The industry association UEFI Forum has reacted to the numerous demonstrated vulnerabilities in the UEFI BIOS by establishing a UEFI Security Response Team (USRT). Dick Wilkins, who works for the firmware manufacturer Phoenix, is leading the team.
The USRT is supposed to be the primary contact for white hat hackers finding vulnerabilities. An e-mail address with a corresponding PGP key is also provided to facilitate reporting of vulnerabilities.
The UEFI Security Response Team is organized as a subcommittee of the UEFI Board, but won´t be an independent working group. The USRT is supposed to improve the reputation of the UEFI BIOS, which has been criticised by Google and others for being highly insecure.
UEFI Security Response Team (USRT) to be backed by IT-giants
It will be backed by Apple, Microsoft, Intel, AMD, ARM, ARM, Dell, Lenovo, HP, Red Hat, and the UEFI suppliers AMI, Insyde and Phoenix. Currently, Google is using UEFI alternatives such as Coreboot/Libreboot or NERF.
Twice a year, the UEFI Forum organizes meetings called Plugfests. Security has been playing a major role in recent years with many lectures addressing previously uncovered security gaps and providing guidance on programming of secure firmware functions.
In comparison to classic proprietary BIOS code from suppliers like AMI, Award, Phoenix od Insyde, modern UEFI-implementations are based on the open Tianocore EDK II framework. As a result, bugs and vulnerabilities of EDK II are inheriteted by practically UEFI variants, which make them an attractive target for hackers.
On top of this, UEFI is still suffering from defined protective functions which are left out in many implementations. The UEFI Forum and the UEFI Security Response Team (USRT) are expected to improve the overall security of UEFI in the future.
