The Secure Boot security mechanism of the Unified Extensible Firmware Interface (UEFI) can end up bypassed on around half of computers that have the feature enabled, a researcher said.
At the Hack in the Box 2014 security conference in Amsterdam, Corey Kallenberg, a security researcher from nonprofit research organization Mitre, also showed it is possible to render some systems unusable by modifying a specific UEFI variable directly from the OS, an issue that could easily end up exploited in cyber sabotage attacks.
UEFI was a replacement for the traditional BIOS (Basic Input/Output System) and should standardize modern computer firmware through a reference specification that OEMs and BIOS vendors can use.
However, in reality there can be significant differences in how UEFI ends up implemented, not only across different computer manufacturers, but even across different products from the same vendor, Kallenberg said.
Last year, researchers from Intel and Mitre co-discovered an issue in UEFI implementations from American Megatrends, a BIOS vendor used by many OEMs, Kallenberg said.
In particular, the researchers found a UEFI variable called Setup did not have proper protection and could end up modified from the OS by a process running with administrative permissions.
Modifying the Setup variable in a particular way allowed the bypassing of Secure Boot, a UEFI security feature designed to prevent the installation of bootkits, which are rootkits that hide in the system’s bootloader and start before the actual OS. Secure Boot works by checking if the bootloader ends up digitally signed and on a pre-approved whitelist before executing it.