UEFI firmware vulnerable to malware implants; worse than “legacy BIOS” ever was.
According to security researchers at anti-virus firm Kaspersky, UEFI “implants” that put rootkits into Microsoft Windows are fairly common, and have been since at least six years ago.
Ever since Microsoft and Intel teamed up to foist this horrible PC firmware “standard” onto PC users, they’ve had people such as Security Theater person Matthew Garrett cheer-leading it for them and claiming that it makes great leaps and bounds to secure your computer.
He’s bounced around from one job to another over the years. At one point, he was working for Red Hat, when he came up with “Security Theater Boot” for Linux, which requires Microsoft to give permission for your PC to boot.
Ars Technica: Fedora could seek Microsoft code signing to contend with secure boot
Web / Gemini (NewsWaffle) / “WebWaffle”
Ever since Garrett’s specification was adopted, GNU/Linux distributors have had to beg Microsoft and pay them to sign their distribution’s bootloader, or else their operating systems don’t boot up on affected PCs.
Instead of telling users to turn off “Secure Boot” or at least just add the distribution’s certificate to the firmware instead, this is where we’ve ended up.
I always turn off “Secure Boot” because I’ve never had it prevent any actual attack, and as far as I’m aware, it never has.
It is part of an attack, on the user.
Matthew Garrett has attacked me repeatedly in the past, especially when I pointed out Lenovo’s 2016 assault on GNU/Linux, in which they crippled some of their laptops to lock them into a mode that only the supplied version of Windows would boot with.
Now he’s trying to gain relevance again, and some people are falling for it, by himself complaining about Lenovo and Microsoft’s current corrupt business practices, which is to disable the Microsoft certificate that allowed this scheme to work.
Thanks to Garrett enabling Microsoft to avoid the coming lawsuits that would have happened had Security Theater Boot stopped a Windows 8 laptop from allowing Linux to boot up, today if a person tries to boot a Linux kernel, a Windows sticker-compliant laptop with “Microsoft Pluton” will now simply say it’s not allowed “due to a security policy”.
When you enable thugs, they get worse, not better. They come back and try to get away with more.
While Lenovo has posted instructions for turning on the Microsoft Third-Party CA, Mr. Garrett pointed out that doing that will trip up Bitlocker, Microsoft’s backdoored and fake disk encryption setup, and lock you out of your computer, and potentially cause data loss. (It’s happened to me!)
Since flipping off “Secure Boot” makes GNU/Linux work and it’s ridiculous to even attempt to dual boot Windows with anything, since it has always eventually gone on the attack and corrupted the other OS, and turning it off gives you the freedom you used to have to modify your OS to do whatever you want, I persist in saying this is the only correct approach to dealing with it.
So, things have come full circle and the guy who actually accused me of being a conspiracy theorist and Microsoft basher when Lenovo did something far nastier to me, and I went to the Attorney General of Illinois and got that reversed, has co-opted my position about Lenovo from 6 years ago.
The facts about UEFI couldn’t be more of a 180 from what Garrett and other UEFI promoters have been saying over the years.
The code to implement UEFI is gargantuan. The standard that defines it was rushed and based largely on EFI, which was meant for Intel’s failed Itanium CPU architecture.
As such, the implementations were not debugged very well. On top of all of this, the existing “PC BIOS Mafia” of companies like Award, Phoenix, and AMI, was largely preserved.
When PC OEMs go to include a UEFI firmware package, they license an “off the shelf” solution, usually from one of these companies, and then add or remove features from it, much like they did before with the “Legacy BIOS”.
The way these companies got their start was by reverse engineering how the original IBM PC’s firmware (BIOS) worked, and so they’ve been an established cartel since the 1980s.
The problem is that the PC OEMs aren’t concerned about actually securing your computer, or the safety of the data that it stores.
They are more concerned with getting Windows booting and complying with some idiotic Windows sticker program requirements so that they can get kickbacks from Microsoft.
Without these “rebates”, the cost of Windows goes way up and they are at a competitive disadvantage with other PC makers in the marketplace.
Microsoft is also not really concerned with making progress in computer and IT security. The illusion of progress will suffice. Even when it really means that the situation on the ground is backsliding terribly.
Nobody punishes them for it. Governments like the United States federal government release “weak” and “watered down” security requirements and “executive orders” which mean nothing.
Then you hear about another business or government agency getting hit by ransomware, and there’s no gasoline or chickens for a month or so until they pay the criminals in Bitcoin and get their data back.
My last PC without UEFI, a Phenom II X4-based desktop with a “Legacy BIOS”, was very stable and I ran it for years.
I bought it like that deliberately, knowing that Linus Torvalds, the creator of the Linux kernel, spent about a decade with nothing really positive to say about “EFI”, describing it as “broken” and “hacked up”.
As Microsoft has been buying influence and control over outfits such as the “Linux Foundation” (which only spends 4% of its budget on Linux), Linus Torvalds was forced into silence.
He used to call bullshit on public mailing lists about something bad unfolding in the PC industry, and ever sense his forced “apology tour” and “time out”, he’s never really been the same.
