October 25, 2019 By King
By working with Windows 10 device manufacturers, Microsoft hopes to make firmware security compromises, those that happen before Windows itself boots, a thing of the past. The new initiative sees the introduction of updated “Secured-Core” devices, which have additional protections “baked-in” to defend against targeted firmware attacks.
What are targeted firmware attacks?
These attacks are, by Microsoft’s own admission, far from the norm. However, “in the last three years alone,” David Weston, director of OS security at Microsoft, said, “NIST’s National Vulnerability Database has shown nearly a five-fold increase in the number of firmware vulnerabilities discovered.” For anyone who does end up on the sharp end of this particular risk, the results can be catastrophic, especially if the victim device sits within a financial services, government or similarly sensitive environment. An advanced persistent threat (APT) attacker, the kind often associated with nation-state groups or well-resourced criminal organizations, who successfully compromises PC firmware gets a truly persistent and stealthy foothold on that machine: a foothold that survives not only reboots but the re-installation of the operating system and even replacement of the hard drive, because the implant lives in the firmware flash rather than on the disk. Detecting such a compromise is as tricky as you might imagine. Microsoft’s own, highly regarded, Windows Defender antivirus protection, like every other such application, runs at the operating system level, and the operating system only starts after the firmware has already executed, so it has no vantage point from which to inspect what ran before it.
Does this sound familiar, Windows users?
Sure, the idea of limiting how an operating system launches is nothing new. Microsoft introduced this, courtesy of Secure Boot, way back in Windows 8. To mitigate the risk of rootkits that run before the operating system itself launches, Secure Boot relied upon the Unified Extensible Firmware Interface (UEFI) firmware to check signatures so that only ‘properly signed’ bootloaders, such as the Windows boot manager itself, could execute. Have you spotted the problem with this yet? Yep, that’s right: the firmware doing the checking is trusted implicitly, so what if that already trusted firmware itself is compromised? Threats that exploit vulnerabilities in the firmware run before, or underneath, the signature check, and are not mitigated by Secure Boot alone. Enter Microsoft and System Guard Secure Launch to protect the boot process from these firmware attacks.
What is Windows 10 System Guard Secure Launch?
“Our investments in Windows Defender System Guard and Secured-Core PC devices,” Weston said, “are designed to provide the rich ecosystem of Windows 10 devices with uniform assurances around the integrity of the launched operating system and verifiable measurements of the operating system launch to help mitigate against threats taking aim at the firmware layer.” Using new chipset capabilities from the likes of AMD, Intel and Qualcomm, Windows 10 “now implements System Guard Secure Launch as a key Secured-core PC device requirement,” according to the Microsoft announcement. The capability is built into the silicon and relies on a dynamic root of trust for measurement (DRTM). The firmware is still used to start the hardware, but shortly afterwards the system is “re-initialized” into a known trusted state “by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path,” with the launch measured into the TPM from that point. This limits how much trust has to be placed in the firmware in the first place, and so mitigates the risk of those highly targeted firmware attacks: a tampered firmware can no longer silently dictate the state in which the operating system starts. One thing’s for sure, it all sounds a lot easier than times past when, and I am probably showing my age here, in order to protect the PC firmware you could toggle a jumper switch on the motherboard itself that prevented its data from being “flashed,” as the act of overwriting such data was called.
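As an added, practical companion to the two preceding sections (this is example code written for this page, not Microsoft’s own tooling), here is how to check from PowerShell whether UEFI Secure Boot, a TPM and System Guard Secure Launch are actually in effect on a given Windows 10 machine. It uses only documented cmdlets and the `Win32_DeviceGuard` WMI class, whose integer codes are given in the comments; the `SystemGuard` registry scenario key is the documented policy location for Secure Launch. Run it in an elevated session; the summary object it emits is the thing to compare across a fleet.

```powershell
# Added example: report Secure Boot, TPM and System Guard Secure Launch status.
# Run from an elevated PowerShell prompt on Windows 10 1809 or later.

# 1. UEFI Secure Boot (the Windows 8-era control). On a legacy BIOS machine the
#    cmdlet throws rather than returning $false, so treat an error as "not supported".
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
}

# 2. TPM presence and readiness. DRTM launch measurements are recorded in the TPM,
#    so without a ready TPM there is nothing to attest against.
$tpm = Get-Tpm

# 3. Device Guard / virtualization-based security status, which is where Windows
#    reports Secure Launch. Documented code values for Win32_DeviceGuard:
#      VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled, 2 = running
#      SecurityServicesConfigured / SecurityServicesRunning:
#        1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch,
#        4 = SMM Firmware Measurement
#      AvailableSecurityProperties:
#        1 = VBS, 2 = Secure Boot, 3 = DMA protection, 4 = Secure Memory Overwrite,
#        5 = UEFI code read-only, 6 = SMM security mitigations 1.0
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# 4. The policy switch. Enabled = 1 under this key asks Windows to use Secure Launch;
#    whether it actually runs still depends on the CPU, firmware and TPM.
$policy = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard' `
                           -Name Enabled -ErrorAction SilentlyContinue

$report = [PSCustomObject]@{
    SecureBootEnabled        = [bool]$secureBoot
    TpmPresent               = $tpm.TpmPresent
    TpmReady                 = $tpm.TpmReady
    VbsRunning               = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    HvciRunning              = ($dg.SecurityServicesRunning -contains 2)
    SecureLaunchPolicyOn     = ($policy.Enabled -eq 1)
    SecureLaunchConfigured   = ($dg.SecurityServicesConfigured -contains 3)
    SecureLaunchRunning      = ($dg.SecurityServicesRunning -contains 3)
    SmmFirmwareMeasurement   = ($dg.SecurityServicesRunning -contains 4)
    DmaProtectionAvailable   = ($dg.AvailableSecurityProperties -contains 3)
    UefiCodeReadOnly         = ($dg.AvailableSecurityProperties -contains 5)
}

$report | Format-List

# Flag the gap the article describes: Secure Boot on, but nothing re-measuring the
# launch underneath it, so a compromised firmware is still fully trusted.
if ($report.SecureBootEnabled -and -not $report.SecureLaunchRunning) {
    Write-Warning 'Secure Boot is on but System Guard Secure Launch is not running: firmware is still an implicit root of trust.'
}
```

A `SecureLaunchRunning` of `True` does not mean the firmware is clean. It means the launch was re-measured from a known processor state, so tampering would show up in the TPM measurements and in any attestation report built on them; those reports still have to be collected and checked somewhere, which is the part no sticker on the laptop does for you.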
Where can you get a Secured-Core Windows 10 device?
Among the first devices, mostly laptops, to get the new “Secured-Core” sticker is the new Surface Pro X. Dell, HP, Lenovo and Panasonic will be launching laptops with the new capabilities baked in. Responding to a question on Twitter, Microsoft’s Weston confirmed that you can load an operating system other than Windows 10 Pro or Enterprise on a Secured-Core device: “It’s just a pc you can load whatever you want,” he tweeted, before adding later that you could even run Windows 10 S. There’s more information about the devices that will support the initiative here.
What do security experts say about Microsoft’s Secured-Core initiative?
Robert Ramsden-Board, vice-president (EMEA) at Securonix, says that as operating system and firmware vulnerabilities can put organizations at serious risk and often go unnoticed, it’s “positive to see that Microsoft is being proactive about addressing these issues, particularly for organizations that handle sensitive intellectual property.” Javvad Malik, security awareness advocate at KnowBe4, says that these new Secured-Core devices look like they would be beneficial to small or medium businesses in particular, which often don’t have in-house expertise to harden machines. “With the Secured-Core PCs it should make the process to create a secure processing environment simpler,” Malik says, “which should be helpful in meeting compliance requirements, or satisfying larger partners with whom they do business that they manage their data in a comparatively secure manner.”
Nigel Stanley, CTO of TUV Rheinland, says that “the increase in firmware vulnerability discoveries since 2017 reflects the fact that bad actors will always look for the weakest chink in security armor.” Stanley also says that “if a bad actor wants to get you, they will,” so it makes sense, “for those who may be a high-value target to go the extra mile and look at the approach offered by the Secured-Core PC.” Only, Stanley says, after they have implemented a decent cybersecurity risk management and controls program, along with getting the basics right, that is.
What users shouldn’t do is think that a Secured-Core device is an un-hackable one. “A false sense of security could make people forget about other forms of cyberattacks,” says Jake Moore, a cybersecurity specialist at ESET, “such as targeted phishing emails, which remain a prominent threat vector.”
“Security is built in layers, not as a wall,” says Martin Jartelius, CSO of Outpost24. “Every layer that can be added does add a benefit to all but can also introduce some risks. This is not the resolution to end all risks; it’s one amongst many other pieces in a huge jigsaw puzzle.”