ESET is the first endpoint security vendor to add firmware scanning to its products. A full year after the launch of the ESET UEFI Scanner module in October 2017, ESET is still the only major vendor providing this layer of security to its customers in its standard product range.
With one year under its belt, let's look at the benefits of the ESET UEFI Scanner technology, and also clear up some of the misconceptions that surround it.
We sat down with Roman Kováč, ESET’s Chief Research Officer, and asked him a few questions.
After reading the interview, you may want to learn more about UEFI and related security issues in the articles we have previously published, and will soon publish, on WeLiveSecurity.
It is noteworthy that ESET is still the only major vendor whose endpoint security solutions can scan a computer's firmware. How come others still haven’t followed suit?
I can't fully answer your question because I can't speak on behalf of our competitors. But I understand what you're getting at – well, it might appear that we’re wasting resources to develop some niche feature that many others don’t consider important.
To address the underlying question, however, I have to explain why we consider it essential for users to have their firmware secure.
The reason is that the consequences of compromising a computer's firmware are extremely severe. By definition, if the attackers can control what processes are launched – and how – when a computer boots, then they fully control it. On top of being an extremely dangerous means for implementing cyberattacks, firmware modifications are difficult to detect and able to survive severe security measures such as operating system reinstallation and even hard disk replacement.
Yes, these are known facts. But still, these attacks are pretty rare, aren't they?
Well, let me remind you of one of the basic principles of risk management: risk is a function of both the cost of an event and its probability. So even attacks that are rare might pose a relatively high risk if the impact is substantial – which is the case here.
And as for probability, things get complicated when you dive into the details. Think of highly targeted cyberattacks: yes, the likelihood that average users will find themselves in the crosshairs of some advanced APT group is close to zero. But, naturally, among our customers there are also some who are being regularly targeted by APT groups.
What I wanted to say is that the likelihood of being attacked varies according to the type of potential victims.
And when it comes to APT groups, these sophisticated attackers are more likely to employ new, previously unseen cyberweapons.
What attack scenarios of this type are there?
Computer firmware can be modified in such a way that its security and functionality are compromised. There are several ways to achieve this.
The first option, which is the most common, is that your computer vendor implemented some firmware modifications to, for example, enable remote diagnostics or servicing. In principle, there is nothing wrong with such modifications, even if it's some third party who provides the services – as long as (A) the customer is aware of them, (B) they don't contain vulnerabilities that could be misused in some way and (C) the device owner can entirely disable them.
Another possibility is manual, malicious flashing when the attacker has direct access to the device. This can occur in the course of shipping or at a repair shop, or it can be carried out by a malicious insider within your organization or by an intruder who breaks into the premises.
The third option is a remote attack using malware and various tools to modify the firmware.
So, such tools are known to exist?
You are right. The infamous Hacking Team had already advertised their ability to modify the target's firmware, as was alleged when this dubious provider of hacking tools was itself hacked and its confidential documents leaked to the public. Also, a UEFI rootkit was among tools that were revealed to the public by WikiLeaks, proving that the claims in the Hacking Team’s documents were indeed factual. Plus, a few UEFI rootkit proofs-of-concept have been presented at various conferences.
But still, UEFI rootkits can’t be considered a real threat since none has ever been seen in the wild...
Well, since this summer, that is no longer true. We have discovered a campaign that utilizes a UEFI rootkit and will present our findings on September 27 at the BlueHat conference in Redmond, Washington, in the US. Only on that day will we publicly reveal our findings on WeLiveSecurity.
As for the UEFI Scanner, just the fact that such a rootkit has been detected in the wild clearly shows that the ability to scan the computer's firmware, and not only its memory and drives, is essential.
Can you tell us about how this protection layer performs?
We have received thousands of detection reports from the UEFI Scanner module, and that's only from users that have the reporting functionality enabled. Most of them are Potentially Unsafe Applications.
Unsafe, but only potentially – this sounds like most of your detections are false alarms…
Well, if you scrutinize an application detected as a Potentially Unsafe Application and find it legitimate, this alone doesn't mean that your detection was a false alarm.
To understand what a Potentially Unsafe Application is, imagine a situation in which a body scanner indicates that the person being scanned carries a gun. If the person happens to be a member of your security staff – would you call the scanner's signal a false alarm?
I think that this example illustrates well what we call a Potentially Unsafe Application. These are often legitimate applications, but if they are running on your PC or in your company's environment without your knowledge and consent, they may pose a risk. By the way, the body scanner parallel can also help me explain why the firmware-scanning technology in our products is an important layer of protection. Again, imagine a body scanner at the gate of some prominent institution. If such a scanner only sounds an alert very rarely – does that mean that there is no need to check whether people are bringing guns inside?
To sum it all up, we are proud of our firmware-scanning technology, the ESET UEFI Scanner module, and we consider it a vital part of our security solutions.