(Various elements claiming to be part of the FOSS movement try to stir up shit against important figures to cause strife and conflict, by slandering them in public with spurious allegations, like what happened to Richard Stallman.)
The early days of UEFI were a complete shit show, where all kinds of computers shipping with it would be bricked when trying to use “standard” and “documented” native UEFI interfaces.
Even the PC OEMs shipping with it often knew to hide it behind a “Legacy BIOS” emulator and stop the OS from interacting with it directly, lest even Windows break something, and they would have to warranty the computer.
Fixing computers after they sell them is really not what OEMs want to do. Often on “consumer” oriented stuff, you don’t even get one UEFI update after they sell it.
The only reason why Lenovo ever updated the Yoga 900-ISK2 is because I took action against them. As far as I know, they never fixed any security problems with it, and Ubuntu actually broke that particular model by interacting with the firmware using the Intel Serial Peripheral Interface driver, which was useless for most people, and luckily not even built by Fedora, which is what I was using.
OMG Ubuntu!: Ubuntu 17.10 Breaks the BIOS on Some Lenovo Laptops
Web / Gemini (NewsWaffle) / “WebWaffle”
Aside from the garden-variety awfulness of the UEFI “standard” that you’d expect, given it came from Microsoft and Intel, and is implemented by the “BIOS Mafia” and OEMs, it’s vulnerable to malware that is essentially impossible for Windows anti-virus software to remove.
These “implants” are designed to get into the Windows kernel, patch it in-memory to turn off security features, and then deliver a malicious payload that becomes part of the operating system.
The one detected by Kaspersky appears to have been written by a “Chinese group”, possibly, likely, a state-sponsored one.
To have any chance at all against malware like this, you have to constantly security patch your UEFI firmware, but that too is dangerous and in some cases, difficult.
They don’t make any official flashers for GNU/Linux, and the only way I’ve seen to deal with this on most computers is to make a Windows Pre-Installation Environment USB stick with the flasher on it.
Flashing your firmware is dangerous. You can go from a working system to something totally corrupt that won’t boot. If you’re not in warranty, your OEM will make you pay to ship it both ways and to have the motherboard replaced, which will cause total data loss.
Even if the flash is successful, it often puts in crazy settings that were not the default in the last build, which you have to know to go into the setup program and fix.
If you get through all of that, there will just be more vulnerabilities next month. They’re endless.
Intel is incompetent. Apple gave up trying to fix them and started developing their own CPUs. Every year, Intel has only gotten much worse.
I would love to flash my UEFI firmware to knock out the security vulnerabilities that I know have been piling up since I last updated the firmware in September of 2021, right before switching the computer over to GNU/Linux permanently.
Lenovo UEFI updates require Windows, but the Hiran’s BootCD PE is a bootable Windows 10 on a flash drive.
It’s a gimpy version of Windows 10, but if all you’re using it for is to run a flasher and then get rid of it, it might be tolerable, if only barely.
I’m actually less afraid of Hiran’s BootCD PE and a flasher from some dodgy Chinese UEFI vendor than I am of what Lenovo may have done to “customize” it, given what unfolded in 2016 with my Yoga 900-ISK2, and what Matthew Garrett now admits Lenovo does openly.
I have absolutely no intention of updating the UEFI and risking bricking it, only to find out that Lenovo has retroactively added some new sort of fuckery that prevents my laptop from rebooting into Linux.
I’m not currently having any MAJOR firmware-related issues, which is unusual on a PC, much less a Lenovo, so I’m going to let sleeping dogs lie.
Lenovo shipped firmware so broken on the Release Engineering date just to get the Thinkpad 15 ITL Gen2 out in time for their Black Friday deal in 2020 that it had major problems even handling Windows 10.
Then when the USB-C failed several months in and I had to ship it back for a warranty repair, to their service depot in Texas, they sent it back again with the original firmware on it. Forcing me to update to the firmware that fucked up Microsoft Bitlocker.
So basically, the events that transpired were USB-C failed, back everything up, Lenovo had to replace the entire motherboard, of course.
They soldered the SSD into the old one, so they ship me back a computer with a new motherboard and SSD, exactly in the Release Engineering condition. First thing I do is update the UEFI, and have it trip up the TPM, and cause Bitlocker to refuse to release the SSD contents.
I recover Windows anyway using the “Novo” button and figure out how to get into the emergency recover partition, which isn’t easy, you know, but whatever. The emergency recovery system took about 5 hours to recover Windows 10 for some reason.
I used it for another month and then I patched the UEFI again and the firmware couldn’t find the Windows Bootloader on the next reboot. Emergency recovery mode, again.
By this time, I rebooted into the UEFI and changed the storage mode to AHCI in preparation for replacing the OS with GNU/Linux because I was getting tired of this Windows shit anyway, and reboot.
Microsoft Bitlocker comes up again and tells me it refuses to unlock the disk.
So I proceed to install GNU/Linux using a USB stick I made on my other laptop, and once it’s installed, I go back into the UEFI and disable Secure Boot.
Because Secure Boot can have a “dbx update” that fucks up your ability to load various operating systems, which bit me in the ass on my older laptop once when I tried to boot Fedora after Ubuntu had updated the dbx as part of “BootHole”.
The short version is that UEFI just keeps biting you in the ass, especially if you try leaving Secure Boot on or leaving Windows on the computer, and doing anything at all with the computer to try to have any hope of maybe staying one step ahead of Chinese and Russian UEFI malware implant groups.
If you use Windows 10 or 11 today, it’s really the “Windows 2000 Summer of Worms” all over again, except now you’re practically guaranteed to get UEFI malware putting a rootkit into the Windows kernel and then shoving invisible malware that no anti-virus program will ever detect, and it will probably happen so quickly that you’ll be lucky if nobody gets you on the way to replace Windows.
On top of the “UEFI Summer of Worms”, UEFI just generally isn’t reliable enough to entrust your data to, and you’ll likely lose it several times over, especially if you have Microsoft Bitlocker turned on and try updating the firmware or changing some settings. There won’t be any warning. It will just happen.
You’ll lose your data to Microsoft Bitlocker because TPM state is incredibly fragile and it pretty much panics Bitlocker if someone in the room sneezes.
It even got Garrett by surprise while he was trying to figure out his new laptop, and he says he’s an “expert” on UEFI that understands it quite well and has had paying jobs related to it.
So if he barely has a chance to save his data, and even then only because his system had backed up his unlock key to Microsoft (LOL), what chance do you have?
Real disk encryption never hands the unlock keys to anyone but you. GNU/Linux has real disk encryption.
Windows gives you….a mirage. It hands your unlock keys to the government so if Johnny Law ever comes knocking, your data will be State’s Exhibit A. Meanwhile, do enjoy losing your data over and over and over again. I hope you have backups.
I never had this sort of trouble out of PC BIOS.
Sure they had bugs, but it wasn’t anything like this UEFI mess.
You can install all of the updates you want. It won’t matter. They’ll just cause more problems if you do.
If Intel and Microsoft have proven anything, it’s that they design systems, hardware, and specifications that are so bad that you can patch them until they’re not “supported” anymore and still only barely be any better off than when you had the computer dumped in your lap like it was.
Windows XP is a great example of this. It got patched for over 20 years (including the EOL updates which normal users could only get with registry hacks and visiting Web sites that leaked them out from paying customers), and the security situation still wasn’t much better than it used to be. The same thing happens to all of their products.
Why?
Fixing bugs and making software more reliable is a cost center.
When you want to maximize profits, it’s always easier to dump something in the customer’s lap that only barely works and to actually take care of it as little as you can get by with.
That’s been the way Microsoft and Intel have gotten things done for decades, and it’s not getting any better.
At the same time, Free and Open Source Software has gradually improved because the process iterates as bugs are fixed over the years.
Even if proprietary software companies care about quality (some do), the nature of the proprietary software beast is such that everyone you get to work on it is paid and sworn to secrecy, which limits how much development can get done.
Pretty much the only programmers that try to defend the notion proprietary software and slander FOSS are the ones cashing paychecks building proprietary software that does unethical things to the users.
Dumping broken crap into the customer’s lap and moving right along is exactly what’s going on with UEFI.
By the time Lenovo sells a laptop, especially to Home users who don’t know what firmware is, much less a malicious “implant”, most of the time there are never any security updates at all.
Why would they? From Lenovo’s perspective, trying to fix it up would only cost them money.
Lenovo has demonstrated to me repeatedly that it is far too stupid to patch up my “business class” laptop without tripping up Bitlocker or doing something that causes it to be unable to find the Windows Bootloader. If they update your computer at all, chances are they’ll hose it and get angry customers demanding warranty repairs.
How any of this would make it past even the slightest amount of quality control is beyond explanation, which hints to me that there probably is nobody testing this stuff, and since it can ruin your computer at a hardware level (impossible to fix) if it goes wrong, you’re gambling by installing the updates.
As a Home user, your security doesn’t matter to them. That’s a “you problem”.
A parade of awfulness ensues about half the time you try to patch the UEFI on a Lenovo computer according to their instructions, and that’s if you PLAN to keep using Windows. Just get rid of Windows. You’ll be so glad you did. If your UEFI works at all, live with it.
On a final note, I am very amused that Lenovo bumped the UEFI almost monthly for the first 10 months I owned this “Professional” grade laptop and none of those patches ever fixed the typos in their firmware setup program.
If you watch how many CPU security bugs Intel springs and what has to be done to plug them, and how usually that doesn’t even work and OS vendors have to keep coming back and dealing with the same problem over and over again, you’ll leave with the distinct impression that UEFI updates are likely pointless anyway. Linux can update the CPU firmware at boot anyway, and that’s usually the biggest part of the UEFI update.
In my opinion, only a person of first-order stupidity or corruption could praise Intel and Microsoft knowing what the real score is.
Much less implement their specifications and tell others to use them.
Linus Torvalds said he managed the release for the latest Linux kernel using an “Apple Silicon” (ARM64) Mac using Asahi Linux.
If things keep going the way they are on the Intel PC, I may very well go that direction as well.
It sounds like things are really starting to shape up for Linux over there and I’m sure the computer is less of a disaster if that’s why Linus has switched to one. ⬆