, having full control over the OS boot process and thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages," said Martin Smolár, a malware analyst at Eset, in a March 1 report unmasking BlackLotus. "This allows them to operate very stealthily and with high privileges."
Microsoft is phasing in fixes to revoke a vulnerable bootloader version that BlackLotus takes advantage of to bypass security protections, but it says it doesn't anticipate the rollout to be complete until the first quarter of next year. One reason for the measured pace, Microsoft said, is that older bootable media such as backup images will become unusable.
CISA recommends that all UEFI developers implement a dedicated public key infrastructure for updates. A CISA official told Dark Reading that Microsoft's use of a single key to sign multiple files has made patching Windows computers against BlackLotus a much harder process.
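The revocation trade-off behind the two paragraphs above, as an added illustration that is not CISA's, Microsoft's or the article's own code: a deliberately simplified model of Secure Boot's allow list (db) and deny list (dbx), with an HMAC standing in for real certificate signatures and constructed sample images, showing why revoking one shared signing key blocks everything it ever signed, while a dedicated key per component keeps the revocation narrow.

```python
import hashlib
import hmac

# Toy signature: HMAC-SHA256 stands in for Authenticode/X.509 signing.
def sign(key: bytes, image: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()

def key_id(key: bytes) -> str:
    return "key:" + hashlib.sha256(key).hexdigest()

def image_id(image: bytes) -> str:
    return "hash:" + hashlib.sha256(image).hexdigest()

def boots(image: bytes, signature: bytes, key: bytes, db: set, dbx: set) -> bool:
    """Simplified firmware check: signer must be in db, and neither the signer
    nor the image hash may be in dbx; then the signature must verify."""
    if key_id(key) not in db or key_id(key) in dbx or image_id(image) in dbx:
        return False
    return hmac.compare_digest(sign(key, image), signature)

# Constructed sample images (not real binaries).
LOADER_V1 = b"boot loader v1 (vulnerable)"
LOADER_V2 = b"boot loader v2 (patched)"
RECOVERY_TOOL = b"vendor recovery tool"
IMAGES = {"v1": LOADER_V1, "v2": LOADER_V2, "tool": RECOVERY_TOOL}

def outcome(keys: dict, dbx: set) -> dict:
    """keys maps image name -> signing key; returns which images still boot."""
    db = {key_id(k) for k in keys.values()}
    return {name: boots(img, sign(keys[name], img), keys[name], db, dbx)
            for name, img in IMAGES.items()}

SHARED_KEY = b"one vendor key used for everything"   # assumed shared key
LOADER_KEY, LOADER_KEY_2, TOOL_KEY = b"loader key", b"loader key 2", b"tool key"

def revoke_by_hash() -> dict:
    """Narrow: deny only v1 by hash, but every vulnerable build needs its own entry."""
    shared = {"v1": SHARED_KEY, "v2": SHARED_KEY, "tool": SHARED_KEY}
    return outcome(shared, {image_id(LOADER_V1)})

def revoke_shared_key() -> dict:
    """One key signs everything: revoking it also blocks v2 and the unrelated tool
    until each is re-signed under a new key that has been rolled out to db."""
    shared = {"v1": SHARED_KEY, "v2": SHARED_KEY, "tool": SHARED_KEY}
    return outcome(shared, {key_id(SHARED_KEY)})

def revoke_dedicated_key() -> dict:
    """Dedicated loader key: revoke it, ship v2 under a fresh loader key,
    and the recovery tool signed with its own key is untouched."""
    dedicated = {"v1": LOADER_KEY, "v2": LOADER_KEY_2, "tool": TOOL_KEY}
    return outcome(dedicated, {key_id(LOADER_KEY)})
```

Older media built with the vulnerable loader stops booting in every scenario, which is the cost the article attributes to Microsoft's staged rollout.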
The agency also recommends a software bill of materials for UEFI components and better native UEFI ability for administrators to collect event logs.
*Updated August 7, 2023 20:01 UTC: Adds comments from Robert Wood and Tom Kellerman.