This blog post is the first in a series about my joint Black Hat research Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller (slides) with Alexandre Gazet, presented last week in Vegas. This REsearch took literally 5 months of our spare time digging into Embedded Controller security and the implementation of Intel BIOS Guard technology in Lenovo ThinkPad BIOS.

In this blog post, I will focus on a common architectural problem: the hardware design of an x86-based device does not tie the different hardware components across the platform into one unified threat model. Each component has its own threat model and attack surface…


Tons of research has already been presented about problems in the UEFI firmware ecosystem and how relatively easy it is to deliver and install an implant/rootkit. In this blog post, however, I want to focus on a classification of the vulnerabilities and attack vectors that open the doors of the BIOS to persistent infection. Note that the threat model shown in the following figure only covers flows related to UEFI firmware, whereas nowadays the scope of security issues for Intel ME and AMT is growing significantly. …


I was very interested in the recent discovery of the UEFI rootkit LoJax by ESET researchers. But after some analysis, I was surprised by the simplicity of the delivery/infection methods used by this rootkit. Basically, all the techniques used by LoJax have been known for years from past discoveries and presentations by BIOS researchers. LoJax also shares multiple techniques with the HackingTeam rkloader rootkit (an NTFS parser, and a file system injection technique that tracks EFI_EVENT_GROUP_READY_TO_BOOT). In this blog post I want to focus more on techniques for UEFI firmware exploitation from the OS (especially MS Windows 10).

A lot of people…


At the last Black Hat event in Vegas, I presented the first publicly known concept of an attack on a specific implementation of Intel Boot Guard (a technology that is mostly undocumented). While I worked on this research, one thought bothered me: the specification of a technology can be perfect, but the implementation is then handed to third parties, and maintaining a proper level of security at that stage is challenging. Intel Boot Guard is an excellent example of a complex technology with many places where a small mistake allows an attacker to bypass the whole technology…

Alex Matrosov

Embedded Security REsearcher with more than two decades of experience in offensive and defensive research. Author of “Rootkits and Bootkits” book (bootkits.io).
