Microsoft today announced (opens in new tab)a new security-related program, designed with its PC partners, to protect computer firmware against state-level and other sophisticated attacks.
The Secured-core PCs program requires device manufacturers and silicon vendors to meet a number of strict specifications that can guarantee that the firmware can’t be modified without proper authorization.
What are Secured-core PCs?
Secured-core PCs use identity, hardware, firmware protection and the OS itself to add another layer of security underneath the OS. They're designed so that firmware exploits are prevented altogether and not just detected.
The Secured-core PC requirements call for the ability to “boot securely, protect the device from firmware vulnerabilities, shield the OS from attacks, prevent unauthorized access to devices and data and ensure that identity and domain credentials are protected,” according to Microsoft.
They also enable IT admins to implement a “zero-trust network” that’s rooted in hardware. The zero-trust network focuses on maximizing device security and limiting enterprise user access to only what’s needed to do their jobs. The idea has been recently promoted publicly, as well as used internally by Google.
Secured-core PCs take advantage of hardware security features found in newer Intel, AMD and Qualcomm chip platforms and work with a new Windows Defender feature, called System Guard Secure Launch, to protect the boot process from firmware attacks. It also helps to protect virtualization-based security (VBS) implemented by the hypervisor from firmware compromise.
List of Secured-core PCs
The list of existing Secure-core PCs (opens in new tab) is quite limited right now, and all of the options presented by Microsoft on its site are laptops (opens in new tab)using Intel CPUs, which have recently had their own share of security problems.
Vendors that support the Secured-core PC program so far include HP, Dell and Lenovo. The majority costs $1,000 or more, but we may see more affordable options in the near future.
Here's the full list:
- Dell Latitude 5200 2-in-1
- Dell Latitude 7400 2-in-1
- Dynabook Portege X30-F, X40F and X50F
- HP Elite Dragonfly (opens in new tab)
- Lenovo ThinkPad X1 Yoga 4th Generation
- Lenovo ThinkPad X1 Carbon 7th Generation (opens in new tab)
- Pansonic Toughbook 55
- Surface Pro X for Business
Minimal Trust in PC Firmware
Microsoft said that the new requirements are based on the principles of minimal trust in PC firmware. They also follow other best security practices for isolation between the firmware and the operating system (OS). The Secured-core PCs primarily target professionals in industries handling highly sensitive data, such as financial services, government and healthcare.
In 2018, security researchers discovered that the AP28 cyberespionage group had been exploiting firmware flaws to target systems in the wild with malware. At the time, the researchers also noted that in three years, the firmware-based attacks increased five-fold.
Microsoft in its announcement noted that the National Vulnerability Database is showing an alarming rise in vulnerabilities found in the past few years, with the number of bugs continuing to grow. Windows 10 (opens in new tab) itself may be part of the problem, as previous reports have shown that the number of vulnerabilities in recent Windows versions has doubled compared to 2013 (opens in new tab).
Why Hackers Are Targeting Firmware Vulnerabilities
Because firmware has more direct access to hardware than an OS, it also has higher privileges than OSes. In other words, code written in the firmware can bypass most of the code written in the OS. Malicious parties who want to take advantage of this can undermine other security mechanisms, such as Secure Boot or features implemented by the hypervisor or the OS.
Firmware exploits are difficult to detect and remove, as the firmware malware could survive any attempts to clean up the PCs with antivirus tools and even OS reinstallations. This makes sense, considering that the hardware firmware lives at a layer beneath the OS, so actions performed on the OS don’t typically affect the firmware.