BlackLotus and the Untold Story of how UEFI Secure Boot Became a Gateway for Cyber Attacks on Millions of Servers

Webinar Registration

UEFI Secure Boot is supposed to provide a trusted boot chain so that, from the moment the system powers up, the CPU never runs untrusted code. UEFI enforces this during the pre-OS phase of booting and then carefully hands the baton to the kernel. Both Linux and Windows support UEFI Secure Boot.

Bootloaders are a key component of UEFI and at the end of the day bootloaders are just software. And software has vulnerabilities. The design of UEFI anticipates this and provides a way to blacklist vulnerable bootloaders with the Secure Boot Forbidden Signature Database – otherwise known as the DBX.

Sounds good in theory but the whole area of UEFI Secure Boot is so broken it’s hard to know where to begin – making things like BlackLotus so viable. What’s broken about UEFI Secure Boot?

  • It takes months for vulnerable bootloaders to make it into the DBX published on UEFI’s website.
  • It can take still longer for Microsoft to update Windows to install the new DBX. Why? Read on.
  • DBX updates can only be applied safely if you have first updated your firmware so that your system no longer depends on any of the bootloaders being revoked. Otherwise your system is bricked.
  • It’s not easy to update firmware – every system is different.
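One thing a defender can do about the DBX lag above is check the revocation list directly. The following is an added example (my own code, not from the webinar, Eclypsium or Microsoft): it parses the EFI_SIGNATURE_LIST format that db and dbx use and reports which PE image SHA-256 hashes are currently revoked, run here on a constructed blob; the Linux efivarfs path and its 4-byte attribute prefix are assumptions about how efivarfs exposes the variable.

```python
import struct
import uuid

# Signature-type GUID from the UEFI specification for SHA-256 image hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Assumed Linux efivarfs path of the dbx variable; the file's first 4 bytes are attributes.
DBX_EFIVARFS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARFS_ATTR_LEN = 4

def parse_signature_lists(blob: bytes) -> list[dict]:
    # Each EFI_SIGNATURE_LIST: SignatureType GUID (16), SignatureListSize (u32),
    # SignatureHeaderSize (u32), SignatureSize (u32), optional header, then
    # EFI_SIGNATURE_DATA entries of SignatureOwner GUID (16) + SignatureData.
    lists, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        entries, pos = [], off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        lists.append({"type": sig_type, "entries": entries})
        off += list_size
    if off != len(blob):
        raise ValueError("trailing bytes after the last signature list")
    return lists

def revoked_sha256_hashes(dbx: bytes) -> set[str]:
    # Hex SHA-256 PE image hashes the DBX revokes; X.509 certificate lists are ignored.
    return {data.hex() for sl in parse_signature_lists(dbx)
            if sl["type"] == EFI_CERT_SHA256_GUID for _owner, data in sl["entries"]}

def build_sha256_list(hashes: list[bytes]) -> bytes:
    # Constructed helper: serialize hashes as one EFI_CERT_SHA256 signature list.
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

def load_live_dbx(path: str = DBX_EFIVARFS_PATH) -> bytes:
    # Read the running Linux system's DBX, dropping the efivarfs attribute dword.
    with open(path, "rb") as f:
        return f.read()[EFIVARFS_ATTR_LEN:]

# Constructed sample DBX with two made-up revoked hashes (not real indicators).
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32])
```

To check a real machine, call revoked_sha256_hashes(load_live_dbx()) and compare the result against the hashes in the DBX update you expect to have applied.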

This creates conditions for the perfect storm. Enter BlackLotus, the first in-the-wild UEFI bootkit. BlackLotus runs on fully updated Windows 11 with UEFI Secure Boot enabled. The one prerequisite is admin rights, which is a given for the vast majority of Windows users. Like the older “rootkit”, UEFI bootkits are powerful: they let the attacker own the OS at a very low level, which in turn lets them stay invisible while doing anything to, on or from the system. And understand that UEFI bootkit attacks DO NOT need physical access.

In this real training for free webinar, I’ll explain how BlackLotus works based on research at welivesecurity and our sponsor Eclypsium. I can’t demonstrate BlackLotus because it’s sold on the dark web, but we’re going to do something just as cool. Security researcher Nate Warfield is back and will give a live demonstration of another BlackLotus-style bootkit, designed at Eclypsium, that uses the same UEFI Secure Boot vector involving the DBX.

After taking over the system, Nate will fix the vulnerability and show how the attack is now defeated.

Eclypsium is a natural fit for this topic because they have extensive experience in both firmware and bootloader attacks, including multiple vulnerabilities discovered in GRUB and Secure Boot. While Microsoft released patches to address these reports in 2020 and 2022, full remediation required additional administrative steps and as a result, a large majority of systems remain vulnerable to these attacks today.

Please join us for this technical and eye-opening real training for free session.
