New attack methods can 'brick' systems, defeat Secure Boot, researchers say
Security researchers from Mitre found new ways to defeat the Secure Boot feature in UEFI and install boot-level rootkits
IDG News Service - The Secure Boot security mechanism of the Unified Extensible Firmware Interface (UEFI) can be bypassed on around half of computers that have the feature enabled in order to install bootkits, according to a security researcher.
At the Hack in the Box 2014 security conference in Amsterdam, Corey Kallenberg, a security researcher from nonprofit research organization Mitre, also showed Thursday that it's possible to render some systems unusable by modifying a specific UEFI variable directly from the OS, an issue that could easily be exploited in cybersabotage attacks.
UEFI was designed as a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification that OEMs and BIOS vendors can use. However, in reality there can be significant differences in how UEFI is implemented, not only across different computer manufacturers, but even across different products from the same vendor, Kallenberg said.
Last year, researchers from Intel and Mitre co-discovered an issue in UEFI implementations from American Megatrends, a BIOS vendor used by many OEMs, Kallenberg said. In particular, the researchers found that a UEFI variable called Setup was not properly protected and could be modified from the OS by a process running with administrative permissions.
Modifying the Setup variable in a particular way allowed the bypassing of Secure Boot, a UEFI security feature designed to prevent the installation of bootkits, which are rootkits that hide in the system's bootloader and start before the actual OS. Secure Boot works by checking if the bootloader is digitally signed and on a pre-approved whitelist before executing it.
Bootkits have been a serious threat for years. In 2011, security researchers from Kaspersky Lab said TDL version 4, a malware program that infects the computer's master boot record (MBR), had infected over 4.5 million computers and called it the most sophisticated threat in the world. McAfee reported in 2013 that the number of malware threats that infect the MBR had reached a record high.
Aside from bypassing Secure Boot, the unprotected Setup variable can also be used to "brick" systems if the attacker sets its value to 0, Kallenberg revealed Thursday for the first time. If this happens, the affected computer will not be able to start again.
Recovering from such an attack would be hard and time consuming because it involves reprogramming the BIOS chip, which requires manual intervention and specialized equipment, the researcher said.
The attack could be launched from the OS by malware running with administrative privileges and could potentially be used to sabotage an organization's computers. It wouldn't be the first time when such destructive attacks occur.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!