The dominant firmware standard, UEFI, has unexplored attack surfaces, and the US government’s cybersecurity agency CISA is warning that this makes it an attractive target for malicious hackers.
UEFI is a crucial attack surface, and attackers have a distinct incentive to target UEFI software, the agency said in a call to action written by vulnerability management director Sandra Radesky and CISA technical advisor Jonathan Spring.
The agency warned that security flaws expose computer systems to covert, persistent attacks, and noted that UEFI code is made up of a variety of components (drivers, bootloaders, security and platform initializers, etc.).