LogoFAIL Vulnerability – Reflecting One Week Later

December 15, 2023

I came across this post on reddit by user asedlfkh20h38fhl2k3f:

“Due to increasing security vulnerabilities making it impossible to operate safely, we are reorganizing the way technology is used in our company. Moving forward, there will be no technology. Thank you for understanding.”

This quote, though sadly humorous, seems appropriate in the current world of cybercrime. It has now been a week since the LogoFAIL vulnerability was discovered, and named, by the cybersecurity firm Binarly.

What does this latest widely publicized threat mean? It means there will ALWAYS BE SOMETHING NEW: some risk vector no one thought of until it is discovered. It means that ongoing, active diligence is not going away in our lifetime, and likely not ever. This is not dreadful per se. We all have life insurance and car insurance, and any mature company has cyber insurance. From a public safety perspective, we all know there is a police department in every town and city because criminals will always be with us; cybercrime is no different. If there is one thing LogoFAIL is teaching us, it is to never be surprised, to stay forever vigilant, and to always be ready to act, because people are resourceful on both sides of the table.

So, what makes LogoFAIL different? This vulnerability does not target the operating system running on the victim computer. It targets the UEFI firmware, the code that runs before any bootloader or operating system and that, among other things, stores the manufacturer's logo displayed at startup. That logo file can be replaced with a malicious one, and the crafted image can give an intruder deep control of the operating system. This works because the logo is displayed at the very earliest step of the boot process, before the operating system loads and before boot protections such as Secure Boot and Intel's Boot Guard take effect. Once the firmware is compromised, typical endpoint security tools largely will not see anything wrong with the system.

LogoFAIL is extremely broad-based and does not target a specific manufacturer. Researchers estimated that this vulnerability exists in up to 95% of all PCs currently in use. Computers from Intel, Acer, HP, Lenovo, and many others are at risk. In fact, essentially all major computer manufacturers are affected, except Dell, whose BIOS is uniquely different.

To exploit the vulnerability, an attacker needs local administrator access, often gained through a browser exploit. With that access, the attacker writes the modified image to the designated partition and reboots the system, which replaces the factory logo with the malicious one. Acquiring this level of access is not a significant hurdle for a proficient attacker and is commonly accomplished. Once installed, the compromised system will appear normal, and even reinstalling the operating system will not help, since the compromise lives below the operating system.
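The replacement step described above suggests a simple defender-side check. The following is an added example, not Binarly's code or anything from the original post: it inventories image files on a mounted EFI System Partition by magic bytes rather than extension, hashes them, and compares the result against a baseline captured on a known-good system. The ESP mount path, the `EFI/OEM/logo.bmp` location and the sample bytes are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Magic bytes of the image formats UEFI boot-logo parsers commonly accept.
IMAGE_MAGIC = {b"BM": "bmp", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF8": "gif", b"\xff\xd8\xff": "jpeg"}

def image_kind(path):
    """Identify an image by magic bytes (not by extension); None if not an image."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory_images(esp_root):
    """Map every image file under the mounted ESP to its SHA-256 digest."""
    found = {}
    for p in Path(esp_root).rglob("*"):
        if p.is_file() and image_kind(p):
            found[p.relative_to(esp_root).as_posix()] = sha256_file(p)
    return found

def compare_to_baseline(current, baseline):
    """Report image files that are new, changed, or gone relative to a trusted baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo_scan():
    """Constructed sample: a fake ESP whose logo is swapped and an extra image dropped in."""
    with tempfile.TemporaryDirectory() as esp:
        logo = Path(esp) / "EFI" / "OEM" / "logo.bmp"   # assumed logo location
        logo.parent.mkdir(parents=True)
        logo.write_bytes(b"BM" + b"\x00" * 30)            # placeholder bytes, not a real logo
        baseline = inventory_images(esp)                   # snapshot from the known-good state
        logo.write_bytes(b"BM" + b"\x01" * 30)            # logo replaced, as in the attack above
        (logo.parent / "extra.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        return compare_to_baseline(inventory_images(esp), baseline)
```

Capture the baseline with inventory_images on the mounted ESP of a freshly provisioned machine and rescan on a schedule; anything reported as new or modified deserves a look, while the vendor firmware update that fixes the image parsers remains the actual fix.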

For a deeper technical dive, go to the source and read the press release from Binarly, or the slides presenting LogoFAIL to the world at Black Hat Europe 2023.

In summary, LogoFAIL is proof that the machine on your desk can never be safe. Death, taxes and cyber incidents are here to stay – act accordingly.
