Ultimate PC security requires UEFI -- and Windows 8 or Linux

Hackers can easily 'brick' computers with malicious firmware. UEFI effectively blocks that attack vector and costs nothing

Most people don't understand UEFI (Unified Extensible Firmware Interface) or even know whether their computer has it. An interface layer between an operating system and firmware, UEFI offers much better security than plain old PC BIOS.

UEFI is an open standard intended to make it harder for bad people to manipulate firmware in an unauthorized manner. In a nutshell, any UEFI-enabled component requires firmware updates to be digitally signed by a previously authorized party. UEFI prevents not only bricking (that is, your BIOS gets hacked and your computer becomes as useful as a pile of clay), but also other types of subversion, such as eavesdropping, boot changes, and so on. The latest version adds what's called secure boot, which requires a unique key for each computer and each OS or low-level application; these keys can be revoked to block known malware or simply unauthroized installations.

[ 5 signs you've been hit with an advanced persistent threat | 5 cyber attacks you're most likely to face | Learn how to secure your systems with the Malware Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]

UEFI began life as EFI (Extensible Firmware Interface) by Intel, which subsequently released it as an open standard as it gained more industry support. The UEFI specification is now governed and led by the UEFI Forum, a nonprofit collaboration of technology companies. Many companies are heavily involved, including Intel and Microsoft.

When I last wrote about UEFI in August 2012, UEFI 2.3.1 -- the version that provides the secure boot capability -- was supported on only 64-bit Microsoft Windows 8, Windows Phone 8, and Fedora Linux. Since then several other Linux distros have added both UEFI and secure boot, including Ubuntu 12.10 and OpenSuse 12.3. The 64-bit versions of Windows Vista SP1 and Windows 7 support UEFI 2.x, but the UEFI 2.3.1's secure boot capability does not work on these OSes.

All new computer hardware that you buy should come UEFI-enabled, for several good security reasons.

Combating firmware threats
Several malware programs have successfully fried BIOSes and bricked millions of computers. Application bugs are great if you want to cause digital havoc, but only a hardware-level attack can render the computer useless for a long, long time. As operating systems become harder to compromise due to SDL (secure design lifecycle) programming and better patching, firmware attacks become more attractive to certain types of hackers.

Most BIOSes are soldered onto the motherboard, so it would take a new motherboard or specialized firmware writing equipment (good luck getting that quickly), along with code and people who knew what they were doing, to recover from a BIOS bricking attack.

It's far easier to write malware that can brick your computer than the code contained in the average Trojan horse, worm, or virus. All it takes is random garbage code or zeros to overwrite the code in your BIOS -- child's play in the hacker world.

Because most malware writers want money, identity, or information rather than mere destruction, I've documented only eight BIOS-modifying malware programs, including four that made it into the wild. But more and more, attackers seem happy to disrupt your life to prove a point. Imagine how happy your company's enemies or competitors would be if they could brick a significant number of your computers. Your company would be stopped in its tracks for days, if not longer. A growing number of attackers with a variety of agendas may use bricking as a weapon against all sorts of targets.

Make sure you have UEFI and not EFI
The original EFI specification didn't offer much in the way of security. But version 2.3 (now under the UEFI name), and specifically 2.3.1, has solid security. It requires not only digital signatures for code updates, but enables the secure boot firmware-to-OS protection.

Today, UEFI and secure boot are easily the most secure protection firmware can have outside of a physical switch. Physical protection (such as the BIOS jumpers of old) are great for security, but unreasonable to implement in the enterprise. That's why BIOS jumpers went away for the most part.

Linux, IBM hardware, and Apple have long led the way with EFI booting -- Apple introduced it in 2006 with its first Intel-based Macs. According to the UEFI Forum President Mark Doran, who also works for Intel, Linux had EFI during its Itanium days. But Linux's x86 support of UEFI was a recent development; just a few months ago, it was only Fedora.

1 2 Page 1
Page 1 of 2
FREE Download: Get the Spring 2019 digital issue of CSO magazine today!