Slashdot Mirror

← Back to Stories (view on slashdot.org)

Persistent BIOS Rootkit Implant To Debut At CanSecWest

Posted by timothy on from the deep-in-the-tunnels dept.

msm1267 writes Research on new BIOS vulnerabilities and a working rootkit implant will be presented on Friday at the annual CanSecWest security conference. An attacker with existing remote access on a compromised computer can use the implant to turn down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed. The devious part of the exploit is that the researchers have found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure and privacy focused operating systems such as Tails in the line of fire of the implant.

Their implant, the researchers said, is able to scrape the secret PGP key Tails uses for encrypted communication, for example. It can also steal passwords and encrypted communication. The implant survives OS re-installation and even Tails' built-in protections, including its capability of wiping RAM.

8 of 120 comments (clear)

  1. We desperately need unflashable firmwares by Anonymous Coward · · Score: 5, Insightful

    I'm afraid of plugging my USB drives around, I'm using a fairly obscure UEFI/BIOS on my main computer in hopes that nobody has bothered to write an exploit for it yet.

    But what I'd really like to see is a hardware protection against flashing. On USB, on hard drives, on the motherboard, on anything that could possibly be flashed. And no, cryptographically signed updates aren't going to cut it. It's more than feasibly to steal or crack weak keys.

    1. Re:We desperately need unflashable firmwares by TheReaperD · · Score: 5, Insightful

      What's infuriating is that USB drives used to come with hardware write switches and now you can't find them anywhere. And motherboards used to require you to move a jumper to flash the BIOS but, those are gone too. I don't know if it was cost cutting or a case of user stupidity or both but, the hardware write switch has faded into history. I'm fine with the being in a default-write setup as long as they had the option to cut it off.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
  2. Re:Socketed Firmware Here We Come by Anonymous Coward · · Score: 1, Insightful

    That's not new. Strictly speaking, you cannot trust anything. And less strictly, the same. People have been saying this since the 80's (or before, i'm not old enough to know that), and are usually called paranoia.

    There are so many places malicious hard- and software can hide. So, unless you built your own computer with discrete components, and wrote your own software, there is almost no way you can verify everything.

    BIOS malware is nothing new. We also seen that malware can hide at places you'd normally not expect: your hard disks' firmware or usb interfaces. Software-wise there's the old 'can you trust your compiler' and related questions. Verifying software on any network-connected computer would even be harder.

    There's only 1 real solution to this problem: consider every computer as compromised. If you want it to be secure, your best bets are pen an paper, or a face-to-face meeting at a rock concert. It's a very annoying concept to consider each and every computer as compromised, but once you get used to it it's a great mental relief.

    Disclaimer: i'm not saying you should forget about applying any computer security (like running a real OS, update, verify, make your BIOS read-only by hardware jumper, etc etc etc). I'm just saying that despite all best effort, principally you should still consider each and every computer compromised.

  3. Re:Socketed Firmware Here We Come by Anonymous Coward · · Score: 0, Insightful

    What a stupid thing to say. You've gone nuts from living in the Slashderp bubble.

  4. Re:Socketed Firmware Here We Come by ArcadeMan · · Score: 3, Insightful

    You can't rootkit the boot ROM of early 8-bit computers. A simple power cycle and your computer is 100% clean.

    --
    Get free satoshi (Bitcoin) and Dogecoins
  5. Re:Socketed Firmware Here We Come by gclef · · Score: 4, Insightful

    Yeah, but it immensely complicates incident recovery. Rebuilding a compromised system isn't enough if you can't trust the BIOS anymore. It's only a matter of time before the compromised BIOS' adapt to re-compromise the new BIOS as it's written, so re-flashing the BIOS of a compromised computer isn't a good long-term fix.

    Does this make a compromised computer basically a paperweight? That's going to turn IT into a really expensive scene really quickly.

  6. Unfortunate consequence of UEFI by dtjohnson · · Score: 5, Insightful

    The Unified Extensible Firmware Interface (UEFI) provides a new platform for malware to execute independently of the OS. There are now UEFI applications, UEFI variables that can store non-volatile data that can be shared between firmware and the OS, EFI system partition, etc. All of these things open gaping security holes into any UEFI system. Systems with the old BIOS and a write jumper on the motherboard were too secure. We don't have that problem any longer...

  7. Re:Socketed Firmware Here We Come by TheGratefulNet · · Score: 3, Insightful

    more than that, we need open source bios, and full disclosure of ALL info about intel and amd chips.

    lets just say, there are rumors about intel holding back design docs (so called 'yellow books') and you won't know ALL there is to know about your computer unless you get inside info about hidden cpu modes and such.

    the chain of trust has so many broken links, we'd have to reinvent computers from the ground up, at this point, to be truly secure. sucks, huh?

    --

    --
    "It is now safe to switch off your computer."