Wake-from-sleep vulnerability leaves UEFIs open to attack

Most modern motherboards support firmware write protection to prevent unwanted BIOS flashes, but a vulnerability in many UEFI firmware implementations can silently disable that protection. A new warning posted by Carnegie Mellon University's CERT says that when many x86-based systems wake from sleep, their firmware fails to re-enable the write protection it set at boot.

The hole opens when an affected system goes to sleep and then wakes up. Many Intel-based x86 systems control flash write protection with a flag in a chipset register. When the bit is set, the BIOS region of the flash is write-protected; after a reset the bit is clear by default. Every hardware reset returns the register to that default state, and it is up to the firmware to set the bit again during boot. In the S3 sleep state most PCs use for "sleep", most of the chipset is powered down and the register's contents are lost, so the wake process is treated as a hardware reset and the register comes back cleared. Many firmware implementations set the bit only on a cold boot and never on the resume path, so after a sleep-wake cycle write protection stays off until the next full reboot.
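The check a practitioner would want here is a way to see whether the lock bit is actually set before and after a sleep-wake cycle. The following is an added example, not code from the article, from CERT or from any vendor. It assumes the standard Intel PCH layout (not stated on the page): the LPC bridge is PCI device 00:1f.0 and its BIOS_CNTL register sits at config offset 0xDC, with BIOSWE (write enable) in bit 0, BLE (lock enable) in bit 1 and SMM_BWP (writes allowed only from SMM) in bit 5. The sysfs path and the before/after sample values are assumptions for illustration.

```c
/*
 * Added example, not code from the article, CERT or any vendor: a Linux
 * userspace check for the flash write-protect bits described above.
 *
 * Assumptions (standard Intel PCH layout, not stated on the page): the LPC
 * bridge is PCI device 00:1f.0 and BIOS_CNTL is at config offset 0xDC, with
 * BIOSWE in bit 0, BLE in bit 1 and SMM_BWP in bit 5.
 * Run it as root before and after a suspend/resume; if the second run says
 * "WRITABLE", the firmware did not re-arm the lock on wake.
 */
#include <stdint.h>
#include <stdio.h>

#define PCH_LPC_CONFIG "/sys/bus/pci/devices/0000:00:1f.0/config" /* assumed path */
#define BIOS_CNTL_OFFSET 0xDC

#define BIOSWE  (1u << 0) /* BIOS Write Enable: 1 = flash writable from ring 0 */
#define BLE     (1u << 1) /* BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can veto it */
#define SMM_BWP (1u << 5) /* SMM BIOS Write Protect: flash writable only while all cores are in SMM */

enum wp_state { WP_WRITABLE = 0, WP_LOCKED_BLE = 1, WP_LOCKED_SMM = 2 };

/* Decode BIOS_CNTL into a protection state. SMM_BWP is the strong lock;
 * BLE with BIOSWE clear is the older, SMI-dependent lock; anything else
 * leaves the flash writable from a kernel driver. */
enum wp_state bios_cntl_state(uint8_t bios_cntl)
{
    if (bios_cntl & SMM_BWP)
        return WP_LOCKED_SMM;
    if ((bios_cntl & BLE) && !(bios_cntl & BIOSWE))
        return WP_LOCKED_BLE;
    return WP_WRITABLE;
}

/* The value firmware should write back on every boot AND on S3 resume:
 * write-enable cleared, both lock bits set. The lock bits are write-once
 * until the next reset, which is exactly why they vanish after S3. */
uint8_t arm_write_protect(uint8_t bios_cntl)
{
    return (uint8_t)((bios_cntl & ~BIOSWE) | BLE | SMM_BWP);
}

/* 1 if protection was present before sleep and absent after wake. */
int lock_lost_on_wake(uint8_t before, uint8_t after)
{
    return bios_cntl_state(before) != WP_WRITABLE &&
           bios_cntl_state(after) == WP_WRITABLE;
}

/* Read BIOS_CNTL through sysfs PCI config space. Returns 0 on success. */
int read_bios_cntl(const char *path, uint8_t *out)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    int ok = fseek(f, BIOS_CNTL_OFFSET, SEEK_SET) == 0 &&
             fread(out, 1, 1, f) == 1;
    fclose(f);
    return ok ? 0 : -1;
}

static const char *describe(enum wp_state s)
{
    switch (s) {
    case WP_LOCKED_SMM: return "locked (SMM_BWP)";
    case WP_LOCKED_BLE: return "locked (BLE only)";
    default:            return "WRITABLE";
    }
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : PCH_LPC_CONFIG;
    uint8_t v;
    if (read_bios_cntl(path, &v) != 0) {
        /* Not a Linux/Intel box, or not root: fall back to constructed
         * before/after values that mimic the flaw the article describes. */
        uint8_t before = 0x22, after = 0x00;
        printf("could not read %s; using constructed sample values\n", path);
        printf("before sleep: 0x%02x %s\n", before, describe(bios_cntl_state(before)));
        printf("after wake:   0x%02x %s\n", after, describe(bios_cntl_state(after)));
        printf("lock lost on wake: %s\n", lock_lost_on_wake(before, after) ? "yes" : "no");
        return 0;
    }
    printf("BIOS_CNTL=0x%02x BIOSWE=%d BLE=%d SMM_BWP=%d -> %s\n", v,
           !!(v & BIOSWE), !!(v & BLE), !!(v & SMM_BWP), describe(bios_cntl_state(v)));
    return bios_cntl_state(v) == WP_WRITABLE ? 1 : 0;
}
```

Build with `cc -O2 -o bioswp bioswp.c`, run `sudo ./bioswp`, suspend the machine (`systemctl suspend`), and run it again; a system with the flaw reports a lock before sleep and "WRITABLE" after. The same register check is what chipsec's `common.bios_wp` module performs, so that tool can be used instead of this example where it is available. The firmware-side fix is the `arm_write_protect` value written in the S3 resume path, not just in the cold-boot path.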

CERT lists several vendors that may be affected, including Dell, Lenovo, and Apple, along with BIOS vendors such as American Megatrends and Phoenix, whose firmware code is found in many other systems. Apple and Dell have confirmed that at least some of their systems are affected. Apple has released an EFI security update, and Dell has given CERT a list of affected systems; Dell customers should visit the company's support site to get their system's latest BIOS.

Amid the torrent of vulnerabilities uncovered by the Hacking Team leaks, Trend Micro warned of the gray-hat developer's UEFI rootkit, which persists in the motherboard's firmware flash rather than on disk. One of Trend Micro's suggestions is to make sure that one's BIOS is write-protected, but on systems affected by this sleep-wake flaw, protection set at boot lapses the first time the machine sleeps, so that advice alone isn't enough. Another of the anti-virus maker's suggestions is to install any security-related BIOS update your vendor offers. We think it'd be wise to visit your motherboard vendor's support site and look for updates.

Ben Funk

Sega nerd and guitar lover

Comments closed
    • mFvwv0zduc
    • 6 years ago

    For my motherboard (AsRock FM2A75 Pro4) there was no BIOS update since 2013. Nice…

      • Nevermind
      • 6 years ago

      Bah, doing you a favor.

    • HisDivineOrder
    • 6 years ago

    This is why UEFI is bad. It’s too complicated. A BIOS needs to be extremely simple. It needs to start your computer up. It doesn’t need mouse support. It shouldn’t be in 4K resolution. It shouldn’t have music or allow you to connect to your wifi and watch a movie.

    It’s a BIOS. It starts your computer. Keep it simple, stupid.

    Or suffer from bloat and insecurity.

      • Deanjo
      • 6 years ago

      Dude, even simple BIOSes were easily exploited.

        • Nevermind
        • 6 years ago

        But that’s his point too, the more complex you make them the more ‘holes’ you open up.
        The more versions of the BIOS you need, the more testing required, the more likely something will get overlooked anyway… and the greater effort required to patch when vulns discovered.

        UEFI is not the holy grail of the basic input output system, it has its flaws and features too.
        If you can accomplish some of those features without adding bloat/holes, win/win.

        But his point is that putting bells and whistles in the BIOS function is not helpful, I’d agree.
        Who needs a mouse to navigate a BIOS? Nobody does. Who needs 4k resolution? NOBODY!

        If they spent the time developing those “features” on other more basic and integral aspects..

          • Deanjo
          • 6 years ago

          The solution is again not to depend on vendor supplied closed firmware. What is needed is an open firmware solution that all manufacturers must adopt. We have seen what this can do for the reliability of a product with the example of routers. Thanks to their openness, most routers are seeing extended secure lifetimes now.

      • Krogoth
      • 6 years ago

      BIOS is an ancient artifact that we needed to get away from.

      UEFI is so much better. Hardware vendors are just barely tapping into its potential. This kind of attack vector isn’t new at all. Secured UEFI makes this attack vector difficult at best.

        • lilbuddhaman
        • 6 years ago

        "Hardware vendors are just barely tapping into its potential."

        And they won't. Meanwhile the NSA backdoors built right into the UEFI specs mean hackers are "just barely tapping into its potential" with much more exciting vulnerabilities waiting to be found.

          • Krogoth
          • 6 years ago

          You realize that NSA doesn’t put backdoors in customer-tier hardware? Drives up costs and it doesn’t fit their MO.

    • Bauxite
    • 6 years ago

    Whatever happened to hardware jumpers on the write lines for important things? We’re getting way too sloppy with design it seems…

    Nothing to exploit when the extra pin on the chip required to complete the write circuit does not receive any current.

    • anotherengineer
    • 6 years ago

    Does this affect old school BIOSes?? Doesn’t really matter either way since I have my PC in “performance mode” and set to never sleep or hibernate anyway.

    Interesting bug though.

      • Deanjo
      • 6 years ago

      It is an interesting bug, but for it to actually be exploited the chances are pretty small. You still have to have console access to the machine in the first place. While 007 would like to have you believe that this happens all the time, the chances of the end consumer ever really seeing this exploited on them are pretty damn small (unless the NSA is watching you).

        • Bauxite
        • 6 years ago

        1 good driveby download pwns your box because you waited too long to update flash or whatever (or were a pre-release victim) and instead of just wiping the drive now you need a JTAG or new eeprom chip? You can’t trust any built-in or software based reflash tool after that if they know what they’re doing.

        All it takes is one exploit kit writer to go to the trouble and put a working POC on the scumware market, and they will all start doing it….tbh I’m really not sure why no one has yet.

          • Deanjo
          • 6 years ago

          I’d be more worried of someone just picking it up and stealing it.

          • Nevermind
          • 6 years ago

          Mobo makers need a ‘flash bios write allow’ switch, a physical switch, on the mobo.

          Nothing else satisfies.

            • Deanjo
            • 6 years ago

            Unique proprietary key switch. Think of it as a locking lug nut for your BIOS.

            • Nevermind
            • 6 years ago

            Vendors should also include brain teaser quizzes to the bios flash procedure.

            “You must be this tall to flash the BIOS”

        • Krogoth
        • 6 years ago

        Bingo.

        If you attackers have physical access to your computer, then all bets are off.

        Physical layer is the final and most important layer in any security schema.

    • Anovoca
    • 6 years ago

    Time to go back to 3D Maze.

    • UnfriendlyFire
    • 6 years ago

    I’m pretty sure my laptop manufacturer isn’t going to be releasing anymore BIOS updates in the future for my laptop. They released 6 updates since the laptop launched in mid 2013.

    EDIT: They still haven’t fixed a bug where booting from USB stick or external HDD on UEFI results in an infinite reboot or an error message, even with Secure Boot disabled. Which makes OS installation on UEFI complicated.

      • Deanjo
      • 6 years ago

      That’s actually pretty good compared to most laptops. The usual is maybe one or two updates.

      • derFunkenstein
      • 6 years ago

      Some of those updated Dell models go back to 2010, so the least your notebook’s vendor can do is show a little courtesy. I have a Latitude E5420, a Sandy Bridge-era business model affected by this flaw, and updated the BIOS last night.

        • Deanjo
        • 6 years ago

        Business models are the ones most likely to see the fix. For the majority of the consumer class stuff it is unlikely that it will be addressed (especially from the likes of companies like Acer).

    • Dizzytaz00
    • 6 years ago

    This makes me think now about staying with a Gigabyte dual-BIOS motherboard on my next build.

      • Nevermind
      • 6 years ago

      If one of the two is compromised it will probably get the other if you’re not forensic about it.

        • Dizzytaz00
        • 6 years ago

        Let me just tell you this: they’re very hard to crash. (I did crash both BIOSes on one Gigabyte motherboard. How? Sorry, I’m not going into detail.)

          • Nevermind
          • 6 years ago

          Yeah but if you get windows infected, then switch to the alternate BIOS…

          I’d say your chances of hosing up both BIOSes go up.

    • Meadows
    • 6 years ago

    I used to use sleep-wake cycles often but I’ve grown accustomed to simply never turning off the computer in these past few years, so I guess I’m safe as there’s never a “wake” event.

      • anotherengineer
      • 6 years ago

      Mine is off most of the time. Only start my home PC when I use it. Poor thing sometimes only gets booted up once a week, sometimes for maybe an hour.

    • yuhong
    • 6 years ago

    Security bugs are not the only bugs I worry about. There needs to be a support lifecycle for this.

    • BlackDove
    • 6 years ago

    I never use sleep lol.

      • auxy
      • 6 years ago

      Likewise! (´・ω・`)

        • BlackStar
        • 6 years ago

        Being a computer scientist, I never sleep. At all.

    • SomeOtherGeek
    • 6 years ago

    You know, I don’t know how to take this…

    I have an ASRock Z77 Extreme6 and the last update they did for the board was 7/23/2013. I’ll be keeping an eye out for an update on this, but it doesn’t look promising.

    So, my question is, if the factory isn’t going to update it, is the only option to get a new board? Sounds silly to me.

      • DrDominodog51
      • 6 years ago

      Enthusiast Modded UEFI is an option, but it’s risky

      • just brew it!
      • 6 years ago

      Or don’t use sleep. If you’d rather not leave the system powered, use hibernate instead.

        • SomeOtherGeek
        • 6 years ago

        Good idea. Changed.

        • BlackStar
        • 6 years ago

        Make sure it’s real hibernation, not hybrid sleep (which hibernates but uses normal sleep instead of turning off the system completely.)

          • Nevermind
          • 6 years ago

          I would never use either hybrid sleep or hibernation. Turn the machine off.

          If your boot time is that great, it’s time to fix that.

            • just brew it!
            • 6 years ago

            That’s a great option if it doesn’t clash with your normal workflow. It isn’t just about boot time though. I frequently have dozens of windows open, representing work in progress, things I was reading online (but didn’t finish yet and want to get back to), reference material, etc.; I keep everything organized using virtual desktops. Even if my system boots to the desktop in 10 seconds, it’s still several minutes of screwing around to get everything back roughly the way it was (and that assumes I remembered to bookmark the web pages I want to reopen).

            • Nevermind
            • 6 years ago

            In that case I’d lock the OS and leave it on rather than dump ram-state to a physical file…

            • just brew it!
            • 6 years ago

            This is in fact what I do. Note that I qualified the recommendation with “If you’d rather not leave the system powered…” several posts back.

            • BobbinThreadbare
            • 6 years ago

            Why is your method better?

            • Nevermind
            • 6 years ago

            “(and that assumes I remembered to bookmark the web pages I want to reopen)”

            You can download entire sites for offline browsing… if you have the spacetime/effort.

            • mFvwv0zduc
            • 6 years ago

            Firefox can remember your windows and all tabs in them. When you restart your system, Firefox will restore all windows on all virtual desktops with all tabs; you will have pages open and scrolled down to where you finished reading. Try it (you will need to set an option in the configuration first to make it remember such things).
            One thing I am not sure of is whether your virtual desktop app will allocate certain browser windows to their virtual workspaces.

            • just brew it!
            • 6 years ago

            They’d probably all end up piled onto the default workspace, which is better than nothing but still non-ideal. At least I’ve got global hotkeys configured to move windows between workspaces (Ctrl-Alt-Shift-<numpad> is an instant “send the window with focus to workspace x”).

    • Deanjo
    • 6 years ago

    Apple pushes out a fix a month ago, PC users are expected to find out about this, search and hope their vendor offers a fix and Dell says “Yup, these ones are broken”.

      • Ninjitsu
      • 6 years ago

      Apple has like 5 products* to look after. Come on, you know better.

      *I’m exaggerating, but yeah. They don’t exactly have a massive job. And to think that it took CMU to point it out to them tells me even Apple doesn’t pay attention to its own systems.

        • BlackStar
        • 6 years ago

        Then maybe other PC vendors should consider having fewer products so they can actually support them properly?

        I don’t care if it’s a difficult job or not, all that I care about is that they do their job and provide me with timely upgrades.

        • Deanjo
        • 6 years ago

        And there are about 3 BIOS developers: AMI, Phoenix, and Award.

        They addressed it when it came to light at the start of June. Meanwhile millions of PC’s out there by multiple vendors didn’t discover it either.

          • Ninjitsu
          • 6 years ago

          But don’t they have lots of different boards and BIOSes to support? I don’t know the exact process, but I’d assume AMI/Phoenix/Award ship their basic BIOS code to vendors, who further customise it per motherboard model? After all, the vendors provide the updates to us.

          And I’d assume that the basic BIOS code is changed from year to year, to support new features?

          All I’m saying is, it’s a much, much larger task than what Apple has to do; it’ll take more time. Hopefully with the press picking it up, they’ll move faster.

            • Deanjo
            • 6 years ago

            "But don't they have lots of different boards and BIOSes to support? I don't know the exact process, but I'd assume AMI/Phoenix/Award ship their basic BIOS code to vendors, who further customise it per motherboard model? After all, the vendors provide the updates to us."

            Not really. Often the BIOSes for a series are pretty much identical for an entire family of boards, with the manufacturers simply turning features on or off by SKU (BIOS modders can attest to that). Sometimes the tools are even made public (as in the case of Intel boards). 99% of the work is done by the 3 major BIOS companies; the board makers usually slap in their tables and their GUI modifications. This is why when you see a BIOS update for one board from a manufacturer you see a release for pretty much every board in that series.

            "And I'd assume that the basic BIOS code is changed from year to year, to support new features?"

            Not necessarily; for example, the Asus and ASRock AM3+ code hasn't really changed in years. In fact, cross-flashing an Asus BIOS onto an ASRock board is even done sometimes.

            "All I'm saying is, it's a much, much larger task than what Apple has to do, it'll take more time."

            Apple also has to do a lot more work than the other vendors, as the bulk of their "bios" is done in house.

            "Hopefully with the press picking it up, they'll move faster."

            I wouldn't bet on it being addressed at all on most boards, and only a few recent boards may see fixes. There are millions of machines out there that have not and likely never will see updates for similar security flaws exposed a year or so ago.

            http://www.pcworld.com/article/2337180/new-attack-methods-can-brick-systems-defeat-secure-boot-researchers-say.html

            Just the other night I had to modify a newer Asus BIOS for my Asus Sabertooth 990FX Rev 1 motherboard to address a condition where, if IOMMU was left disabled, it would cause spurious USB renegotiations and render USB useless on non-Windows systems (it still happens in Windows, but it just puts up with it and gives you really flaky USB). I grabbed that later BIOS from 2015 for the current board (they stopped putting out BIOS updates for mine in October of 2012), did some quick and easy mods to disable a few features my board didn't have (literally flipping a switch in a GUI), and now with the force-flashed BIOS everything is working again.
