UEFI Bootkits: A Growing Concern in Medical Devices
Unsecured Boot Process
Because Secure Boot is not enabled, the code responsible for booting the operating system, both the UEFI-level components and the Windows bootloader itself, is not cryptographically verified before it runs. Malicious code can therefore be inserted into the boot process and gain control of the OS kernel before any OS-level defenses have loaded; malware that does this is called a bootkit (boot rootkit).
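A concrete way to check a device for the condition described above is to read the platform's Secure Boot state and compare the boot images on the EFI System Partition (ESP) against a known-good baseline. The script below is an added example written for this article; it is not code from Eclypsium, Illumina, or any of the bootkit families named later. It assumes the Linux efivarfs layout for the SecureBoot and SetupMode variables (a 4-byte attribute word followed by the variable data) and a caller-supplied baseline of SHA-256 hashes; the ESP contents, baseline and variable blobs in `demo()` are constructed for the demonstration.

```python
"""
Boot-chain posture check (added example, not from the original article).
Assumptions: Secure Boot state is read as efivarfs blobs (4-byte attributes,
then data) and a known-good SHA-256 baseline of the ESP boot images exists.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_efivar_bool(blob: bytes) -> bool:
    """Decode a one-byte boolean EFI variable as exposed by Linux efivarfs."""
    if len(blob) < 5:
        raise ValueError("efivar blob too short: %r" % (blob,))
    _attrs = int.from_bytes(blob[:4], "little")  # BS|RT (0x06) for SecureBoot/SetupMode
    return blob[4] != 0


def secure_boot_enforced(secureboot_blob: bytes, setupmode_blob: bytes) -> bool:
    """Images are only verified when SecureBoot=1 and SetupMode=0.
    In Setup Mode no Platform Key is enrolled, so signature checks are off."""
    return parse_efivar_bool(secureboot_blob) and not parse_efivar_bool(setupmode_blob)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_boot_images(esp_root, baseline, revoked=frozenset()):
    """Hash every .efi image under the ESP and compare against the baseline.

    baseline: {relative POSIX path: expected sha256}, an allow-list (db-like).
    revoked:  set of sha256 digests that must never run (dbx-like).
    Returns {relative path: verdict}.
    """
    root = Path(esp_root)
    verdicts = {}
    for p in sorted(root.rglob("*.efi")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        digest = sha256_file(p)
        if digest in revoked:
            verdicts[rel] = "REVOKED"
        elif rel not in baseline:
            verdicts[rel] = "UNEXPECTED"
        elif baseline[rel] != digest:
            verdicts[rel] = "MODIFIED"
        else:
            verdicts[rel] = "OK"
    for rel in baseline:
        verdicts.setdefault(rel, "MISSING")
    return verdicts


def assess(secureboot_blob, setupmode_blob, esp_root, baseline, revoked=frozenset()):
    """Combine the Secure Boot state with the ESP findings into one risk rating."""
    enforced = secure_boot_enforced(secureboot_blob, setupmode_blob)
    verdicts = check_boot_images(esp_root, baseline, revoked)
    tampered = any(v != "OK" for v in verdicts.values())
    if not enforced and tampered:
        risk = "CRITICAL"  # unverified chain and evidence of tampering
    elif not enforced:
        risk = "HIGH"      # nothing verifies the chain; tampering would boot unnoticed
    elif tampered:
        risk = "HIGH"      # firmware should refuse these images, but investigate
    else:
        risk = "OK"
    return {"secure_boot": enforced, "verdicts": verdicts, "risk": risk}


def demo():
    """Constructed scenario: Secure Boot off, the Windows bootloader overwritten
    and a second loader dropped on the ESP. Image bytes are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        good = b"MZ" + b"\x00" * 62 + b"known-good bootmgfw"
        (boot / "bootmgfw.efi").write_bytes(good)
        baseline = {"EFI/Microsoft/Boot/bootmgfw.efi": hashlib.sha256(good).hexdigest()}
        # An attacker with OS-level admin rewrites the bootloader and adds its own.
        (boot / "bootmgfw.efi").write_bytes(good + b"\x90" * 16)
        (esp / "EFI" / "evil.efi").write_bytes(b"MZ" + b"\xcc" * 32)
        # efivarfs blobs: attributes 0x06 (BS|RT) little-endian, then one data byte.
        secureboot_off = bytes.fromhex("0600000000")
        setupmode_off = bytes.fromhex("0600000000")
        return assess(secureboot_off, setupmode_off, esp, baseline)


if __name__ == "__main__":
    result = demo()
    print("Secure Boot enforced:", result["secure_boot"])
    for rel, verdict in sorted(result["verdicts"].items()):
        print("  %-40s %s" % (rel, verdict))
    print("Risk:", result["risk"])
```

On a Linux host the two blobs come from `/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c`; on Windows, `Confirm-SecureBootUEFI` answers the same question. Two caveats: the baseline must be taken from a trusted golden image, not from the device under test, and a check run from inside the OS can itself be lied to by a firmware-resident implant, so TPM measurements (PCRs recorded during measured boot) or an offline dump of the SPI flash are the stronger evidence.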
A Decade of UEFI Bootkits
UEFI bootkits have been active in the wild for over a decade. Publicly documented examples, by year of disclosure, include LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021, with samples traced back to at least 2012), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023).
Sign of a Broader Issue
Firmware Security Issues
While Eclypsium's research looked only at the Illumina iSeq 100, the researchers believe many medical devices likely suffer from similar firmware security issues inherited from the hardware supply chain. Medical device vendors do not always build their device hardware themselves; they focus on their core area of expertise and outsource the rest of the development process, for example to original design manufacturers (ODMs) for the hardware and independent BIOS vendors (IBVs) for the firmware. Weaknesses in those suppliers' default configurations then ship in the finished device.
Conclusion
The exposure of medical devices to UEFI bootkits highlights the need for medical device vendors to prioritize firmware security and ensure that their devices are properly protected against these types of attacks. This includes enabling Secure Boot, keeping firmware up to date, and implementing other security measures to prevent malicious code from being inserted into the boot process.
FAQs
Q: What is a UEFI bootkit?
A: A UEFI bootkit is malware that lives in the boot chain, in the UEFI firmware itself or in the boot components it loads, so that it runs before the operating system. From there it can tamper with the OS kernel as it loads and take control of the device's operating system.
Q: How do UEFI bootkits work?
A: UEFI bootkits work by tampering with a component of the boot chain, for example by rewriting the bootloader on the EFI System Partition or, where the firmware can be written from the OS, by implanting code in the firmware itself. When Secure Boot is disabled nothing verifies those components, so the malicious code executes before the operating system kernel, underneath the OS's own defenses. A firmware-resident bootkit can survive an OS reinstall or even a disk replacement. This gives the attacker control of the device's operating system and potentially access to sensitive data.
Q: What are the consequences of a UEFI bootkit attack?
A: The consequences of a UEFI bootkit attack can be severe, including the theft of sensitive data, disruption of device functionality, and potentially even physical harm to patients.
Q: How can medical device vendors prevent UEFI bootkit attacks?
A: Medical device vendors can reduce the risk of UEFI bootkit attacks by enabling Secure Boot with a properly enrolled platform key (so the device does not ship in Setup Mode), keeping firmware and software up to date, protecting the firmware flash from being rewritten from the operating system, and conducting regular security testing and vulnerability assessments that cover the firmware and boot process, not just the application layer.
Q: What is the impact of UEFI bootkits on medical devices?
A: The impact is significant: a bootkit runs underneath the operating system and can compromise the safety and effectiveness of a medical device, putting patients at risk. That is why firmware security must be a priority for medical device vendors, not an afterthought.