UEFI Malware - The Low Level Threat To Millions of PCs

In this video I discuss the UEFICanIHazBufferOverFlow bug (CVE-2024-0762) and other UEFI/BIOS malware threats as well as how to avoid them.

My merch is available at

₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿

Comments

I miss just being an unenlightened user that thought having an antivirus was enough tbh

SkyenNovaA

from SSH to UEFI my ass is cooked, time to save my stuff on DVDs

benjamonsrl

LOL who would have thought that 100MB of rewritable bare metal proprietary code could have repercussions? smh.

jeremiahbullfrog

With some motherboard vendors, installing a BIOS update makes your PC 100% secure because it doesn't boot anymore.

_trichosurus

How ironic, the "Trusted Platform Module" had the vulnerability.

kper

Worst thing is that there is probably a fair number of laptops with this vulnerability that are old enough that the manufacturer might not bother to put out a BIOS update.

olnnn

Early 2016 the US government was heavily stressing a need to access personal encrypted devices. A year later (2017) KabyLake (the earliest Intel code name mentioned) has this UEFI vulnerability? Probably coincidence.

ImplicitFlower

Oh no. The safe & absolutely required TPM is actually not safe. Who would've guessed.

trashviewer

The last time I did a BIOS update, my laptop lost the ability to undervolt.

HunterKiotori

One big problem with this type of exploit is that most motherboard manufacturers stop putting out BIOS updates after a few years (at most), long before the useful lifetime of a computer ends, so even if you want to update the BIOS, for 10s (perhaps 100s) of millions of PCs, there is no update to fix this problem, because the motherboard manufacturer already abandoned updates for the motherboard in your computer.

wildbill

You keep blaming users for not updating firmware, but manufacturers are 10x worse about never making updates available at all ever.

acmhfmggru

From Web browser to UEFI, software needs to be free

RoofusRoof

UEFI seems fundamentally insecure as it's able to be flashed/modified from the OS, which makes me really not understand why they rate these kinds of vulns as requiring physical access rather than remote control of the OS. Most if not all PCs sold are by default able to flash the BIOS from the OS, either from the update software from the vendor or through Win Update, at least in the case of my Dell 3793 firmware. Frankly I think the state of PC security is far worse than we're led to believe from the big vendors and security research firms, and the prevalence of RATs/botnets alone should scare a lot of users. I could say a lot more but anyone affected by the kinds of sophisticated remote 'hacks' and malware used since at least 2020 or so is aware of how bad it is.

Demoralized

We need those physical write protect BIOS toggles again lol, so many hits to Linux / open source recently

sandcat

This stuff makes me understand why the Libreboot dev is so against UEFI, so much attack surface.

lucasm

The Astolfo as evil maid, that was out of nowhere.

creato

I updated my BIOS once, I just remember crying and hoping my power didn't go out while flashing it.
Same when I had to update my buddy's BIOS for his new CPU xd

beansbeans

Add in the exploits where a BIOS can configure a network card and download an update without using a USB stick. The BIOS in this machine has that capability.

muhdiversity

0:05 I can't trust people that pronounce BIOS like that. 😤

TimboSlice

Just bought a refurbished Lenovo mini. The worst part is that the idiots at Lenovo, HP, Dell, etcetera release firmware updates as Windows binaries; I have years of not using Windows.

raportmercado