UEFI Rootkits among CIA hacking tools revealed by Wikileaks

The recent release of a trove of CIA hacking secrets by the whistle-blower site Wikileaks has left security teams scrambling to work through the material and determine just what is vulnerable and what isn't. That will take time given the massive scope of the data, which covers everything from Smart TVs turned into surveillance devices to tools aimed at compromising the ubiquitous iOS and Android operating systems.
The Wikileaks documents allege that the CIA's Embedded Development Branch (EDB) developed two OS X-specific tools, DerStarke and DarkMatter, that use UEFI exploits to implant malware in a machine's firmware.
Many modern PCs and laptops use UEFI (Unified Extensible Firmware Interface) firmware, the replacement for the old BIOS. UEFI rootkits are especially dangerous because they live in the firmware rather than on disk, so they survive a disk wipe and OS reinstallation and can reinfect the freshly installed OS kernel on every boot. Firmware updates typically require user interaction, unlike antivirus updates, which are mostly automatic. Unfortunately the average consumer has little knowledge of UEFI/BIOS and does not know how to update it, so a UEFI vulnerability can remain in a system for the life of the machine.
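The practical check against this class of rootkit is to dump the firmware and compare it with a known-good copy, since nothing on disk can tell you whether the firmware has been tampered with. As an added example (not code from the leak or from any of the tools it describes), the following Python locates the firmware volumes that make up a UEFI image, validates each EFI_FIRMWARE_VOLUME_HEADER checksum, and compares every volume's SHA-256 against a baseline. The header layout, signature and FFSv2 GUID are those of the UEFI Platform Initialization spec; the flash image, volume contents and baseline are constructed in the script rather than dumped from real hardware.

```python
"""Find the firmware volumes inside a UEFI flash image, validate each
EFI_FIRMWARE_VOLUME_HEADER checksum and compare every volume's SHA-256
with a known-good baseline. Added example: the image is constructed here,
not dumped from real hardware."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"      # EFI_FIRMWARE_VOLUME_HEADER.Signature, little-endian 0x4856465F
SIG_OFFSET = 40             # ZeroVector[16] + FileSystemGuid[16] + FvLength[8]
FIXED_HEADER_LEN = 56       # header fields that precede the BlockMap array
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def header_checksum_ok(header: bytes) -> bool:
    """Per the PI spec the 16-bit words of the header sum to zero mod 2**16."""
    if len(header) % 2:
        return False
    return sum(struct.unpack("<%dH" % (len(header) // 2), header)) & 0xFFFF == 0


def find_firmware_volumes(image: bytes):
    """Yield (offset, fv_length, header_ok) for each '_FVH' signature found."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FIXED_HEADER_LEN <= len(image):
            fv_len, = struct.unpack_from("<Q", image, start + 32)   # FvLength
            hdr_len, = struct.unpack_from("<H", image, start + 48)  # HeaderLength
            ok = (FIXED_HEADER_LEN <= hdr_len <= fv_len
                  and start + fv_len <= len(image)
                  and header_checksum_ok(image[start:start + hdr_len]))
            yield start, fv_len, ok
        pos = image.find(FV_SIGNATURE, pos + 1)


def audit_image(image: bytes, baseline: dict) -> dict:
    """Map each volume offset to 'ok', 'modified', 'unknown' or 'bad-header'.

    A rootkit that patches a DXE driver will recompute the header checksum,
    so only the hash comparison against a trusted baseline catches it."""
    verdicts = {}
    for start, fv_len, ok in find_firmware_volumes(image):
        if not ok:
            verdicts[start] = "bad-header"
            continue
        digest = hashlib.sha256(image[start:start + fv_len]).hexdigest()
        expected = baseline.get(start)
        if expected is None:
            verdicts[start] = "unknown"
        else:
            verdicts[start] = "ok" if expected == digest else "modified"
    return verdicts


def build_volume(body: bytes, block_size: int = 0x1000) -> bytes:
    """Constructed FFSv2 volume: spec-layout header, body, 0xFF padding."""
    hdr_len = FIXED_HEADER_LEN + 8 * 2          # one block-map entry plus terminator
    total = hdr_len + len(body)
    total += (-total) % block_size               # volumes span whole erase blocks

    def pack(checksum: int) -> bytes:
        return (b"\x00" * 16 + FFS2_GUID.bytes_le
                + struct.pack("<QIIHHHBB", total, 0x4856465F, 0x0004FEFF,
                              hdr_len, checksum, 0, 0, 2)
                + struct.pack("<IIII", total // block_size, block_size, 0, 0))

    words = struct.unpack("<%dH" % (hdr_len // 2), pack(0))
    header = pack((-sum(words)) & 0xFFFF)        # make the header words sum to zero
    return header + body + b"\xff" * (total - hdr_len - len(body))


def build_sample_image():
    """Constructed flash image with two volumes; returns (image, baseline)."""
    pei = build_volume(b"PEI core and PEIMs " * 10)
    dxe = build_volume(b"DXE core and drivers " * 40)
    image = b"\xff" * 0x200 + pei + b"\xff" * 0x100 + dxe   # PEI at 0x200, DXE at 0x1300
    baseline = {0x200: hashlib.sha256(pei).hexdigest(),
                0x1300: hashlib.sha256(dxe).hexdigest()}
    return image, baseline


if __name__ == "__main__":
    image, baseline = build_sample_image()
    print("clean image:", audit_image(image, baseline))
    # Simulate an implant patching one byte inside the DXE volume's body.
    tampered = bytearray(image)
    tampered[0x1300 + 72 + 5] ^= 0xFF
    print("patched DXE:", audit_image(bytes(tampered), baseline))
```

In practice the image comes from a flash dump taken with an external programmer or a tool such as chipsec or flashrom, and the baseline from the vendor's own update image for that exact model and version; a firmware that is already compromised can misreport its version or contents when asked from inside the running OS, which is why the comparison is done on the raw dump rather than on anything the system reports about itself.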