The U.S. Cybersecurity and Infrastructure Security Agency has issued a call to action to beef up security of a little-known but important piece of software that can be found in every computer.

Called the Unified Extensible Firmware Interface or UEFI, it is run at boot time and controls the operation of the computer, loads device drivers and power management interface controls and other application interfaces. CISA said Aug. 3 that it’s concerned many attackers have focused on the UEFI to compromise a system and insert malware to control its operations and avoid detection.

One example of this is the BlackLotus exploits, which most recently have been documented by Microsoft Security in April and the U.S. National Security Agency in May. The document included ways to identify clues that a UEFI-based malware is present, such as a recent boot loader file date or log entry, modified Windows Registry keys (pictured below) or particular network behavior.

These UEFI-based attacks are more insidious, because they can activate or deactivate all sorts of operating system security mechanisms before they are actually loaded by the OS. Not helping matters, UEFI is now found on hundreds of millions of computers.

CISA’s warning was somewhat pessimistic, saying cybersecurity researchers and developers “are still in learning mode” on how to respond to UEFI attacks and how to protect this particular software better. “UEFI is the dominant software standard to manage the physical computing machinery that everything else depends on,” it says in its blog post. And its compromise continues to be an issue.

UEFI malware is also a problem because it can persist after a system reboot, an OS reinstall, or even replacement of a particular physical component in the computer. For example, BlackLotus places an older Windows boot loader, disables the memory integrity feature, disables BitLocker, and rolls back a recent security patch to a more vulnerable version.

That is a lot of bad stuff to try to remediate, which is one of the reasons why CISA recommends any infected PC be destroyed rather than repaired. It is also one of the reasons why UEFI attacks are prized targets: An attacker can both gain stealth and operate for long periods of time without having to worry about a system reboot or a system patch.

Over the years, UEFI developers have developed defensive measures to thwart malware infections, and CISA’s blog post mentions two: using security-by-design principles and employing more mature incident response measures. However, these aren’t universally implemented.

UEFI developer AMI proposed a way to prevent this patching rollback mentioned above last fall, but it has spotty deployment. There are also reference chip architectures that include rigorous memory management schemes, but researchers claim these schemes still need to be researched and verified. There are other efforts to establish secure hardware enclaves, but none of these efforts extend the security into the UEFI processes with any significance.

Part of the problem is that the UEFI supply chain is a complex web of developers and dependencies. The typical PC may have more than 50 different UEFI modules and hundreds of device drivers coming from dozens of software suppliers that have their own collection of different developers.

All of this complexity makes it difficult to track down the current versions of the software and determine if something has been compromised by bad actors. Making matters worse, parts of the UEFI “are also expected to accept untrusted input from the user or network.”

The Microsoft and NSA guidelines have recommendations on how businesses can better protect themselves, including updating all Windows recovery media and staying current with various OS patches. And Vijay Sarvepalli of Carnegie Mellon University’s Software Engineering Institute has written a paper describing the UEFI problem in detail along with a long list of developer and security process improvements.

Images: Nanoslavic/Pixabay, Microsoft