What Is UEFI And How Does It Keep You More Secure?
When you first start up your computer, you’ll see a bunch of text scrolling past on the screen. Most people just ignore this and wait for the Windows login screen to appear. But if you ever need to do troubleshooting or to tweak some settings on your computer, there’s a really useful tool you can access from here called UEFI.
What Is UEFI?
UEFI is a type of firmware that comes with your motherboard. It’s what prepares your system to boot up your operating system, such as Windows. UEFI is a more modern version of an older piece of firmware called BIOS.
To enter UEFI, you hit a designated button on your keyboard while your system is booting up. Which button depends on your hardware, but it’s typically Esc, F2, F10, or Delete. Look in the text that appears on screen when your computer powers on to see which your system requires.
When you hit that button, instead of booting straight into your operating system, your computer will open UEFI. From here, you can make changes to your system such as determining the boot order . That means you can select whether you want your computer to boot from a hard drive, an SSD, or an optical drive first.
You can also make other changes like adjusting the speed of your fans or overclocking your processor . UEFI is very handy for troubleshooting as you can see what hardware is connected to your system. Even if your operating system is corrupted, you can still use UEFI to access your computer.
What’s the Difference Between UEFI and BIOS?
If you’ve used older computers, you might have seen an earlier firmware than UEFI, called BIOS. Like UEFI, BIOS is software which lives on your motherboard and helps prepare your system to boot up its operating system. Also like UEFI, you can use BIOS to make changes to your computer like tweaking the fan speeds or changing the system time and date.
There are some key differences between the two though. The first difference you’ll notice is visual. BIOS is very visually simple, using only a few colors and no graphics. It also doesn’t support the use of a mouse, so you need to use a keyboard to navigate and make changes. UEFI, on the other hand, is more graphically sophisticated with images and many colors, and can be controlled by both keyboard and mouse.
BIOS is also more basic in its functions than UEFI. In BIOS, you can change essential settings of your system like device boot order. In UEFI, you can do much more. UEFI can support functions like remote diagnostics and calibration of fan curves.
It even supports automatic overclocking wizards where you just add information about your processor, select your cooling components, and it will set an overclock for you.
Overall, UEFI is more user-friendly than BIOS. It also generally boots faster, so you won’t have to wait so long for your PC to be ready to use when you turn it on.
Is UEFI More Secure Than BIOS?
That brings us to the big question: Is UEFI more secure than BIOS? In general, the answer is yes, due to a function called Secure Boot.
Secure Boot is a part of UEFI which restricts which type of applications can be used at boot to those which are signed. This is a helpful and generally flexible security measure to stop malicious code being run on your machine.
Basically, it stops the machine from booting up an operating system unless it has a recognized key. A recognized key is one that shows where the operating system has come from and ensures that it’s trusted. This means that Secure Boot stops malware from interfering with your computer’s boot process.
Secure Boot was required to be supported in order for a PC to be certified as Windows 8 compatible. So there was a lot of interest focused on the Secure Boot feature when Windows 8 was released in 2012.
This caused a lot of controversy when it was first announced. People thought that UEFI was Microsoft software (it’s not) and that UEFI would prevent users from loading other operating systems like Linux (it doesn’t).
At first, there were real concerns about how Secure Boot could interfere with the installation of Linux systems. But Linux distributions have found ways to work with Secure Boot, and now Ubuntu, Fedora, Red Hat Enterprise Linux, and openSUSE all support Secure Boot without any problems.
UEFI Does Have Security Risks
Unfortunately, no piece of software is free for security threats; the same is true for UEFI. Hackers have targeted UEFI with malware in the past.
One example was detailed in a report by ESET Research in 2018. There is a piece of malware called Sednit, or also known as APT28, Sofacy, Strontium, or Fancy Bear, which has been around since at least 2004. And there’s another trojan built to attack anti-theft software called LoJack, which is called LoJax. When used together, Sednit and LoJax can target UEFI and BIOS. These tools can spy on UEFI firmware and in some cases could even overwrite system memory. That allows hackers to install a malicious version of UEFI so they can access the system and spy on the contents or make changes.
The scary thing about this hack is that it continues to work even if Windows is re-installed. Because it attacks the UEFI instead of the operating system, it can’t be removed by wiping Windows. It can even survive having a system’s hard drive replaced. This is because the malware lives on the motherboard and not on the hard drive.
Malware which targets UEFI is not only hard to remove, it’s also hard to spot. Users may have no idea that their systems have been infected. Although attacks on UEFI are relatively rare, it’s worth being aware that they can happen.
Learn More About UEFI and BIOS
Despite some controversies related to its use in Windows 8, UEFI is a more useful and more secure alternative to BIOS. Through the Secure Boot function you can ensure that only approved operating systems can run on your machine. However, there are some security vulnerabilities which can still affect UEFI.
We’ve only scratched the surface here of all the things that you can do with UEFI and BIOS. To learn more about how to access BIOS and how to use it, see our guide on how to enter the BIOS on Windows 10 and earlier versions of Windows too.