• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Hacking
  • Security
  • A new way to bypass Secure Boot security mechanism of UEFI

A new way to bypass Secure Boot security mechanism of UEFI

Pierluigi Paganini June 02, 2014

Security Experts discovered a new attack method to defeat Secure Boot security mechanism of the UEFI (Unified Extensible Firmware Interface).

The Secure Boot security mechanism of the UEFI (Unified Extensible Firmware Interface) can be circumvented on around half of PCs that use it, security researcher Corey Kallenberg from nonprofit research organization Mitre has demonstrated it at the Hack in the Box 2014 security conference in Amsterdam.

“The Unified Extensible Firmware Interface (UEFI) (pronounced as an initialism U-E-F-I or like “unify” without the n) is a specification that defines a software interface between an operating system and platform firmware. UEFI is meant to replace the Basic Input/Output System (BIOS) firmware interface, present in all IBM PC-compatible personal computers.[1][2] In practice, most UEFI images provide legacy support for BIOS services. UEFI can support remote diagnostics and repair of computers, even without another operating system.” reports by Wikipedia.

The hack doesn’t work on any machine because there are significant differences in how UEFI is implemented by different computer manufacturers. The resercher demonstrated that bypassing the Secure Boot an attacker can install a bootkit, that is a rootkits which starts just before the OS hiding itself in the system’s bootloader.

Secure Boot uefi 2

Kallenberg has also shown that it’s possible to render some systems unusable by modifying a specific UEFI variable directly from the OS, a circumstance that is really worrying because attackers could easily use the technique in cyber sabotage attacks.

Just one year ago a group of researchers from Intel and Mitre discovered a significant security issue in UEFI implementations from BIOS vendor American Megatrends, the team has found that a UEFI variable called “Setup” was not properly protected and could be modified directly by a process running with administrative permissions in the OS. A similar attack could be run from the OS by a malware running with administrative privileges. An attacker is allowed the bypassing of Secure Boot modifying the Setup variable in a specific way, the Secure Boot checks if the bootloader is digitally signed and that it is on a whitelist before executing it. If an attacker modifies the Setup value the machine will not be able to start again.

Kallenberg also presented a new way to bypass Secure Boot efficient on OEMs not using the security mechanism SMI_LOCK in their UEFI implementations. The researcher discovered that in this last case it is possible to run code in kernel mode to temporarily suspend SMM (System Management Mode) and add a rogue entry into the list of trusted bootloaders by Secure Boot. The modification of the list allows at the successive reboot the execution of the malicious bootloader bypassing Secure Boot. The team of experts at Mitre developed a Windows software, dubbed Copernicus, to analyze the UEFI implementation in any system and report the different security features it uses. Running the application in their organization across 8,000 systems they have discovered that nearly 40% of the machines did not use the SMI_LOCK protection. The researchers are now extending the test to 100,000 systems outside their organization to complete their study. The group also discovered that even if OEMs release BIOS updates with SMI_LOCK protection in the future and customers install them, for nearly 50% of updated systems, attackers will be able to restore an older, unprotected BIOS version from inside the OS. Also in the scenarios exposed, an attacker serving a malware with administrative privileges could install an older digitally signed driver from a legitimate hardware manufacturer that’s known to have a vulnerability.

” Since the driver runs in kernel space, he could then exploit the vulnerability to execute malicious code with ring 0 privileges”, the researcher said.

Recovering from such an attack would be time consuming because it could be necessary to reprogram the BIOS chip with a manual intervention and specialized equipment. It’s time to consider this type of attacks seriously!

Pierluigi Paganini

(Security Affairs –  Secure Boot, cybercrime)


facebook linkedin twitter

Bios bootkit cyber sabotage Hacking malware rootkit Secure Boot UEFI

you might also like

Pierluigi Paganini July 29, 2025
Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data
Read more
Pierluigi Paganini July 28, 2025
U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

    Hacking / July 29, 2025

    U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

    Security / July 28, 2025

    Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

    Security / July 28, 2025

    Scattered Spider targets VMware ESXi in using social engineering

    Cyber Crime / July 28, 2025

    China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

    Hacking / July 28, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT