wanna learn how computers work? learn to code at lowlevel.academy

Jokes on you my motherboard is so old it predates this problem

Ok i guess i will just carve a new rock myself and hope no one will hack it

> Makes UEFI to solve security exploits in BIOS > Look inside > Exactly the same exploits BIOS has, but more flexible what did they mean by this?

As soon as TPM was mentioned, I knew this was not a bug or mistake. This is a backdoor.

Since I am 73 years old I have seen a lot of computer history. We know that over the years computers have become a lot more powerful, and have a lot more features, a lot more memory and a lot more storage. This has resulted in software of all types becoming a lot larger and a lot more complex. The result is that now nearly all software has unknown and undiscovered vulnerabilities. It is now impossible to eliminate all vulnerabilities. All that can be done is a lot of testing to discover the latest vulnerability.

TempleOS affected :(

When the title said the vulnerability lasts forever i thought you meant it was a hardware bug. Got me scared for a sec.

The fact that we keep inventing negative rings is also a problem. Everything old is new again. Hardware from the 80s used to have a hardware inhibit on floppy drives to prevent, at the hardware level, writing to a disk. Some of the early EEprom motherboards you had to move a jumper to allow the hardware to write to it. Perhaps this should be a new feature. I see that in the Pi4 and 5 you can update the "bios" from a linux command. Write protection at a jumper for this would be nice.

Isn't it fascinating how all of this newfangled stuff has these ultra super secure "new" features that we later find have convenient oversights on that secure feature that allow someone in the know complete access to a device?

Feature not a bug. Say hello to NSA.

As a firmware developer: UEFI needs to go away. All vendors use basically the same stuff under the hood: EDK2 and FSP (Firmware Support Package). Problem is that EDK2's codebase is not only atrocious, people (or companies) usually work on their own forks and don't contribute it to upstream. Vendors like AMI, Phoenix or InsydeH2O use EDK2 versions that are several years out-of-date (last time I checked, from ~2018). That's why you see so many vulnerabilities in UEFI recently. Vendors basing their products on several-years-old releases, adding their own EFI drivers/apps (yes, EDK2 is basically an operating system that starts your operating system) and ship it to OEMs, who then ship it to users. So to fix the vulnerability vendor has to re-base their code on newer release (or patch it by hand), ship frameworks to OEMs, OEMs need to re-base their configuration on new version of frameworks (GPIO etc) and ship it to users, who need to go trough process of updating it (and we know how many people simply... don't). That's why opensource firmware is important, and should be more popular. Such as coreboot, u-boot and so on. As for this exploit, it likely won't "last forever". Most consumer motherboards use fTPM solutions (like Intel's PTT), which gets wiped on CPU swap (assuming the desktop) - same with SMMSTORE (NVRAM) or CMOS. On laptops however it would be a lot more tricky, but vendor can choose to wipe SMMSTORE on update, as well as TPM (though it would anger quite a few users who would need to find bitlocker recovery keys and whatnot).

"Name the vendor of your motherboard's firmware" AMI. I haven't seen a computer sold with Phoenix BIOS as the firmware vendor in like 10 years.

The way Ed's face lights up every time he gets to say "low level" is the kind of passion I aspire to have for something

This was predicted when EFI was first rolled out. EFI is way too complex with not enough eyes on it, and EFI (+ TPM) has always looked like a US gov project. It did not actually solve any problems, unless you problem was how to compromise all machines in perpetuity.

its some kind of sick joke that the bug is in their implementation of TPM which was made to increase security. sometimes complexity itself is the weakness in security, but i guess thats another (less talked about imo) part of the human weakness in security,

3:37 i can't get over that split second expression you made oh my god

this is easily the best cyber security podcast / channel i've seen and i have very high expectations as someone who takes this job very seriously and wants to learn as much about hacking / offsec as possible. No nonsense just straight facts and interesting information presented in a well understandable manner. Great work.

It's possible to write code that's literally proven formally to not have bugs like this, and it's wild to me that manufacturers don't do it. This UEFI code is the perfect candidate for formal verification. No future remediation path for bugs, universally appears in every product your company sells, and the cost doesn't even change much, since you're already hiring the kind of specialist firms that can do formal software verification. A no-brainer decision for motherboard manufacturers.

I find it kind of humorous that an exploit that enables ring -2 privileges is treated as serious but Intel ME and AMD PSP is fine according to manufacturers.

0:02 "On your computer" *shows an image of my exact setup*

You forgot the part where it stays forever. It has to persist somewhere, either in the NVRAM or flash, so erasing both of those would remove the compromised code

I've often wondered about the exposure to UEFI bugs after support ends. (same story for CPU microcode updates, and even wireless keyboards need security updates) Realistically, support must taper off approaching the published date. After support ends, Phoenix or AMI may come up with critical fixes, but licensees (like Lenovo) will be less inclined to release updated firmware for affected older products. The bug fixes are of course rich with information to compromise older products that will never be updated. Seems like a shame to stop using perfectly functional computers.

3:22 the "Lake" is part of the codenames for many Intel CPUs. The oldest name I see in that list is Kaby Lake, which is 7th gen

Never trusted TPM.

That's not a bug, but rather an intentional feature.

I understand that KZbin changed its monetization rules. But, at best (or worst) it’s a phoenix related bug (that might affect you or not)… and it lasts as long as you don’t update your firmware, which nowadays is a peace of cake (compared with what it was prior UEFI). So, yeah, next.

Coreboot and Libreboot need more devs!

Title is very clickbait, especially given that firmware can be updated and AMD does have a marketshare.

Love when multiple once-in-a-lifetime exploits are found in the same year

That's super neat. Thanks for a good upload, man!

System76 uses coreboot ...but not only that...they provide the code for the E.C. microcontroller in case even that needs an update...it would be great if you can interview their engineers

At this point I might as well just make my own CPU and MB! Fuck it....

The idea that a vulnerability in UEFI wouldn't be 90% a backdoor is unthinkable to me

"911 what's your emergency" "My computer ain't computering"

jokes on you, I don't have TPM

Went the AMD way with my new build a month ago for the first time in 20 years - that decision seems better every day.

Dude great video as always ,i would like to share a tip:it would be alot better if you would have mentioned that the getvariable function according to the UEFI specification would update datasize to the size of the variable. Assume that the viewer is unaware about such seemingly well defined functions. I personally was confused at first as i didn't consider the possibility of getvariable being a part of the standard specification.

How is it exploited? Do you have to run a code on local computer, or can you do it over a network? Do you need admin rights? How do you check if it affects you? Is there a way to mitigate it if an update is not available?

There's this logo which showed on pretty every mobo until recent years, I found out that most of bioses were made by the same company, manufactures just made graphical choices for their brand - why would you code something that low level, with all the catches and problems, use someones better work...but then, you got single point of failure lol

Isn't this kind the point of Coreboot/Libreboot to avoid vendor abandonment of UEFI updates and to give open source scrutiny to the boot process (binary blob aside)? Also would be interested in your opinion of the root of trust silicon opentitan earl grey chip. Seems like an interesting topic for the channel.

UEFI applications written in Rust using the UEFI crate are definitely bounds-checked at compile time as I've witnessed firsthand attempting to use it that way. As for the firmware itself, that remains to be seen; in assembly, it's definitely easy to go wrong.

No wonder Microsoft was pushing TPMs so hard with W11 /s

Every time I watch a video on this channel I am exponentially more paranoid for like 2 days 😂

TPM was made by Microsoft and made it mandatory for windows 11 as a security measure. That just sounds like one another intentional backdoor by MS and NSA again

Throwing 5grand around like its nothing

Removing the 'T' from 'TPM'

No need to worry, I have an old motherboard which uses bios and not uefi

Yes. Super Low Level 1. UEFI is an Operating System, Minix, an assembly language version of Unix. UEFI has its own network stack, communicating without your knowledge. (SeaBIOS). 2. TPM (Hardware Hash Storage and Verification module), DOES NOT verify all of the code, ex. BIOS hash is not stored on the TPM by design. Any code not verified by the TPM could be modified by an attacker, and the system will not alert you to the change.

I know of 3 companies that make and sell UEFI firmware: AMI, Phoenix Technologies and Insyde software. The InsydeH2O seems to be somewhat common on laptops, AMI is pretty ubiquitous in the retail motherboard scene, unsure where Phoenix seems to be also in many laptops.

Running an I7-4790 here from 2014. It's a Dell 9020 machine and the last generation that would let you run in legacy mode. (Bios). So my Linux runs without UEFI.

Certified NSA classic

"Local hacker" makes this a sorta moot thing. Simply because if the hacker can touch the machine, all bets are off. If this was somehow remote executable I would be worried.

It's frightening to think how pervasive and deeply rooted such vulnerabilities can be, especially in an area as key to our digital infrastructure as UEFI firmware.

Let's call it what it is: a successful NSA supply chain attack.

Love your videos, keep it up! I've learned lots

More I see... More I assume that the safest online experience, is never going online at all xD

Been working at kernel level and UEFI level for a while now in order to create cheats for videogames which require at least kernel level but ofc most people go full on UEFI cuz it's way more difficult to detect, i reversed part of my UEFI firmware and i know people who did that too and they found a shit ton of vulnerabilities, last time i was looking at an SMM backdoor that allowed people to execute arbitrary code from USERMODE at ring -2 pretty scary tbh. I wish there were more people able to write/read UEFI code because if the kernel allows you to use a lot of functionalities regarding the pc UEFi allows you to use every functionality of your pc, pretty much freedom as long as you are able to code UEFI firmwares.

