ZDNET has a concerning article about UEFI malware found on some PC’s. According to the article this most recent UEFI infection was not the first. The Russian APT group Fancy Bear was using it back in 2018. Things like this usually means you can count on at LEAST 1 year prior before something like this is discovered. Those of us who watch closely know that things like this can go undiscovered for a decade or more…so I wonder how long into UEFI’s existence has this been going on? I’ve been talking about potential pitfalls about UEFI since 2012. I brought this up again in 2015 and then I experienced it’s use for “legitimate” drivers in 2017 at a client site. This i am sure has been utilized for much longer…which is why “secure boot” was designed for it..since it’s presented as a hidden file system that is actually your motherboards primary firmware. The only way to get rid of something like this is either “secure boot” which is means your bootcode must be cryptographiclly signed and those keys must already be present in the UEFI firmware for the system to boot…or hope you can flash the motherboard firmware without the malware knowing you are doing it…easier said then done. Basically if your mobo gets infected like this your options are limited and the consequences are very serious:
- If you have a modern Intel, Ryzen pro, or EPYC processor…all of these have secret operating systems built into the chips themselves. If your motherboard firmware has been infected with this..you will need to replace not only your motherboard..but also your CPU. For a server based platform that could be thousands to 10’s of thousands of dollars.
- For a desktop the consequences are also just as potentially dire. The motherboard goes and if you have many modern Intel, Ryzen pro, or Threadripper CPUs you have the same issues.
The consequences of this kind of infection are very dire. Not only do you have to replace the hardware EVERYTHING that machine has processed now MUST bon considered compromised. If this is a cloud server..you have serious problems. This is probably why secure boot is activated in many mahcines AND why AMD and dell have started locking AMD Threadripper and EPYC directly to the motherboards they come on. This means if the motherboard dies..you have to replace BOTH the motherboard and CPU as the cpu will not accept another motherboard…period.
EFI(the standard UEFI is based upon) was designed by Intel(go figure) whose record on security has been totally pathetic….so now folks have a golden opportunity to take the open PC space and start turning it into morass of vendor lockin(Apple is famous for this as their custom firmware is UEFI based…they have had some epic security failures despite their attempts to lock the hardware and software down). Combine that with the absolutely horrid state of code quality industry wide…and the hopes of pc’s and other devices being secure is about zero….no matter that hte vendors say. When your firmware is so easily taken over..the rest doesn’t matter.