The Secure Boot foundation has once again been shaken by another example of how easily this safety feature, which is supposed to protect against malicious software on boot, can be bypassed. Signed backdoors were found on 200,000 laptop and desktop computers from Framework.
The recent discovery by Eclypsium, a supply chain security firm, raises questions about fundamental flaws in the Secure Boot trust model.
This feature validates the integrity of software packages loaded during the boot process – it ensures that only signed code can execute. However, a signature doesn’t necessarily guarantee that a component can be trusted.
The Eclypsium security researchers have been investigating signed UEFI shells and described one of them as “signed backdoors on 200k laptops and desktops.“
“Signed UEFI shells aren’t traditional backdoors placed by malicious actors. Instead, they’re legitimate diagnostic tools signed with trusted certificates that contain functionality to effectively bypass security controls we’ve built into the boot process. The implications? Systems that have a secure boot process, in reality, do not,” they write.
The select model Framework laptops were identified as containing the “mm” command, a signed shell with functionality to manipulate memory and bypass Secure Boot.
“This command, present in many UEFI shells, provides direct read and write access to system memory. While this capability is essential for legitimate diagnostics, it’s also the perfect tool for bypassing every security control in the system,” the Eclypsium report explains.
Mm shell runs before the OS loads, and this command can read from and write to any memory address in the system, thus bypassing all OS protections and security boundaries. It operates in an environment where modern security controls and kernel protections are not yet loaded.
This and other shells are signed with Microsoft certificates, which implies trust and do not trigger any security warnings. However, they can be abused for persistent access.
Eclypsium disclosed the flaw to Framework, and the company has started releasing BIOS updates for roughly 200,000 computers. The affected models include Framework 13 and Framework 16 laptops with Intel and AMD processors, as well as the new Framework Desktop computer.
Many Secure Boot bypasses were found in the past
Hardware vendors have previously been caught “copy-pasting” firmware code, including a test master key that was supposed to be replaced with a secure one. A single key, shared on GitHub, was discovered to be “protecting” probably millions of devices worldwide. It grants attackers the highest privileges on the system.
Security researchers have also managed to bypass Secure Boot while loading modern Linux Systems – malicious scripts could be injected on boot despite the feature.
To bypass Security Boots, attackers in the wild have been abusing various other bootkits, exploiting vulnerabilities in OS components, including BlackLotus, BootHole, EFILock, and others.
The new Eclypsium report details even more previous problems with the feature.
“The reality is that these capabilities are already being used for malicious or at least grey-area purposes outside their intended use. In the gaming world, commercial cheat providers openly sell UEFI-level anti-cheat bypasses for up to €40 a month, taking advantage of Microsoft-signed components to evade detection,” the Eclypsium researchers said.
The firm warns that nation-state actors or APT groups can abuse similar exploits for espionage, sabotage, or ransomware.
UEFI shells usually serve legitimate purposes, such as diagnostic operations for hardware issues, testing systems, or troubleshooting components. They also provide a pre-OS environment for firmware updates, enabling configuration of hardware settings that aren’t accessible from the OS. UEFI applications and drivers are also used by firmware developers for testing.
“The problem isn’t their existence – it’s their implementation, specifically the trust granted via Secure Boot, and the dangerous commands they expose,” Eclypsium explains.
The firm warns that the trust model based solely on digital signatures is fundamentally flawed, as many components already contain dangerous functionality. Firmware, bootloaders, and hardware components present a wide attack vector for threat actors.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked