Aside from the Setup variable issue, which American Megatrends has since fixed, Kallenberg presented another way to bypass Secure Boot which stems from OEMs not using a security mechanism called SMI_LOCK in their UEFI implementations.
The absence of this protection feature allows code running inside the kernel, like a system driver, to temporarily suppress SMM (System Management Mode) and add a rogue entry into the list of pre-approved bootloaders trusted by Secure Boot. When the system is then rebooted, the malicious bootloader would be executed with no Secure Boot error.
Researchers from Mitre developed a Windows software agent called Copernicus that can analyze the system's BIOS/UEFI and report the different security features it uses. They ran the tool in their organization across 8,000 systems and found that around 40 percent of them did not use the SMI_LOCK protection.
Those results are not representative across many OEMs, because Mitre uses a large number of Dell systems in particular, Kallenberg said, but the effort was expanded outside of the organization and around 20,000 systems have now been scanned. The goal is to scan 100,000 systems and then release a report, the researcher said.
Another issue is that even if OEMs release BIOS updates with SMI_LOCK protection in the future and customers install them, Kallenberg estimates that on 50 percent of systems it would be possible for an attacker to flash back an older, unprotected BIOS version from inside the OS.
Pulling off the SMM suppression attack requires access to kernel mode, also known as ring 0, but that's not necessarily a big issue for attackers, Kallenberg said. If an attacker manages to execute malware as a user process with administrative privileges -- for example by exploiting a vulnerability in other software applications or in the operating system itself -- he could install an older digitally signed driver from a legitimate hardware manufacturer that's known to have a vulnerability. Since the driver runs in kernel space, he could then exploit the vulnerability to execute malicious code with ring 0 privileges, the researcher said.
There are also other chipset dependent ways to suppress SMM and modify the Secure Boot whitelist that are still being investigated, but are not ready to be publicly disclosed yet, Kallenberg said.
Over the past year OEMs have started to pay a lot more attention to BIOS security research and have started to react, Kallenberg said. "I think we're finally at a place where you'll see OEMs take this more seriously."
Investigating BIOS security issues in the past was very hard for researchers because specialized BIOS debugging equipment that makes analysis easier costs US$20,000, Kallenberg said. However, the openness of UEFI allows more researchers to look into these problems and, hopefully, over the next few years the most obvious vulnerabilities will be identified and fixed, he said.