Definition
A Unified Extensible Firmware Interface (UEFI) rootkit is malware that targets the UEFI firmware on a computer’s motherboard.
UEFI replaces the legacy BIOS (Basic Input/Output System) and initializes the hardware during the boot process. It also provides the interface through which the operating system communicates with hardware components.
Once it infiltrates the firmware, the UEFI rootkit establishes persistent and covert control over the system. Unlike rootkits that live on disk or inside the operating system, it hides in the privileged firmware layer, which survives reinstalling the operating system and replacing the disk, making it difficult to detect and remove.
Because the UEFI rootkit controls the system’s boot process, it can execute malicious code before the operating system launches.
As a result, it can intercept and alter system calls, disable security measures, steal sensitive information, or even install other malicious software.
UEFI Rootkit Prevention
UEFI rootkit protection needs a multi-layered approach:
- Regular firmware updates: Ensure your UEFI firmware is always up-to-date with the latest security patches and fixes.
- Secure boot: Activate secure boot in the UEFI settings. Secure boot verifies the digital signatures of boot components before they run, blocking unsigned or tampered code from loading.
- System monitoring: Use behaviour-based monitoring tools and intrusion detection systems to detect suspicious activity at the firmware level.
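The secure boot recommendation above is only effective when the firmware is actually enforcing it. The following added example (not code from the original page) reads the `SecureBoot` and `SetupMode` UEFI variables that a Linux kernel exposes through efivarfs and reports whether signature enforcement is really active; it assumes efivarfs is mounted at `/sys/firmware/efi/efivars`, and the bytes in the test are constructed sample records.

```python
from pathlib import Path
from typing import Optional

# Path where the Linux kernel exposes UEFI variables (assumption: efivarfs mounted).
EFI_VARS_DIR = Path("/sys/firmware/efi/efivars")
# EFI_GLOBAL_VARIABLE GUID, fixed by the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar_bool(raw: bytes) -> bool:
    """Decode a one-byte boolean UEFI variable as stored by efivarfs.

    Each efivarfs file holds 4 bytes of variable attributes followed by
    the variable data; SecureBoot and SetupMode carry a single byte.
    """
    if len(raw) < 5:
        raise ValueError(f"efivarfs record too short: {raw!r}")
    return raw[4] != 0


def secure_boot_status(secure_boot: bytes, setup_mode: bytes) -> str:
    """Combine SecureBoot and SetupMode into one verdict.

    SecureBoot=1 on its own is not enough: with SetupMode=1 the firmware
    is in setup mode, the key databases (PK/KEK/db/dbx) can be rewritten
    and no signature enforcement takes place.
    """
    enabled = parse_efivar_bool(secure_boot)
    setup = parse_efivar_bool(setup_mode)
    if setup:
        return "setup-mode"
    return "enforced" if enabled else "disabled"


def read_efivar(name: str) -> Optional[bytes]:
    """Read a global UEFI variable; None if efivarfs is unavailable."""
    path = EFI_VARS_DIR / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        return path.read_bytes()
    except OSError:
        return None


if __name__ == "__main__":
    sb, setup = read_efivar("SecureBoot"), read_efivar("SetupMode")
    if sb is None or setup is None:
        print("UEFI variables unavailable (legacy BIOS boot or efivarfs not mounted)")
    else:
        print("Secure Boot:", secure_boot_status(sb, setup))
```

A machine reporting `setup-mode` should be treated the same as one with secure boot disabled, since its key databases are writable from the operating system.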
UEFI Rootkit Attack Examples
- Firmware-based rootkits: Invisible Things Lab, a cybersecurity research group, discovered firmware-based rootkits that specifically infect Apple MacBook laptops.