Richard Hughes: Hunting UEFI Implants

Richard is the main person behind LVFS, so he’s aware of the state-of-the-industry, is suggesting that vendors do more to document their firmware security, to help consumers with their threat models and purchases. These security levels should probably be done in sync with CVE/OVAL updates, so the same metadata can be used elsewhere in the security ecosystem.

SCAP? Consumer Reports? Tom’s Hardware? Other PC reviewers: you’re not helping.

[…]What I propose we do is assign some core protections some weight, and then verify and document how each vendor is configuring each model. For instance, I might say that for my dads laptop any hardware “SEC1” and above is fine as he’s only using it for Facebook or YouTube and it needs to be inexpensive. For my personal laptop I would be happy to restrict my choice of models to anything SEC3 and above. If you’re working as a journalist under some corrupt government, or am a security researcher, only SEC4 and above would be suitable. The reality is that SEC4 is going to be several hundred dollars more expensive than some cheap imported no-name hardware that doesn’t even conform to SEC1.[…]

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s