roger_grimes
Columnist

Ultimate PC security requires UEFI — and Windows 8 or Linux

Analysis
Mar 26, 2013 | 8 mins
Computers and Peripherals, Data and Information Security, Hacking

Hackers can easily 'brick' computers with malicious firmware. UEFI effectively blocks that attack vector and costs nothing

Most people don’t understand UEFI (Unified Extensible Firmware Interface) or even know whether their computer has it. An interface layer between an operating system and firmware, UEFI offers much better security than plain old PC BIOS.

UEFI is an open standard intended to make it harder for bad people to manipulate firmware in an unauthorized manner. In a nutshell, any UEFI-enabled component requires firmware updates to be digitally signed by a previously authorized party. UEFI prevents not only bricking (that is, your BIOS gets hacked and your computer becomes as useful as a pile of clay), but also other types of subversion, such as eavesdropping, boot changes, and so on. The latest version adds what’s called secure boot, which requires a unique key for each computer and each OS or low-level application; these keys can be revoked to block known malware or simply unauthorized installations.

UEFI began life as EFI (Extensible Firmware Interface) by Intel, which subsequently released it as an open standard as it gained more industry support. The UEFI specification is now governed and led by the UEFI Forum, a nonprofit collaboration of technology companies. Many companies are heavily involved, including Intel and Microsoft.

When I last wrote about UEFI in August 2012, UEFI 2.3.1 — the version that provides the secure boot capability — was supported on only 64-bit Microsoft Windows 8, Windows Phone 8, and Fedora Linux. Since then several other Linux distros have added both UEFI and secure boot, including Ubuntu 12.10 and OpenSuse 12.3. The 64-bit versions of Windows Vista SP1 and Windows 7 support UEFI 2.x, but the UEFI 2.3.1’s secure boot capability does not work on these OSes.

All new computer hardware that you buy should come UEFI-enabled, for several good security reasons.

Combating firmware threats

Several malware programs have successfully fried BIOSes and bricked millions of computers. Application bugs are great if you want to cause digital havoc, but only a hardware-level attack can render the computer useless for a long, long time. As operating systems become harder to compromise due to SDL (secure design lifecycle) programming and better patching, firmware attacks become more attractive to certain types of hackers.

Most BIOSes are soldered onto the motherboard, so it would take a new motherboard or specialized firmware writing equipment (good luck getting that quickly), along with code and people who knew what they were doing, to recover from a BIOS bricking attack.

It’s far easier to write malware that can brick your computer than the code contained in the average Trojan horse, worm, or virus. All it takes is random garbage code or zeros to overwrite the code in your BIOS — child’s play in the hacker world.

Because most malware writers want money, identity, or information rather than mere destruction, I’ve documented only eight BIOS-modifying malware programs, including four that made it into the wild. But more and more, attackers seem happy to disrupt your life to prove a point. Imagine how happy your company’s enemies or competitors would be if they could brick a significant number of your computers. Your company would be stopped in its tracks for days, if not longer. A growing number of attackers with a variety of agendas may use bricking as a weapon against all sorts of targets.

Make sure you have UEFI and not EFI

The original EFI specification didn’t offer much in the way of security. But version 2.3 (now under the UEFI name), and specifically 2.3.1, has solid security. It requires not only digital signatures for code updates, but enables the secure boot firmware-to-OS protection.

Today, UEFI and secure boot are easily the most secure protection firmware can have outside of a physical switch. Physical protections (such as the BIOS jumpers of old) are great for security, but unreasonable to implement in the enterprise. That’s why BIOS jumpers went away for the most part.

Linux, IBM hardware, and Apple have long led the way with EFI booting — Apple introduced it in 2006 with its first Intel-based Macs. According to the UEFI Forum President Mark Doran, who also works for Intel, Linux had EFI during its Itanium days. But Linux’s x86 support of UEFI was a recent development; just a few months ago, it was only Fedora.

All computers carrying a Windows 8 logo must come with UEFI enabled. Early on, some Linux advocates worried that this meant a Windows 8 computer couldn’t run Linux. UEFI can be disabled on most UEFI-enabled computers, and Microsoft is now signing the relevant needed objects so that Linux users can be protected on dual- or single-booted UEFI-protected computers. If you install a 32-bit version of Windows on a UEFI-equipped PC, you cannot use the secure boot capability.

I asked Doran if he knew the status of Apple and UEFI. My last research showed early EFI 1.x support but not any UEFI or UEFI 2.3.1 support. Doran said, “The majority of current Apple computers … certainly any OS X computers, are based on EFI. I’m not aware of anything in the public realm related to Apple and UEFI, and you would have to speak to them for a comment.” I reached out to Apple for comments on its UEFI intentions in the course of writing my last UEFI article, but no one responded.

I asked Doran if any other device manufacturers were picking up UEFI, as it is often promoted as a solution for any device, not just standard-form-factor computers. He said, “There’s lots of work in progress, but not any release products I can point you to right now. We are seeing the proliferation of UEFI in the computer marketplace and increased use in the PC world is helping to promote UEFI’s growth in adjacent spaces.”

Measuring UEFI risk

Lastly, I asked Doran about the threat model of nonstandard BIOSes versus UEFI. BIOSes are easier to corrupt — but they come in many different versions. For instance, I did an inventory for a large company with more than 7,000 distinct BIOSes, each of which had a slightly different update path. A virus writer would have to specifically code for each BIOS to maliciously update it. UEFI is harder to maliciously modify, for sure, but presents a common base that attackers could target.

Doran said this risk is a concern for the UEFI forum: “You would have to talk to each VAR to find out what they look at in their own UEFI implementations, but at Intel we are absolutely concerned about the risk, so there are teams that do secure code review, testing, fuzzing, and other similar techniques. Are we absolutely sure we have all bugs gone? No, of course not, but we are working our best on the risk for sure.”

Here’s how I measure the risk. Right now, a novice malware writer could write a worm that could brick a significant number of the computers in your network. With a little research and more malicious code, they could brick not only your computers, but printers, network devices, and (non-UEFI) mobile devices. There’s a reason more and more computers are becoming UEFI protected.

For mission-critical computers, I recommend that companies use UEFI-enabled computers and devices. Most end-users can’t tell the difference between a UEFI-protected computer and one that isn’t. Why not get the extra protection and decreased risk for the same price? If your computer manufacturer doesn’t offer UEFI, now’s the time to pressure the makers to get on the ball. Firmware attacks are a risk that many of the world’s leading CSOs expect to rise over time.
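On Linux, an administrator can tell the difference by reading the firmware state the kernel exposes under /sys/firmware/efi. The script below is an added example, not part of the original column; the ROOT argument and the state labels are hypothetical names chosen here, and it assumes efivarfs is mounted at /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example: classify a Linux host's boot firmware state for inventory.
# EFI_GLOBAL is the EFI global-variable GUID defined by the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efi_var_byte ROOT NAME
# Print the value of a one-byte EFI global variable as a decimal number.
# efivarfs files begin with a 4-byte attribute word, so the data is byte 5.
efi_var_byte() {
    f="$1/sys/firmware/efi/efivars/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] && printf '%s' "$v"
}

# firmware_state [ROOT]
# ROOT is a hypothetical prefix used for testing against a constructed tree;
# leave it empty to inspect the running system.
# Labels printed (chosen for this example):
#   legacy-bios-boot         no EFI runtime: BIOS, or UEFI booted in legacy mode
#   uefi-secureboot-unknown  UEFI boot, but the SecureBoot variable is unreadable
#   uefi-secureboot-on       UEFI boot with signature enforcement active
#   uefi-setup-mode          UEFI boot, no platform key enrolled yet
#   uefi-secureboot-off      UEFI boot, secure boot disabled in firmware setup
firmware_state() {
    root="${1:-}"
    if [ ! -d "$root/sys/firmware/efi" ]; then
        echo "legacy-bios-boot"
        return 0
    fi
    sb=$(efi_var_byte "$root" SecureBoot) || {
        echo "uefi-secureboot-unknown"
        return 0
    }
    sm=$(efi_var_byte "$root" SetupMode) || sm=0
    if [ "$sb" = "1" ]; then
        echo "uefi-secureboot-on"
    elif [ "$sm" = "1" ]; then
        echo "uefi-setup-mode"
    else
        echo "uefi-secureboot-off"
    fi
}

# Report the state of the machine this script runs on.
firmware_state
```

Any result other than uefi-secureboot-on means the boot chain on that host is not being signature-checked, even if the hardware itself ships with UEFI firmware.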

One day we will likely live in a world where firmware attacks are almost commonplace. I wouldn’t want my company to be under one of those attacks — and have to explain why I knew about the threat vector and didn’t get the protection when it was available, often at no additional cost.

It’s like not having to worry about the Y2K bug. When your CEO comes around asking about it because she read about it in the latest issue of Bloomberg Businessweek magazine or on CNN, wouldn’t it be nice to tell her that you already have that issue on lockdown?

This story, “Ultimate PC security requires UEFI — and Windows 8 or Linux,” was originally published at InfoWorld.com.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.