Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Industry Incapable of Finding Firmware Attackers

Posted by Unknown on from the just-use-coreboot dept.

New submitter BIOS4breakfast writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is: when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?"

8 of 94 comments (clear)

  1. Re:Least interest by EdZ · · Score: 3, Interesting

    What you CAN do is exploit an otherwise secure OS so that you CAN do those things in spite of OS-level security methods.

    I miss the days of needing a move a jumper in order to flash the system ROM. I've seen plenty of gaudy 'overlocking' boards with push-buttons on the motherboard itself for various esoteric functions. A toggle-switch for BIOS-write-enable would be a relatively cheap addition, and manufacturers can market the board with some extra security buzzwords.

  2. Use a jumper by techno-vampire · · Score: 3, Funny

    I can remember when there was a jumper on the motherboard that had to be shifted before it was possible to flash the firmware. If all motherboards had that, the only way an attacker could get malware into the BIOS (or whatever other firmware they wanted to target) would be by tricking the user into changing the jumper. Not only that, many of the users who'd be foolish enough to fall for that kind of trick wouldn't have the confidence to open up their box and play with the hardware. Not all, of course, but then, no security measure is 100% effective.

    --
    Good, inexpensive web hosting
  3. Re:Least interest by Anonymous Coward · · Score: 4, Informative

    Nice try, but it runs in ring 0, so it can jump into the kernel anywhere it wants.

  4. But you can and it's useful by dutchwhizzman · · Score: 4, Insightful


    Most bioses now have a complete TCP/IP stack for things like ipmi. Keylogging only requires a few simple routines to do as well; plenty of room to implement that in current flash chips on main boards.

    Hiding in firmware makes you resilient and virtually undetectable on the "normal storage". A rudimentary base to pull next stage software in that will "bootstrap" the full malware once the OS installed is all that is needed. The full malware can be fragmented and re-use existing binaries so it won't be detected. You need a trusted platform and guaranteed "safe" steps to be able to reasonably trust your computer and when firmware contains holes or malicious code, there are plenty of people that don't work for the NSA that can actually build a competent attack for that.

    --
    I was promised a flying car. Where is my flying car?
  5. Attacks on UEFI... by Obfuscant · · Score: 3, Informative

    Would that include "attacks" that allow OSs other than the officially state-approved and certificate-signed ones to be booted. Like that hacker-prone and highly illegal "Linux" thing I've been hearing about? I'm glad that researchers are protecting us against such flim-flammery and obviously dangerous stuff.

  6. Re:Duh, what should we do? by jc42 · · Score: 3, Interesting

    You know who reviews open source code seriously? Fucking nobody.

    Oh, I dunno 'bout dat. I recall a few years ago, getting an informative email from one of djb's folks, telling me how to exploit an open-source program that I was using in the software behind a web site that I was responsible for. I ran their test, dug into the code and fixed the problem (and several similar problems in other parts of the code), and sent them a nice letter thanking them for their help. I also forwarded their email and my patches to the author of the program, but I didn't hear back from him.

    This only fails to qualify as "seriously" if you dismiss all of academia as not serious. In reality, that's where you'll find most of the people who take security seriously. You don't much find them in "industry" (as the summary puts it), for management reasons that are well-understood by pretty much anyone who has ever tried to get security problems fixed in a corporate-management environment.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  7. Re:Least interest by rtb61 · · Score: 4, Insightful

    Which means basically when they start intercepting hardware between the manufacturer and the user, security becomes an impossible mind fuck. Once it all shifted to firmware and hardware hacks the security game is over. Parallel networks where the inside network is fully air gapped from outside networks and the building itself is secured from wireless communications. Basically all internet function are done on disposable net books, this more for typical businesses rather than internet business. Apparently Russian security has gone back to typewriters and hard copy for the most secure documents, actual physical penetration is required. With the NSA continuing to fuck around with security, how long will it be before banks go back to manual systems and internet banking becomes a memory.

    --
    Chaos - everything, everywhere, everywhen
  8. Re:Least interest by icebike · · Score: 3, Funny

    Have you seen newer motherboards? They have 16mb+ of flash for the BIOS.
    Oodles of room to do fun stuff in.

    And they are all infested with UEFI, the worst malware foisted upon the general public in decades.

    --
    Sig Battery depleted. Reverting to safe mode.