Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Demo BIOS Attack That Survives Disk Wipes

Posted by CmdrTaco on from the can't-believe-it-took-this-long dept.

suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."

17 of 396 comments (clear)

  1. Fatal flaw: No BIOS reset by davidwr · · Score: 5, Insightful

    If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.

    If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Fatal flaw: No BIOS reset by wastedlife · · Score: 5, Insightful

      This is why there should always be 2 copies of the BIOS. One that is physically read-only and contains the BIOS as shipped. And another writable one that can be disabled with a jumper. If your BIOS is corrupted or hijacked, you could always go back to the backup BIOS and restore.

      An alternative would be replaceable BIOS chips like the ones from the days before writable BIOS. If a customer gets a BIOS corruption or virus, they could call and order a replacement and not have to buy a whole new mobo. That would also be a good way to distribute BIOS updates to people afraid of bricking their system.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
    2. Re:Fatal flaw: No BIOS reset by wastedlife · · Score: 3, Insightful

      Probably most customers didn't care about the feature compared to what it cost to implement. I do wish this was standard though.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
    3. Re:Fatal flaw: No BIOS reset by Lost+Race · · Score: 2, Insightful

      Or a friggin' write-protect jumper on the flash, which is actually present in the PCB wiring of most motherboards but 99% of the time the manufacturer is too cheap to solder on the pins. Actually it's not the 1 cent manufacturing cost they save but the zillions of tech support calls from clueless users desperate to reflash their BIOS (usually for no good reason) but unable to locate the WP jumper with both hands and a map.

      Hardware flash WP has been high on my list of mobo spec priorities for years but it's nearly impossible to find, since that's not an advertising bullet on the spec sheet. This is huge for systems that play different roles with interchangeable cold-swap system drives. If I'm running an untrusted sandbox system on a scratch drive and some malware silently infects the flash BIOS, that system is now untrustable even with a system drive swap, which totally sucks in testing/development labs. If I could just set a jumper and permanently write-protect the BIOS that problem would go away.

  2. Re:Requires root privileges or physical access by IsThisNickTaken · · Score: 2, Insightful

    I think the point is that once this happens that you cannot fix it by reflashing the BIOS.

  3. Re:I guess it's official. by Anonymous Coward · · Score: 5, Insightful

    We've had evil viruses around for a while. Anyone remember

    W95.CIH? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.

    Computers are still chugging along fine. This will probably end up breaking more computers than it ends up hijacking. A broken computer is one that gets flagged and fixed or throw away.

  4. Re:No surprise by jellomizer · · Score: 3, Insightful

    Them Old Time Viruses ran with a lot less then what modern BIOS have, so I wouldn't focus to much on size to save us.
    When the Virus initially runs it is probably in the Hard Drive to the RAM which can can fit a LOT of configurations to break into a lot of BIOS manufactures.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Re:Requires root privileges or physical access by wvmarle · · Score: 5, Insightful

    Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.

    It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.

  6. Re:Requires root privileges or physical access by kinnell · · Score: 4, Insightful

    (although I couldn't see how it can survive a re-flashing.)

    Presumably reflashing the BIOS is normally performed by code within the BIOS. If you can corrupt the code in the BIOS you would have control over the flash programming, so could prevent the user from overwriting the infected blocks. I doubt this refers to physically removing the PROM and reflashing with an external programmer.

    --
    If I seem short sighted, it is because I stand on the shoulders of midgets
  7. Re:Tsarkon Reports Obama bent on bankrupting USA by Bert64 · · Score: 2, Insightful

    Does anyone use EFI outside of Apple and IA64 based machines?
    Microsoft don't support EFI, even tho Vista promised support for it... EFI is really only of benefit to run OSX or possibly Linux.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Re:Requires root privileges or physical access by sjames · · Score: 2, Insightful

    Because adding that useful safety feature might cost a WHOLE NICKLE!!

    Similarly, I have seen a number of chipsets where the top and second from top erase blocks can be swapped just by pulling a logic line down (with a jumper for example). The idea is that even a screwed up re-flash of the boot block can be recovered easily just by setting a jumper.

    Too bad I have NEVER seen a board that actually hooked that line up nor a BIOS image that had a second emergency boot sector programmed.

  9. And the NSA hasn't been doing this for years? by MarkvW · · Score: 2, Insightful

    You're being watched . . .

  10. Exercise your warranty by davidwr · · Score: 2, Insightful

    The fact that this was allowed to happen is clearly a defect in design, materials, or workmanship.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  11. Re:Intel only? by Zebedeu · · Score: 3, Insightful

    Better question is what typeof BIOS?

    Your many hours of programming C/C++ betray you :-)

  12. This depends on the BIOS of the machine by hesaigo999ca · · Score: 1, Insightful

    It all depends on the BIOS of the machine, which is not supposed to be able to be accessed while operation of the OS, some of the newer ones might, but early 2000 we saw some machines coming out with BIOS that was not reachable by the OS, only when you booted from disk, that was the only time you could do a firmware upgrade, I blame the community for pushing to have everything "easy"...is it not easier to be able to update the BOIS, from inside the OS... I say no, it is not a task you should be doing so easily anyways, flashing a BIOS is last measure, and updating the BIOS, (especially if you can easily brick a computer) is not something to be done often.

  13. Re:Intel only? by mikiN · · Score: 2, Insightful

    I wonder how many mainboards are out there which have their Flash write protect disabled straight from the factory. Many people probably don't even know their system has one ("Jumper, whaddoyoumean jumper. I know that movie, but that's probably not it."). Shudder...

    --
    The Hacker's Guide To The Kernel: Don't panic()!
  14. Re:super-pwned by Bent+Mind · · Score: 2, Insightful

    Every motherboard I've ever worked with either had a BIOS reset jumper or the CMOS battery was removable.

    You've never worked on a laptop.

    --
    Request a Linux Shockwave player here: http://www.macromedia.com/support/email/wishform/