welivesecurity[.]com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
In a long, at times technical read, ESET details the BlackLotus bootkit, and how / why it works. However, for most people the main point is that secure boot isn't nearly all it's hyped up to be, especially if your PC/laptop is no longer updated by the manufacturer.
Using the broadest definition of a PC, a personal computer, including everything from cell phones to chromebooks to laptops & desktops, the main circuit board needs a controller to orchestrate how all the individual parts or components work together so the device will function as intended. It's also the first step in getting the operating system up & running, making it the ideal target for malware -- infecting a device at this level gives it almost superpowers.
While a device like a cell phone is designed as a complete package, others, like a laptop for example, can use a large variety of components, e.g., CPUs, so that controlling function is handled by a separate chipset called the BIOS, with the flexibility needed to work with a variety of parts. Nowadays the BIOS almost certainly uses a standard called UEFI, meaning it runs a mini Linux-like OS that, like any other OS, can be compromised.
When the device is turned on the BIOS starts / runs software that [eventually] starts the OS -- Secure Boot is supposed to make running malware harder by comparing that software to a whitelist of known good files. One problem is keeping that whitelist up to date as vulnerabilities are discovered. Another problem is that when the software with vulnerabilities is included in the BIOS software itself [remember it's an OS running programs], just removing it from the whitelist, and doing nothing else, could break the device so it would no longer boot the OS. Updating the BIOS is the responsibility of the device manufacturer. Once you buy a laptop, PC etc., the typical manufacturer grudgingly provides some level of warranty service for a set time, after which you cease to exist. Getting a BIOS update after the warranty expires is Rare.
Takeaways
Many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years. Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed – or at least after we were told they were fixed. For a better image, here are some examples of the patch or revocation failures allowing UEFI Secure Boot bypasses just from the last year:
First of all, of course, CVE-2022-21894 – the vulnerability exploited by BlackLotus. One year since the vulnerability was fixed, vulnerable UEFI binaries are still not revoked, allowing threats such as BlackLotus to stealthily operate on systems with UEFI Secure Boot enabled, thus providing victims a false sense of security.
Early in 2022, we disclosed several UEFI vulnerabilities that allow, among other things, disabling UEFI Secure Boot. Many devices affected are not supported by the OEM anymore, thus not fixed (even though these devices were not so old – like 3-5 years at the time of vulnerability disclosure). Read more in our blogpost: When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
Later in 2022, we discovered a few other UEFI vulnerabilities, whose exploitation would also allow attackers to disable UEFI Secure Boot very easily. As pointed out by fellow researchers from Binarly, several devices listed in the advisory were left unpatched, or not patched correctly, even a few months after the advisory – leaving the devices vulnerable. Needless to say, similar to the previous case, some devices will stay vulnerable forever, as they have reached their End-Of-Support date.
It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled. As we suggested last year in our RSA presentation, all of this makes the move to the ESP more feasible for attackers and a possible way forward for UEFI threats – the existence of BlackLotus confirms this.
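The "whitelist" the post describes is the Secure Boot db variable, and revocation is the dbx variable; both are concatenations of EFI_SIGNATURE_LIST structures. The parser below is an added example (not ESET's code and not from the linked article) that walks that layout and answers the defender's question from the Takeaways: is a given boot binary's hash actually present in dbx on this machine? The sample dbx and its hashes are constructed; in a real dbx the SHA-256 entries are Authenticode hashes of PE images, not plain file hashes.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER_LEN = 28  # GUID(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_esl(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (the layout of db and dbx)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < HEADER_LEN or end > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + HEADER_LEN + hdr_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA = owner GUID + data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(blob: bytes) -> set:
    """Only EFI_CERT_SHA256 entries are image hashes; X.509 entries revoke a whole signer."""
    return {data.hex() for t, _, data in parse_esl(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_list(sig_type: uuid.UUID, entries, owner=uuid.UUID(int=0)) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; all entries in a list share one SignatureSize."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample: these hashes stand in for Authenticode hashes of revoked boot binaries.
REVOKED = [hashlib.sha256(b"constructed: vulnerable bootloader %d" % i).digest() for i in range(2)]
NOT_REVOKED = hashlib.sha256(b"constructed: patched bootloader").hexdigest()
SAMPLE_DBX = build_list(EFI_CERT_SHA256_GUID, REVOKED) + build_list(EFI_CERT_X509_GUID, [b"constructed-der"])
```

To run it against a live Linux system, read /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and skip its first 4 bytes (efivarfs prepends the variable attributes) before passing the rest to parse_esl.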