<— Back

UEFI Secure Boot Bypasses and The Dawn of Bootkits

In March 2023, ESET Research confirmed the rumors about BlackLotus, a UEFI bootkit reputedly being sold on underground forums since at least October 2022. This is the first publicly known UEFI bootkit bypassing UEFI Secure Boot. It exploited a one-plus-year-old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot on fully updated Windows systems, confirming that bootkits are not just for legacy systems anymore, but a potential threat for a majority of UEFI firmware systems nowadays.

In this session, we answer the questions many people have about the state of UEFI security: How is it that the one-plus-year-old known vulnerability can be used to deploy such dangerous threats? Is it the only such vulnerability? And what can we do to protect against such bootkits?

We start with the basics of UEFI bootkits to explain how they persist and what they can do once deployed. Next, we discuss how UEFI Secure Boot works, and most importantly, how it can be bypassed, by looking at several selected cases of known UEFI vulnerabilities – all very easily allowing bypassing or disabling of UEFI Secure Boot. All this to explain why we think it is only a matter of time until another bootkit like BlackLotus appears, and why we think BlackLotus perfectly foreshadows the future of UEFI threats.

Finally, we look into what you can do to protect against UEFI bootkits, what can be done to detect a bootkit once you get compromised, and how to remove it.