Windows PCs [& laptops & tablets] use something called a BIOS -- wikipedia[.]org/wiki/BIOS – that ties the different components together, e.g., network & graphics adapters, RAM, CPU etc., sets parameters such as the CPU & RAM operating frequencies and voltages, and then starts up the operating system’s boot loader, which in turn starts Windows. Because it’s the very first link in the chain to running Windows, the BIOS is also the ultimate target for malware – infect the BIOS and nothing short of replacing the BIOS code can stop it.
Since the BIOS itself is too limited to run any sort of antivirus code or measures, the industry came up with Secure Boot – when it’s enabled the BIOS will only start a boot loader that matches a cryptographic key. So far so good, except we’re talking about an industry with a low profit margin focused on cost savings with lazy habits and minimal if any customer support. Those cryptographic keys leaked, while companies were lax about updating BIOS code or firmware to revoke old keys and add new ones. And searching for BIOS updates and flashing them is something most consumers have never heard of.
Then in the first part of 2023 BlackLotus malware happened – using an insecure Secure Boot key it infected the BIOS. That led Microsoft to devise a plan where it would take control of the allowed and disallowed Secure Boot keys, storing these lists of keys on the boot [EFI] partition, and using a bootloader that took over this responsibility from the BIOS. Problem 1, this would break every existing bootable USB stick or drive – so far there are no real replacements available. Problem 2, many BIOS are incompatible with the new scheme. Problem 3, if you update the BIOS firmware Windows will not boot or start. As it’s been over a year since they started this project, *if* Microsoft ever forces everyone to use it, it would be fair to expect most everyone to simply turn Secure Boot off.
You might expect that turning Secure Boot off would make everyone more vulnerable, and you’d likely be wrong. Ignoring the debate over whether Secure Boot was ever more than window dressing to begin with, large numbers of those cryptographic keys have leaked, and large numbers of devices were shipped using well known sample keys never intended for production. This is highlighted in a new report from the Binarly Research Team that was picked up and expanded on by Ars Technica.
arstechnica[.]com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/?s=31
bleepingcomputer[.]com/news/security/pkfail-secure-boot-bypass-lets-attackers-install-uefi-malware/
Binarly has 2 web pages that may interest you if you’re more tech inclined… the 1st checks to see if BIOS code contains one of the sample Secure Boot keys, while the other checks for a long list of BIOS vulnerabilities [I printed a PDF of the results for this PC, and it was 66 pages!]. To use either requires uploading the BIOS code, which you can [usually/hopefully] get from the device or motherboard manufacturer as a download to flash the BIOS.
pk[.]fail/
binarly[.]io/advisories/brly-2024-005-usage-of-default-test-keys-leads-to-complete-secure-boot-bypass
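
The pk.fail checker works on an uploaded BIOS image; a related local check is to look at the Platform Key (PK) the machine actually has enrolled. The Python below is an added example, not code from Binarly or from this post: it parses the PK variable's EFI_SIGNATURE_LIST and flags certificates carrying the "DO NOT TRUST" / "DO NOT SHIP" strings reported for the sample keys. The marker strings, the Linux efivarfs path and the helper names are assumptions that do not come from this page.

```python
import struct
import sys
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec
# Marker strings publicly reported in the sample keys' certificate names
# (assumption: taken from PKfail reporting, not listed on this page).
MARKERS = ("DO NOT TRUST", "DO NOT SHIP")
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def iter_x509(siglists: bytes):
    """Yield each DER certificate stored in a chain of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(siglists):
        sig_type = uuid.UUID(bytes_le=siglists[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", siglists, off + 16)
        if list_size < 28 or off + list_size > len(siglists):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_type == EFI_CERT_X509_GUID and sig_size > 16 and pos + sig_size <= end:
            yield siglists[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner GUID
            pos += sig_size
        off = end


def find_test_keys(siglists: bytes):
    """Return the markers present in any certificate (ASCII or UTF-16BE encoded names)."""
    certs = list(iter_x509(siglists))
    return [m for m in MARKERS
            if any(m.encode("ascii") in c or m.encode("utf-16-be") in c for c in certs)]


def make_list(cert: bytes) -> bytes:
    """Build a one-entry signature list (only used for the constructed samples below)."""
    body = uuid.UUID(int=0).bytes_le + cert
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body


# Constructed samples: placeholder bytes standing in for real DER certificates.
SAMPLE_TEST_PK = make_list(b"\x30\x82...CN=DO NOT TRUST - AMI Test PK...")
SAMPLE_VENDOR_PK = make_list(b"\x30\x82...CN=Example Vendor Platform Key...")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else PK_PATH
    with open(path, "rb") as f:
        raw = f.read()[4:]  # efivarfs files start with a 4-byte attribute field
    print(find_test_keys(raw) or "no sample-key marker found in PK")
```

A clean result only means the enrolled PK lacks those strings; it says nothing about the other BIOS vulnerabilities the second Binarly page checks for.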