Microsoft has revealed its new ‘Secured-core PC’ feature, which will boost the security of Windows PCs by protecting the firmware they run on from potential attacks by hackers.
While anti-virus software can do a good job of protecting your software once Windows loads, an increasing number of malware attacks are targeting the firmware (BIOS or UEFI, depending on the age of the PC). Such attacks can infect the PC and give hackers access to its hardware before Windows even loads.
This can be particularly nasty, as it makes detecting the virus incredibly hard for traditional anti-virus software, and it also means that reinstalling Windows and wiping the hard drive won’t necessarily rid the PC of the malware.
This threat has been steadily increasing; Microsoft explains that these firmware attacks have increased five-fold over the past three years, and are such a problem that it has teamed up with the likes of AMD, Intel, Qualcomm and device makers to create the Secured-core PC initiative.
“Recent developments in security research and real-world attacks demonstrate that as more protections are proactively built into the OS and in connected services, attackers are looking for other avenues of exploitation with firmware emerging as a top target,” explains Microsoft in a blog post about Secured-core PC.
What the Secured-core PC initiative does
The Secured-core PC initiative is essentially a set of device requirements that products such as laptops and desktop PCs running Windows 10 will need to meet to be branded as Secured-core PCs.
These requirements include advanced security best practices of “isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system”.
Devices that meet the Secured-core PC certification will combine identity, virtualization, operating system, hardware and firmware protection that runs underneath the operating system. This protection will run alongside traditional anti-virus software, such as Windows Defender, and will allow Windows 10 to boot securely, so people with Secured-core PCs can use their devices safe in the knowledge that they’ve not been compromised.
As Microsoft points out, “unlike software-only security solutions, Secured-core PCs are designed to prevent these kinds of attacks rather than simply detecting them.”
While regular users will appreciate this extra level of protection, it looks like Secured-core PCs will initially be aimed at professionals who work with sensitive data, in the health or financial industries for example.
Some of Microsoft’s inspiration for Secured-core PCs comes from a rather surprising source – its Xbox console. According to Dave Weston, the partner director of Windows security at Microsoft, “Xbox has a very advanced threat model because we don't trust the user even in physical possession of the device.”
That sounds pretty harsh, but it essentially means Microsoft doesn’t want Xbox owners hacking their consoles and playing pirated games. “We took our own learnings and worked with silicon vendors to develop a strategy to deal with advanced threats,” Weston told ZDNet.
Microsoft has also created a webpage with more information about the range of Secured-core PCs that are already available from the likes of Lenovo and Panasonic, and it’s well worth visiting.
One thing to note is that this goes further than Microsoft’s previous attempt to secure Windows PCs’ firmware, known as Secure Boot, which was introduced with Windows 8. Secure Boot was criticized at the time because it locked down the UEFI, and made it difficult – if not impossible – to install an alternative operating system on the device, such as Linux.
We imagine that Secured-core PCs will also make life difficult for anyone who wants to replace Windows with something else.
For many people, however, that could be a price worth paying for better security.