UEFI Secure Boot Bypasses and The Dawn of Bootkits
In March 2023, ESET Research confirmed the rumors about BlackLotus, a UEFI bootkit reputedly sold on underground forums since at least October 2022. It is the first publicly known UEFI bootkit capable of bypassing UEFI Secure Boot. It exploits a vulnerability that was already more than a year old (CVE-2022-21894, patched in January 2022 but whose vulnerable, validly signed binaries had still not been added to the UEFI revocation list, the DBX) to bypass UEFI Secure Boot on fully updated Windows systems. This confirms that bootkits are no longer a problem of legacy BIOS systems only; they are a realistic threat to the majority of UEFI firmware systems in use today.
In this session, we answer the questions many people have about the state of UEFI security: How can a vulnerability that has been known and patched for over a year still be used to deploy such a dangerous threat? Is it the only vulnerability of its kind? And what can we do to protect against such bootkits?
We start with the basics of UEFI bootkits, explaining how they persist and what they can do once deployed. Next, we discuss how UEFI Secure Boot works and, most importantly, how it can be bypassed, by walking through several selected cases of known UEFI vulnerabilities, each of which allows UEFI Secure Boot to be bypassed or disabled with little effort. Together, these cases explain why we think it is only a matter of time before another bootkit like BlackLotus appears, and why we think BlackLotus is a clear foreshadowing of the future of UEFI threats.
Finally, we look at what you can do to protect against UEFI bootkits, how a bootkit can be detected once a system has been compromised, and how it can be removed.
Mr. Martin Smolár
Martin Smolár is a Malware Researcher at ESET. His main responsibilities include malware analysis, with a special focus on UEFI bootkits and firmware implants. Besides malware, he is particularly interested in UEFI security and in reverse engineering the secrets of UEFI firmware. In his research, he tries to point out the problems UEFI systems face, and actively works to make them safer by uncovering UEFI vulnerabilities and reporting them to the affected parties. To date, Martin has discovered more than ten UEFI vulnerabilities, many of them allowing easy bypasses of the essential UEFI security mechanism, UEFI Secure Boot.