Is your UEFI/BIOS firmware vulnerable to cyber attacks?

Discussion

Keep your UEFI/BIOS firmware up-to-date

Over the years, I've read many forum posts—on many different forums. On the subject of UEFI/BIOS updates, the "common sense" position leans towards "If it ain't broke, don't fix it."

In other words, unless you experience issues with your PC—don't upgrade the UEFI/BIOS firmware.

To be fair, carelessly upgrading the UEFI/BIOS firmware is risky. Few actions carry a greater risk of "bricking" your system. But taking precautions will mitigate those risks.

  1. Always perform upgrades on AC power (not the built-in battery); preferably while connected to a good UPS (Uninterruptible Power Supply).

  2. Read and follow the directions before running the upgrade.

  3. Monitor the entire upgrade process.

  4. Be patient. Don't try to cancel (or hot-stop) a UEFI/BIOS upgrade.

Keeping your UEFI/BIOS firmware up-to-date not only adds features and fixes known issues, but also provides security patches.

Risks of keeping old(er) UEFI/BIOS firmware

Despite conventional wisdom, vulnerabilities and exploits exist for UEFI/BIOS firmware. Usually, they require physical access to the host machine. But, in a supply-chain or phishing attack, the host machine's owner acts as a proxy for the attacker.

I've warned of these risks for years. Until recently, my warnings were received as conjecture and paranoia.

Not anymore.

8 months ago (CVE-2023-40238)...

For deep-dive, please see LogoFAIL: Security Implications of Image Parsing During System Boot (duration 44:14)

3 months ago (CVE-2024-0762)...

What do you think? Do you keep your UEFI/BIOS up-to-date?

8
9 replies
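Before deciding whether an update is due, it helps to know exactly which firmware build is running. The script below is an added example (not part of the post above, and not a vendor tool) that reads the SMBIOS firmware vendor, version and release date from the files Linux exposes under /sys/class/dmi/id and flags a build older than a cutoff date. The cutoff (20240101) and the sysfs directory argument are assumptions for illustration; in practice, compare against the fixed release your board vendor lists in its advisory for the CVEs mentioned in the thread.

```shell
#!/bin/sh
# Added example: report the running UEFI/BIOS build from SMBIOS data and warn
# when its release date is older than a cutoff. Reads the world-readable files
# Linux provides under /sys/class/dmi/id (a directory argument lets you point
# it at a copy of those files instead). The cutoff is a hypothetical value.

# bios_info [DIR] -> prints "vendor|version|date" from DIR (default sysfs path)
bios_info() {
  dir="${1:-/sys/class/dmi/id}"
  for f in bios_vendor bios_version bios_date; do
    [ -r "$dir/$f" ] || { echo "cannot read $dir/$f" >&2; return 1; }
  done
  printf '%s|%s|%s\n' "$(cat "$dir/bios_vendor")" \
                      "$(cat "$dir/bios_version")" \
                      "$(cat "$dir/bios_date")"
}

# date_to_num MM/DD/YYYY -> YYYYMMDD. SMBIOS stores the release date as
# MM/DD/YYYY; string slicing avoids printf %d, which would treat "08" as octal.
date_to_num() {
  case "$1" in
    [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]) ;;
    *) echo "unexpected date format: $1" >&2; return 1 ;;
  esac
  m="${1%%/*}"; rest="${1#*/}"; d="${rest%%/*}"; y="${rest#*/}"
  echo "$y$m$d"
}

# firmware_is_stale DIR CUTOFF(YYYYMMDD) -> status 0 if the firmware release
# date is before CUTOFF, 1 if not, 2 if the data could not be read.
firmware_is_stale() {
  info="$(bios_info "$1")" || return 2
  reldate="${info##*|}"
  num="$(date_to_num "$reldate")" || return 2
  [ "$num" -lt "$2" ]
}

# main [DIR] [CUTOFF]: print the build and a verdict. A missing sysfs
# directory (non-x86 host, container, VM without SMBIOS) is reported, not fatal.
main() {
  dir="${1:-/sys/class/dmi/id}"
  cutoff="${2:-20240101}"   # hypothetical cutoff; use your vendor's fixed-release date
  info="$(bios_info "$dir")" || return 1
  echo "firmware: $(echo "$info" | tr '|' ' ')"
  if firmware_is_stale "$dir" "$cutoff"; then
    echo "WARNING: firmware release predates $cutoff; check the vendor for an update"
  else
    echo "firmware release is at or after $cutoff"
  fi
}

main "$@" || :
```

Run it with no arguments on a Linux box to see your own build, or as `sh check_bios.sh /path/to/saved/dmi 20240101` against files copied from another machine. The release date is only a coarse signal: a vendor may backport a fix into a branch with an older-looking version string, so treat a "stale" verdict as a prompt to read the vendor's advisory, not as proof of vulnerability. On Windows the same SMBIOS fields are available through `Get-CimInstance Win32_BIOS` (SMBIOSBIOSVersion and ReleaseDate).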