Securing BIOS Firmware: Common Pitfalls and Best Practices


BIOS firmware is the software responsible for initializing your computer’s hardware before the operating system (OS) takes over. As the first code executed during startup, its security is critical to overall system security. A compromise at this foundational level can potentially jeopardize the entire system’s security and stability. When BIOS firmware is compromised, the results can be severe. Attackers can gain backdoor access, steal sensitive data, or even render devices inoperable, a state commonly known as “bricked.” High-profile attacks such as BlackLotus and LogoFAIL highlight the devastating potential of these breaches and illustrate how attackers can bypass conventional BIOS security measures entirely.

The Security Risks of Compromised BIOS Firmware

BIOS firmware plays a crucial role in a computer’s security architecture, and a compromise of it can lead to significant security risks. These include:

  • Backdoor Access: Attackers can insert persistent backdoors into BIOS firmware, allowing them to bypass OS defenses. This access enables unauthorized control, facilitating actions like data theft or further exploitation without detection.

  • Data Theft: With BIOS access, attackers can extract confidential information from the system. This includes sensitive data such as credentials, financial details, and other personal information, which can be stolen and transmitted undetected.

  • Bricking the Device: A compromised BIOS can render a device unusable, or “bricked,” meaning the system may fail to boot or operate correctly. This can result in data loss and substantial operational disruptions. The Saudi Aramco breach is a well-known example.

Real-World Examples of BIOS Firmware Attacks

BlackLotus

BlackLotus is a sophisticated BIOS rootkit that has emerged in recent years. Operating at a deep level within the system’s firmware, BlackLotus is exceptionally challenging to detect and eradicate. It can survive OS reinstalls and hard drive changes, giving attackers persistent control over the infected machine. This rootkit allows attackers to maintain continuous access and monitor or exfiltrate data over extended periods. In addition, BlackLotus can even disable Secure Boot, meaning that hackers could potentially launch a rogue OS, taking complete control over the endpoint.

LogoFAIL

LogoFAIL is a vulnerability discovered in UEFI firmware that affects the way logos or images are loaded during the boot process. This vulnerability allows attackers to exploit the UEFI firmware by placing malicious code in the logo image, which can then execute with high privileges early in the boot process. The vulnerability arises from improper validation or handling of image files, allowing attackers to bypass security mechanisms such as Secure Boot. LogoFAIL is particularly concerning because UEFI firmware operates below the operating system, and malicious code introduced here can persist even after reinstalling the OS or swapping out the hard drive, making it a powerful tool for persistent threats. This underscores the importance of securing the entire software stack, including seemingly harmless components like logo images, as part of a comprehensive UEFI BIOS firmware security strategy.

These are just two examples that highlight the need for reliable BIOS firmware security. They show how a compromised BIOS can lead to severe security threats, making vigilant updates, remote configuration, and real-time monitoring indispensable.

Common Pitfalls in Securing BIOS Firmware

Neglecting Firmware Updates

One of the most critical yet often overlooked aspects of BIOS security is keeping the firmware up to date. Firmware updates are essential as they address known vulnerabilities and introduce security patches. Failing to apply these updates can leave systems exposed to exploits that target outdated firmware. Attackers often seek out systems with unpatched vulnerabilities, making regular updates crucial for maintaining system integrity and protecting sensitive data.

Misconfigured BIOS Settings

Proper BIOS configuration is vital for maintaining system security. Common misconfigurations include disabling Secure Boot, which is designed to prevent unauthorized operating systems and bootloaders from running. Without Secure Boot, systems become more susceptible to rootkits and bootkits that can bypass standard security measures. Correctly configuring BIOS settings, such as enabling Secure Boot and restricting boot options, is essential to defend against unauthorized access.

Overlooking Firmware Integrity

Maintaining the integrity of BIOS firmware is crucial as malicious alterations to the firmware can persist even through system reboots or reinstalls. Regular checks using tools such as FirmGuard are necessary to verify that the firmware remains unaltered. This includes using cryptographic signatures and hashes to ensure that the firmware is authentic and has not been tampered with. Regular integrity assessments help prevent long-term control by attackers and safeguard the system’s security.

Using Legacy BIOS Mode

Legacy BIOS mode, also known as Compatibility Support Module (CSM) mode, lacks all of the key security features found in UEFI mode (the modern standard). For example, features like Secure Boot, which prevents the execution of an unauthorized operating system, are not available in Legacy mode. This makes systems running in Legacy mode extremely vulnerable to firmware-level attacks. The safest course of action is to remove these old endpoints from the IT environment and replace them with modern systems that all run in UEFI mode by default.

Best Practices for Securing BIOS Firmware

Regularly Update BIOS Firmware

To secure your BIOS firmware effectively, check for updates on your hardware manufacturer’s website. Download the latest version compatible with your system and follow the provided installation instructions carefully to ensure a smooth update process. Tools like FirmGuard can help manage and apply these updates securely, reducing the risk of vulnerabilities associated with outdated firmware.

Secure BIOS Configuration

Configuring BIOS settings correctly is essential for system security. Enabling features like Secure Boot helps prevent unauthorized operating systems from loading. Limiting boot options to authorized devices further enhances security by preventing the execution of potentially malicious code during startup.

Monitor and Verify BIOS Firmware Integrity

Regular monitoring and verification of BIOS firmware is critical to detect unauthorized changes. Implement integrity checks using cryptographic signatures and hashes to ensure the firmware remains authentic and unaltered. This proactive approach helps maintain system reliability and prevents persistent threats from compromising your security.
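A hash-based integrity check of the kind described above, written as an added example (it is not FirmGuard code and covers hashes only, not signature verification). The region names, offsets and the toy images are constructed for illustration; real offsets come from the platform's flash layout.

```python
import hashlib

# Constructed region map for a 1 KiB toy image; real offsets are platform
# specific and are an assumption here.
LAYOUT = {"boot_block": (0x000, 0x100), "dxe_volume": (0x100, 0x300),
          "nvram": (0x300, 0x400)}
VOLATILE = {"nvram"}  # UEFI variable store: rewritten during normal operation

def region_digests(image, layout=LAYOUT):
    """SHA-256 per region; a region the dump does not fully cover maps to None."""
    out = {}
    for name, (start, end) in layout.items():
        covered = end <= len(image)
        out[name] = hashlib.sha256(image[start:end]).hexdigest() if covered else None
    return out

def check_image(image, baseline, layout=LAYOUT, volatile=VOLATILE):
    """Compare a firmware dump against baseline digests, region by region."""
    findings = {}
    for name, digest in region_digests(image, layout).items():
        if digest is None:
            findings[name] = "truncated"          # short read: do not trust the dump
        elif name in volatile:
            findings[name] = "skipped-volatile"   # expected to drift between boots
        elif digest != baseline.get(name):
            findings[name] = "MODIFIED"           # also hit when no baseline exists
        else:
            findings[name] = "ok"
    return findings

def sample_images():
    """Constructed golden image and an altered copy (not real firmware)."""
    golden = bytes(range(256)) * 4
    altered = bytearray(golden)
    altered[0x180] ^= 0xFF   # change inside dxe_volume (code region)
    altered[0x3F0] ^= 0xFF   # change inside nvram (normal churn)
    return golden, bytes(altered)

if __name__ == "__main__":
    golden, altered = sample_images()
    print(check_image(altered, region_digests(golden)))
```

Hashing per region rather than over the whole image keeps routine variable-store writes from raising false alerts while still flagging a change in a code region.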

Legacy BIOS Mode Detection

Identifying and transitioning systems from Legacy BIOS mode to UEFI mode is crucial for endpoint security. Legacy mode lacks all of the key security features available in UEFI mode (the modern standard), making systems extremely vulnerable to attack. Any endpoint running in Legacy mode is effectively obsolete, and the safest course of action is to remove these vulnerable endpoints. The challenge, however, is how to easily identify which endpoints are in Legacy mode and thus in need of replacement.
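One way to answer that question on Linux endpoints, and to check the Secure Boot setting discussed under Secure BIOS Configuration at the same time, shown as an added example (not FirmGuard code). It relies on the kernel exposing /sys/firmware/efi only after a UEFI boot and on the standard SecureBoot and SetupMode variables in efivarfs; the finding labels and the make_fake_sysfs helper are hypothetical.

```python
import os
import tempfile

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032c8c"  # UEFI global-variable GUID

def read_efi_flag(efivars_dir, name):
    """Return a one-byte UEFI variable value, or None if it cannot be read."""
    try:
        with open(os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL}"), "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    # efivarfs puts a 4-byte attribute field in front of the variable data.
    return raw[4] if len(raw) >= 5 else None

def boot_posture(sysfs_root="/sys"):
    """Classify one Linux endpoint: boot mode plus Secure Boot state."""
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    if not os.path.isdir(efi_dir):
        # The kernel only creates firmware/efi when it was booted through UEFI.
        return {"mode": "legacy", "secure_boot": False, "finding": "legacy-boot"}
    efivars = os.path.join(efi_dir, "efivars")
    secure = read_efi_flag(efivars, "SecureBoot")
    if secure is None:
        finding = "secure-boot-state-unknown"   # efivarfs not mounted or unreadable
    elif secure == 1:
        finding = "ok"
    elif read_efi_flag(efivars, "SetupMode") == 1:
        finding = "setup-mode-no-platform-key"  # Secure Boot keys not enrolled
    else:
        finding = "secure-boot-disabled"
    return {"mode": "uefi", "secure_boot": secure == 1, "finding": finding}

def make_fake_sysfs(secure=None, setup=None):
    """Build a constructed sysfs tree for offline testing (not real firmware data)."""
    root = tempfile.mkdtemp()
    efivars = os.path.join(root, "firmware", "efi", "efivars")
    os.makedirs(efivars)
    for name, value in (("SecureBoot", secure), ("SetupMode", setup)):
        if value is not None:
            with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
                fh.write(b"\x06\x00\x00\x00" + bytes([value]))
    return root

if __name__ == "__main__":
    print(boot_posture())   # run on the endpoint itself
```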

How to Secure Your BIOS Firmware Using FirmGuard

FirmGuard provides a comprehensive solution for remotely securing, configuring, monitoring and updating BIOS firmware. FirmGuard enables remote BIOS configuration (SecureConfig) so administrators can easily optimize BIOS settings, for example by enabling critical features such as Secure Boot to strengthen defenses against unauthorized access and malware.

Additionally, FirmGuard ensures BIOS firmware integrity by continuously monitoring changes to the BIOS and alerting an administrator whenever potentially malicious activity occurs (SecureCheck). For systems still operating in Legacy BIOS mode, FirmGuard identifies these configurations and supports the transition to the more secure UEFI mode (SecureSense). This proactive approach not only mitigates risks from an enterprise point of view; for MSPs, it also sets your services apart, driving increased revenue by providing superior security solutions and peace of mind to your clients.

Want to see FirmGuard in action? We’re offering a free, 15-day, no-strings-attached audit where you can deploy FirmGuard and see it in action. You can book your audit here.

Your audit will include:

  • A BIOS firmware security assessment to identify gaps for each registered endpoint (your own and all of your client endpoints).
  • Free use of all FirmGuard features for 15 days.
  • Special pricing to continue use of FirmGuard after 15 days.
  • Peace of mind knowing you have closed a major security gap.