as someone currently working at a major computer part manufacturer Fuck

Compared to your other videos, this one appears all over the place. Example - 1. "The vulnerability is very simple." That preps my brain to see what it is. But we go down immediately instead of discussing the vulnerability, what is static analysis and dynamic analysis - which my brain is not looking for at the moment (especially since I can sort of guess what is automated binary analysis and am less interested to know about it than the vulnerability itself). 2. "Now you may be asking whether rust would have helped." No. I mean that is a valid question I suppose, but way down the list of questions I'd ask.The first thing I'd like to know is if and how someone can target my PC. Can they do it remotely? Can they do it if they have access to my OS? Do they need root access? Or do they need to install an UEFI bootloader for this? Etc. Before even asking if rust would help, I'd like to know whether the UEFI code is being fixed for new computers. Can it be changed to other languages? And maybe if they are planning to replace c++ (or c, whatever they currently use), with rust. Then what are the pros and cons, including, only at this point, if rust would help given that it protects from these things.

1:55 UEFI is not a new version of BIOS, it's entirely unrelated and comes from the EFI firmware used to boot Itanium-systems

Please do content on the Blacklotus Bootkit. Sounds fascinating.

I always hated the new UEFI BIOS. now I have a valid reason

BIOS code injection has been around forever. And it doesnt give the hacker access forever, simply updating bios or if you have flashback run that.

Pfft glad i have went back to an Amiga for my everyday computering

three letter agencies calls it a feature

UEFI is easy to hack. I have bypassed most security features with relative ease in my quest for more control over exactly what my hardware is doing and for the ability to run UEFI images with my own drivers and features. One such feature is control over gpu voltages in older nvidia rtx laptops

Oh, I don't even have TPM lmao And I have an AMD processor And I have an AMI BIOS

*laughs in manually entering punch cards to do anything*

Uhhm, time to check the status of CoreBoot again

Thanks for reminding me, I had totally forgot to update my BIOS and ME, did it now. Even though it's safer these days to update your BIOS (with the ability to roll back and such) versus the old days, it still made me panicky. So I sat like 0_0 until everything completed xD

You only mentioned Intel-CPUs. Are AMD-CPUs also affected?

Incredible video as always

oh look they found the goverment backdoor

I’d like to see more about the bootkit

So AMD platforms not affected?

You don't need runtime checks to zero-out cursor offset, goddamit. Open source and let users to compile it so they could fix those issues or expect people would be angry at you because you're the only actor who knows how to fix this.

There are rings below 0?

Thank you very much. Very informative.

It does not matter. The whole point of secure boot was not to actually secure your OS, it was to stop you from installing Linux on a Windows PC. They could not do it because of legal reasons. You need to get physical access to it do get this attack to work. It's pretty useless for a hacker who does not want to break into people's houses to get their computer and then steal their data.

Motherboard : HP 1409 CPU : Sandy Bridge I3 GPU : MSI GeForce GT 720 RAM : Hynix 4GB DDR3 (Single-channel) Storage : Kingston SSD 480GB

does an attacker need physical access to the pc ?

Please we need a Full Reverse engineering of Black lotus in a live

This is bad, but I still think Intel Management Engine is worse.

I'm so glad my BIOS is open-source 😊😊😊 (I can't play video at 20fps because my CPU is from 2006)

Not a bug but a backdoor

Having bios/uefi backups/secondarys in motherboards needs to become more standard so everyone can safely just update it when stuff like this happens. I always keep mine up to date but one of my motherboards did get bricked a few years ago because of a power outage and that board didn't have a backup system for it which sucked, it's fixable but I would have to get a new chip for it and solder it on.

Couldn't this be dealt with simply by re-flashing the UEFI? BIOS malware before was relatively easy to just flash over. I mean of course to remove the hacker's access. Not to remove the vulnerability itself.

Coreboot, people. Plus HEADS if you want to detect physical tampering. Install it yourself (advanced users only. And I know you see that all the time but it's true for this case) or get a computer from a manufacturer who installs it for you. NitroKey, NovaCustom, System76 (more PC options than the other two, no HEADS).

"Secure Boot" being insecure is just too funny

My 8 years old second hand HP Elitebook got the update to fix this a month ago. (10th June)

Wait until you hear about the devices connected directly to your memory that also has firmware you can't inspect (HDDs, nvme drives, network cards, etc)

I had an ASUS F2A85-M with Coreboot back when socket FM2 and Athlon was "modern".. I think it has merit to look if UEFI was really the right way, especially when you realize that ALL computers have a management console running on their PCs. At all times. Even when the PC is "off". Without their knowledge. At Ring -1 level.

Man I love unsafe code!

I love the "but what about Rust" part

but how the bug can be exploited? like is that bad that downloading pirate software, a virus can get in my UEFI with the highest privileges? or is like the NSA have to install a chip in your PC to exploit it?

My approach: Security by Legacy 🤪

0:35 its not forever, I can rewrite the nvflash

Does this effect CoreBoot users? I use a System76 Pangolin with Gentoo on it.

wake up babe new vulnerability xd