There is a perfect cybersecurity storm brewing today in the computing world. Changes in hardware design, along with cybersecurity solutions that are falling behind in protecting against cyberattacks, are converging to create a potential cyber disaster of major proportions, ready to take place at any moment.
On one hand, we have cybersecurity solutions that are not keeping pace with today’s hackers. In spite of more resources being devoted to cybersecurity, cyber compromises are at an all-time high, with even less experienced hackers now gaining access. At the same time, hardware designers are changing their industry standards and direction. This change enables hackers anytime access to hardware - even when it is powered off. The result of this combination is a perfect cyber storm, ready for disaster.
The battle between BIOS and UEFI in hardware design
For years, BIOS has been a firmware standard in hardware design. Over the years however, hardware designers have been moving towards UEFI instead of BIOS.
There are a number of reasons for this move, including increased infrastructure manageability over BIOS. Unfortunately, along with increased infrastructure manageability, UEFI comes with a security flaw; the ability for hackers to gain access to your computer, even when it is turned off.
How this happens is relatively simple. With UEFI, security layers are added in the UEFI stack, with custom web applications added to the stack to control settings.
The problem with adding security layers to the UEFI is it requires many more lines of code to the system’s firmware, into the thousands. These added lines of code can allow hackers remote access to the physical hardware layer of systems today – often even before the operating system is booted. Meaning hackers have the potential to access your laptop, even when it is turned off.
This is a very real problem. At Cyemptive, we are seeing more bugs and remote attacks of this nature, with hackers attempting to gain control over the hardware and sometimes even the full network stack before the operating system is booted. The worms and exploits we see on the UEFI stack are now showing up in the UEFI layer, because they are enabling similar application stacks to be loaded. This in turn causes even more exploits, weakening the security model of something that should be simple is turning into a complete mess.
The failure of today’s cybersecurity solutions
Theoretically, if today’s cyber solutions were able to adequately protect against cyberattacks, the vulnerabilities in hardware design would not be nearly as devastating. But as we all know, with hackers if they think something can be hacked they will, if just for the sport of it. And they are.
The time for hackers to break into any environment is mere seconds and minutes to get data out of a network. Unfortunately, today’s detection technologies are hitting such high false positives and false negatives, it has put the decline on progress on detecting and stopping the elite hackers of the world almost impossible to stop them. Even the less experienced hackers have gotten traction on infiltrating networks and systems with the use of artificial intelligence (AI) tools.
Speaking of AI, there has been much talk about it and machine learning as the solution for cyber protection. The one big comment that most people have about AI for cybersecurity is not explaining that AI stands for “Already Infiltrated” to the elites of the world. AI is too little too late. Even with AI, today’s cybersecurity solutions take days, weeks and even months to identify attacks, while hackers only need seconds and minutes to get in and out with your data. It just isn’t fast enough to solve the problem.
The result is that hackers can sneak past today’s enterprise cyber defenses. Into your hardware even when it is turned off.
What, then, can the industry do?
As a first step, hardware designers should re-think how they approach security. A different approach to hardware security is needed – one that does not include thousands of lines of code in the UEFI stack that allows hackers remote access to our physical hardware layer of systems.
Sometimes simple is best. Legacy BIOS mode has seen less security problems than what is now showing up in the current UEFI implementations, and we believe is a better security alternative than UEFI.
More manageability in infrastructure is a laudable goal; however, enabling hackers to remotely hijack into the system’s UEFI stack before an OS is enabled is the wrong approach to cybersecurity. Legacy BIOS mode is a solution that is both proven and safer than UEFI. Let’s take a step back, and keep the hackers off our hardware, whether it is turned on or off, and consider going back to a simpler approach to hardware security design.