
Firmware Security: Attacks on BIOS, UEFI, BMC.

Fixxx


Vulnerabilities, attacks and defenses at a level where there are no antivirus products...


Introduction

Firmware security is an invisible but critical layer of modern infrastructure. While most engineers protect operating systems, containers and applications, attackers have long operated below all of them, at the firmware layer: BIOS/UEFI, BMC controllers, Intel ME, SPI flash and peripheral microcontrollers. Firmware runs before the kernel, has the highest privileges and often lacks any mechanism to prevent modification. Compromising the BIOS or BMC allows:
  • persistent access even after OS reinstallation;
  • installing a rootkit undetectable by antivirus;
  • remote control of the system independently of the OS;
  • supply-chain attacks (infection during manufacturing).


Firmware-Layer Architecture

To know where to attack, you need to understand how it’s built.

BIOS / UEFI
  • Located in SPI flash on the motherboard.
  • Loads first at power-on; initializes memory, CPU and devices.
  • Consists of several phases: SEC → PEI → DXE → BDS → OS Loader.
  • UEFI (unlike legacy BIOS) uses a file structure, drivers, protocols and even a network stack (PXE, HTTP boot).
Intel ME / AMD PSP
  • Embedded microcontrollers in the chipset that run alongside the CPU.
  • Have their own OS (Minix-like), network access and full control over memory.
  • Used for AMT, TPM and other management functions, but often abused as a backdoor.
BMC (Baseboard Management Controller)
  • A separate microcomputer (often ARM) that can manage the server even when the CPU is powered off.
  • Uses IPMI, Redfish or KVM over LAN.
  • Accessible from a separate network and often poorly protected (default passwords, outdated web interfaces).


Common Attack Vectors

SPI Flash Manipulation

An attacker gains access (physically or via a kernel exploit) and rewrites the SPI firmware.

Examples:
  • Modifying a DXE driver to implant a UEFI rootkit (example: LoJax by APT28).
  • Replacing the bootloader or injecting Secure Boot keys.
  • Tampering with Boot Guard and the ME Region.
Defenses: SPI write-protect pin, Boot Guard, Signed Firmware Capsule, BIOS Lock Enable.
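The defenses listed above (BIOS Lock Enable, and later in the post "Restrict writes to SPI Flash (BIOS Lock, FLOCKDN)") come down to a handful of bits in the Intel PCH SPI controller. The following is an added example, not code from the original post or from CHIPSEC: it decodes BIOS_CNTL (BIOSWE, BLE, SMM_BWP), the FLOCKDN bit of HSFS and the Protected Range registers PR0-PR4, and says whether the BIOS region could be rewritten from the OS. The bit layout is the documented Intel PCH one; the register snapshots and the BIOS-region boundaries are constructed, and the pass/fail rule is this example's own conservative reading (CHIPSEC's bios_wp module performs essentially the same checks against live hardware).

```python
"""Judge from a snapshot of the Intel PCH SPI registers whether the BIOS region of the SPI
flash can be rewritten from the OS.  Register values are plain integers here (constructed
samples at the bottom); on real hardware they come from CHIPSEC or a PCI/MMIO read."""

# BIOS_CNTL (PCI config space offset 0xDC of the LPC bridge / SPI controller device)
BIOSWE  = 1 << 0   # BIOS Write Enable: 1 = BIOS region currently writable from the CPU
BLE     = 1 << 1   # BIOS Lock Enable: a write that sets BIOSWE raises an SMI so SMM can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: only code running in SMM may write the BIOS region
# HSFS / HSFSTS_CTL (SPI controller MMIO, offset 0x04 from the SPI BAR)
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PRx and friends are read-only until reset
# PRx (Protected Range 0..4): bit 31 write-protect enable, bits 30:16 limit, bits 14:0 base,
# both in 4 KiB units; bit 15 is read-protect and is ignored here.


def decode_protected_range(pr):
    """PRx -> (write_protect_enabled, base_addr, limit_addr); the range is inclusive."""
    wpe = bool(pr & (1 << 31))
    limit = (pr >> 16) & 0x7FFF
    base = pr & 0x7FFF
    return wpe, base << 12, (limit << 12) | 0xFFF


def ranges_cover(ranges, start, end):
    """True if the union of inclusive (base, limit) ranges covers every byte of [start, end]."""
    pos = start
    for base, limit in sorted(ranges):
        if base > pos:
            break                       # uncovered gap before this range
        if limit >= pos:
            pos = limit + 1
        if pos > end:
            return True
    return pos > end


def assess_bios_write_protection(bios_cntl, hsfs, prs, bios_region):
    """Return (protected, findings).  bios_region is the inclusive (start, end) of the BIOS
    region within the flash, as reported by the flash descriptor."""
    findings = []
    bioswe, ble, smm_bwp = bool(bios_cntl & BIOSWE), bool(bios_cntl & BLE), bool(bios_cntl & SMM_BWP)
    flockdn = bool(hsfs & FLOCKDN)

    if bioswe:
        findings.append("BIOSWE=1: the BIOS region is writable from the OS right now")
    if not ble:
        findings.append("BLE=0: software can set BIOSWE without SMM getting a chance to veto it")
    if not smm_bwp:
        findings.append("SMM_BWP=0: writes are not confined to SMM")
    cntl_locked = ble and smm_bwp and not bioswe

    protected_ranges = [(b, l) for wpe, b, l in map(decode_protected_range, prs) if wpe]
    pr_covers = ranges_cover(protected_ranges, *bios_region)
    if not pr_covers:
        findings.append("PRx: protected ranges do not cover the whole BIOS region")
    if not flockdn:
        findings.append("FLOCKDN=0: PRx can still be rewritten, so range protection is not final")

    # Either path is sufficient: the BIOS_CNTL lock (BLE+SMM_BWP) or locked-down protected ranges.
    return cntl_locked or (flockdn and pr_covers), findings


if __name__ == "__main__":
    # Constructed snapshots for a 16 MiB flash whose BIOS region is the top 4 MiB.
    BIOS_REGION = (0x00C00000, 0x00FFFFFF)
    for label, cntl, hsfs, prs in [
        ("weak: BIOSWE set, nothing locked",           BIOSWE,        0,       [0] * 5),
        ("locked: BLE+SMM_BWP, FLOCKDN",                BLE | SMM_BWP, FLOCKDN, [0] * 5),
        ("PR-only: PR0 covers BIOS region, FLOCKDN",    0,             FLOCKDN, [0x8FFF0C00, 0, 0, 0, 0]),
        ("PR-only but FLOCKDN clear",                   0,             0,       [0x8FFF0C00, 0, 0, 0, 0]),
    ]:
        ok, notes = assess_bios_write_protection(cntl, hsfs, prs, BIOS_REGION)
        print(f"{label}: {'PROTECTED' if ok else 'WRITABLE'}; {notes}")
```

The fourth case is the one worth remembering: protected ranges that cover the whole BIOS region look fine in isolation, but without FLOCKDN the same privileged code that would write the flash can first clear the PRx registers, so the example refuses to call that configuration protected.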


Firmware-Level Rootkits

A rootkit is embedded in UEFI, persists in NVRAM, and loads a malicious DXE driver at boot.
  • Resistant to OS reinstalls and updates.
  • Can replace the Linux or Windows bootloader.
  • Can abuse SMM (System Management Mode) to bypass memory protections.
Example:
UEFI rootkit CosmicStrand was implanted in ASUS and Gigabyte firmware, activated during DXE and injected a payload into the Windows kernel.
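Both LoJax and CosmicStrand show up in a flash dump as a DXE driver that was not in the vendor image, or as a vendor driver whose body changed. The block below is an added example, not code from the original post or from UEFITool: it walks a UEFI firmware volume (the PI-specification EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER layouts), hashes every file and diffs the result against a baseline from a known-good image, which is the integrity-monitoring idea the post's best-practices list refers to. The firmware volume, the file GUIDs and the file bodies are constructed in the code so it runs offline; a real dump would come from flashrom and usually contains compressed or nested volumes that this parser does not descend into.

```python
"""Enumerate the files inside a UEFI firmware volume (FFS), hash each one and compare against
a known-good baseline so that an added or modified DXE driver stands out.  The sample volume
is constructed in-code rather than dumped from hardware."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"   # ZeroVector, FileSystemGuid, FvLength, Signature, Attributes,
                                     # HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
FFS_HEADER_FMT = "<16sHBB3sB"        # Name GUID, IntegrityCheck, Type, Attributes, Size (24-bit), State
FFS_HEADER_LEN = struct.calcsize(FFS_HEADER_FMT)   # 24
FFS_ATTRIB_LARGE_FILE = 0x01
EFI_FIRMWARE_FILE_SYSTEM2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
              0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x09: "APPLICATION",
              0x0B: "FIRMWARE_VOLUME_IMAGE", 0xF0: "FFS_PAD"}


def parse_firmware_volume(data):
    """Return a list of {guid, type, offset, size, sha256} for every FFS file in the volume."""
    (_, _, fv_len, sig, _, hdr_len, _, _, _, _) = struct.unpack_from(FV_HEADER_FMT, data, 0)
    if sig != FV_SIGNATURE or fv_len > len(data):
        raise ValueError("not a firmware volume header")
    files, off = [], hdr_len
    while off + FFS_HEADER_LEN <= fv_len:
        name, _, ftype, fattr, size3, _ = struct.unpack_from(FFS_HEADER_FMT, data, off)
        if name == b"\xff" * 16:           # erased flash (erase polarity 1): no more files
            break
        size, hlen = int.from_bytes(size3, "little"), FFS_HEADER_LEN
        if fattr & FFS_ATTRIB_LARGE_FILE:  # 24-bit size is unused, a 64-bit size follows the header
            size = struct.unpack_from("<Q", data, off + FFS_HEADER_LEN)[0]
            hlen += 8
        if size < hlen or off + size > fv_len:
            raise ValueError(f"corrupt FFS header at 0x{off:x}")   # also prevents a zero-size loop
        files.append({"guid": str(uuid.UUID(bytes_le=name)),
                      "type": FILE_TYPES.get(ftype, f"0x{ftype:02x}"), "offset": off, "size": size,
                      "sha256": hashlib.sha256(data[off + hlen:off + size]).hexdigest()})
        off = (off + size + 7) & ~7        # files are 8-byte aligned within the volume
    return files


def diff_against_baseline(files, baseline):
    """baseline maps file GUID -> body sha256 taken from a known-good image of the same board."""
    changes, seen = [], set()
    for f in files:
        seen.add(f["guid"])
        expected = baseline.get(f["guid"])
        if expected is None:
            changes.append(("added", f["guid"], f["type"]))
        elif expected != f["sha256"]:
            changes.append(("modified", f["guid"], f["type"]))
    changes += [("removed", g, "?") for g in sorted(baseline.keys() - seen)]
    return changes


# --- constructed sample volume (all GUIDs and bodies are placeholders) --------------------
def build_ffs_file(guid, ftype, body):
    size = FFS_HEADER_LEN + len(body)
    return struct.pack(FFS_HEADER_FMT, uuid.UUID(guid).bytes_le, 0, ftype, 0,
                       size.to_bytes(3, "little"), 0xF8) + body


def build_firmware_volume(ffs_files, fv_len=0x2000):
    hdr_len = struct.calcsize(FV_HEADER_FMT) + 2 * 8          # header + one block-map entry + terminator
    hdr = struct.pack(FV_HEADER_FMT, b"\0" * 16, EFI_FIRMWARE_FILE_SYSTEM2_GUID.bytes_le, fv_len,
                      FV_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2)
    hdr += struct.pack("<IIII", fv_len // 0x1000, 0x1000, 0, 0)
    body = b""
    for f in ffs_files:
        body += f + b"\xff" * (-len(f) % 8)                   # keep every file 8-byte aligned
    return (hdr + body).ljust(fv_len, b"\xff")


CORE_GUID = "aaaaaaaa-0000-4000-8000-000000000001"      # constructed placeholder GUIDs
VENDOR_DRIVER_GUID = "bbbbbbbb-0000-4000-8000-000000000002"
UNKNOWN_DRIVER_GUID = "cccccccc-0000-4000-8000-000000000003"
GOOD_VOLUME = build_firmware_volume([build_ffs_file(CORE_GUID, 0x05, b"MZ-dxe-core-image"),
                                     build_ffs_file(VENDOR_DRIVER_GUID, 0x07, b"MZ-vendor-driver")])
BASELINE = {f["guid"]: f["sha256"] for f in parse_firmware_volume(GOOD_VOLUME)}
# A later dump in which the vendor driver's body changed and an unknown DXE driver appeared.
SUSPECT_VOLUME = build_firmware_volume([build_ffs_file(CORE_GUID, 0x05, b"MZ-dxe-core-image"),
                                        build_ffs_file(VENDOR_DRIVER_GUID, 0x07, b"MZ-vendor-driveX"),
                                        build_ffs_file(UNKNOWN_DRIVER_GUID, 0x07, b"MZ-unknown-driver")])

if __name__ == "__main__":
    for change in diff_against_baseline(parse_firmware_volume(SUSPECT_VOLUME), BASELINE):
        print(change)
```

The baseline has to come from a dump of the same board and BIOS version taken before deployment (or from the vendor's capsule), because a legitimate BIOS update changes most hashes too; the useful signal is a file that appears or changes when no update was applied.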


Intel ME Exploits

Intel ME has direct access to DRAM, the CPU and the network. Vulnerabilities (e.g. Intel SA-00086) have allowed execution of custom code in the ME runtime.
The danger: control below the OS level, invisible to monitoring tools.

Tools:
  • me_cleaner - an attempt to partially disable ME.
  • CHIPSEC - a framework for platform firmware security analysis and auditing.

BMC and remote management

BMCs are often exploited via:
  • Web interfaces (XSS, RCE, default passwords).
  • Vulnerabilities in IPMI/Redfish (for example, CVE-2018-1207 in Dell iDRAC).
  • Non-isolated management networks.
Risks:
Compromising the BMC = full control of the server, including power, firmware and console.
Case study: the LightNeuron attack on Microsoft Exchange via BMC-compromised servers.
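The BMC weaknesses named above (default accounts, exposed web interfaces, IPMI) and the later advice to keep the BMC isolated and switch off unnecessary services can be checked from the controller's own Redfish configuration. Added example, not code from the original post or from any vendor: it audits two resources shaped like the DMTF Redfish ManagerNetworkProtocol and AccountService schemas for legacy services left on, a weak password policy and surplus or vendor-default-named administrator accounts, and shows the corrected configuration next to the weak one. The JSON documents, usernames and thresholds are constructed; on a real BMC the data would come from GET /redfish/v1/Managers/<id>/NetworkProtocol and /redfish/v1/AccountService (the Accounts collection is inlined here for simplicity).

```python
"""Offline audit of a BMC's Redfish configuration: legacy/plaintext services left enabled,
weak account policy and surplus administrator accounts.  Inputs are constructed samples."""
import copy
import json

WEAK_NETWORK_PROTOCOL = json.loads("""{
  "HTTP":   {"ProtocolEnabled": true,  "Port": 80},
  "HTTPS":  {"ProtocolEnabled": true,  "Port": 443},
  "IPMI":   {"ProtocolEnabled": true,  "Port": 623},
  "Telnet": {"ProtocolEnabled": true,  "Port": 23},
  "SSH":    {"ProtocolEnabled": true,  "Port": 22},
  "KVMIP":  {"ProtocolEnabled": true,  "Port": 5900},
  "SNMP":   {"ProtocolEnabled": true,  "Port": 161}
}""")

WEAK_ACCOUNT_SERVICE = json.loads("""{
  "MinPasswordLength": 8,
  "AccountLockoutThreshold": 0,
  "Accounts": [
    {"UserName": "root",          "Enabled": true, "RoleId": "Administrator"},
    {"UserName": "Administrator", "Enabled": true, "RoleId": "Administrator"},
    {"UserName": "monitor",       "Enabled": true, "RoleId": "ReadOnly"}
  ]
}""")

# Services that carry credentials or console traffic in the clear, or that should be off
# unless the management workflow actually needs them.
LEGACY_SERVICES = {
    "Telnet": ("high",   "plaintext console; disable and use SSH"),
    "HTTP":   ("medium", "plaintext web UI; disable or force a redirect to HTTPS"),
    "IPMI":   ("medium", "IPMI over LAN enabled; disable unless required and restrict by ACL"),
    "SNMP":   ("low",    "SNMP enabled; confirm v3-only or disable"),
}
# Generic usernames that common BMC families ship with (names only, no credentials).
DEFAULT_ACCOUNT_NAMES = {"root", "admin", "ADMIN", "Administrator"}


def audit_network_protocol(np):
    findings = []
    for name, (severity, advice) in LEGACY_SERVICES.items():
        svc = np.get(name, {})
        if svc.get("ProtocolEnabled"):
            findings.append({"check": f"{name.lower()}-enabled", "severity": severity,
                             "detail": f"{name} on port {svc.get('Port')}: {advice}"})
    return findings


def audit_account_service(acct, min_password_length=12):
    findings = []
    if acct.get("MinPasswordLength", 0) < min_password_length:
        findings.append({"check": "weak-password-policy", "severity": "medium",
                         "detail": f"MinPasswordLength={acct.get('MinPasswordLength')} (< {min_password_length})"})
    if not acct.get("AccountLockoutThreshold"):
        findings.append({"check": "no-lockout", "severity": "medium",
                         "detail": "AccountLockoutThreshold=0 allows unlimited password guessing"})
    enabled = [a for a in acct.get("Accounts", []) if a.get("Enabled")]
    admins = [a["UserName"] for a in enabled if a.get("RoleId") == "Administrator"]
    if len(admins) > 1:
        findings.append({"check": "multiple-admins", "severity": "low",
                         "detail": "enabled Administrator accounts: " + ", ".join(admins)})
    for a in enabled:
        if a["UserName"] in DEFAULT_ACCOUNT_NAMES:
            findings.append({"check": "default-account-name", "severity": "medium",
                             "detail": f"'{a['UserName']}' is a vendor-default name; replace with named accounts"})
    return findings


def audit_bmc(np, acct):
    return audit_network_protocol(np) + audit_account_service(acct)


def hardened_copy(np, acct):
    """Apply the remediation the findings ask for and return the corrected pair for comparison."""
    np2, acct2 = copy.deepcopy(np), copy.deepcopy(acct)
    for name in LEGACY_SERVICES:
        np2.setdefault(name, {})["ProtocolEnabled"] = False
    acct2["MinPasswordLength"] = 14
    acct2["AccountLockoutThreshold"] = 5
    acct2["Accounts"] = [{"UserName": "ops-jsmith", "Enabled": True, "RoleId": "Administrator"},
                         {"UserName": "monitor",    "Enabled": True, "RoleId": "ReadOnly"}]
    return np2, acct2


if __name__ == "__main__":
    for f in audit_bmc(WEAK_NETWORK_PROTOCOL, WEAK_ACCOUNT_SERVICE):
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
    print("after hardening:", audit_bmc(*hardened_copy(WEAK_NETWORK_PROTOCOL, WEAK_ACCOUNT_SERVICE)))
```

Run against a fleet, the same functions can be fed the JSON from every BMC and the findings aggregated; a configuration audit like this does not replace network isolation of the management VLAN, it tells you what is exposed inside it.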


Supply Chain: When Malware is Embedded at the Factory

Attackers increasingly infect the supply chain rather than end systems:
  • Firmware infected at OEM production (example: ShadowHammer, 2019, infected ASUS updates).
  • Malicious updates delivered through signed packages (compromised vendor certificates).
Modern mitigations:
  • reproducible builds
  • firmware signing and secure update channels
  • SBOM (Software Bill of Materials) for firmware components


Analysis and Testing Tools

Instrument                  Purpose
CHIPSEC                     Intel framework for testing firmware, UEFI and SPI
UEFITool / UEFIDump         Extracting and modifying firmware images
Binwalk                     Analyzing binary images, finding compressed sections and ELF files
Flashrom                    Reading and writing SPI flash chips
MEAnalyzer                  Analyzing Intel ME / TXE regions
IDA Pro / Ghidra            Reversing DXE drivers and UEFI images
RWEverything / AMT Tools    Access to ME, ACPI, PCI and SMBus devices


Protection and Best Practices
  • Enable Secure Boot and enforce a strict chain of trust (PK, KEK, db/dbx).
  • Use Signed Capsule Updates - only allow verified BIOS updates.
  • Restrict writes to SPI Flash (BIOS Lock, FLOCKDN).
  • Monitor firmware integrity (fwupd, CHIPSEC integrity tests).
  • Isolate BMC on a separate VLAN, keep its firmware updated and disable unnecessary services.
  • Control the supply chain: require signed images and verify SHA256 checksums.
  • Remove or limit Intel ME/AMT when possible (via OEM tools).


Outlook: Firmware Threat Intelligence

Modern APT groups are increasingly moving down the stack, to firmware and hardware components.
New trends:
  • Firmware-level EDR - monitoring SPI/UEFI events.
  • Hardware attestation via TPM 2.0 and DRTM.
  • AI-based anomaly detection for BMC and IPMI.
UEFI and BMC are becoming not just vulnerability points, but a new front in cyber warfare.
Where the antivirus doesn't see, only knowledge and control at the platform level remain.


Conclusion

Firmware security is about protecting trust in the computing platform, not just the machine itself.
UEFI and BMC are full-fledged operating environments with network stacks and vulnerabilities.
Understanding their architecture and analysis tools is an essential skill for security engineers.