Slashdot Mirror

← Back to Stories (view on slashdot.org)

Persistent BIOS Rootkit Implant To Debut At CanSecWest

Posted by timothy on from the deep-in-the-tunnels dept.

msm1267 writes Research on new BIOS vulnerabilities and a working rootkit implant will be presented on Friday at the annual CanSecWest security conference. An attacker with existing remote access on a compromised computer can use the implant to turn down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed. The devious part of the exploit is that the researchers have found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure and privacy focused operating systems such as Tails in the line of fire of the implant.

Their implant, the researchers said, is able to scrape the secret PGP key Tails uses for encrypted communication, for example. It can also steal passwords and encrypted communication. The implant survives OS re-installation and even Tails' built-in protections, including its capability of wiping RAM.

21 of 120 comments (clear)

  1. Socketed Firmware Here We Come by BoRegardless · · Score: 3, Interesting

    It's getting to where you don't trust ANYTHING.

    1. Re:Socketed Firmware Here We Come by Kkloe · · Score: 2

      thats is if you ever believed that computer were 100% secure

    2. Re:Socketed Firmware Here We Come by courteaudotbiz · · Score: 3, Informative

      If you read TFA, it says the attacker has to already have access to the remote computer to root the system, so being cautious in the first place should be OK, or at least sandboxing your hazardous activities in a VM could do the trick.

    3. Re:Socketed Firmware Here We Come by ArcadeMan · · Score: 3, Insightful

      You can't rootkit the boot ROM of early 8-bit computers. A simple power cycle and your computer is 100% clean.

      --
      Get free satoshi (Bitcoin) and Dogecoins
    4. Re:Socketed Firmware Here We Come by gclef · · Score: 4, Insightful

      Yeah, but it immensely complicates incident recovery. Rebuilding a compromised system isn't enough if you can't trust the BIOS anymore. It's only a matter of time before the compromised BIOS' adapt to re-compromise the new BIOS as it's written, so re-flashing the BIOS of a compromised computer isn't a good long-term fix.

      Does this make a compromised computer basically a paperweight? That's going to turn IT into a really expensive scene really quickly.

    5. Re:Socketed Firmware Here We Come by Holi · · Score: 2

      Let me grab my latest hacking tool.

      "Hey, can you hand me that wrench"

      "Now, where were we, oh yeah, which is your favorite knee again?"

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    6. Re:Socketed Firmware Here We Come by courteaudotbiz · · Score: 2

      I think "safe browsing" depends on your paranoia level. You can always be more paranoid, but until I see this BIOS flashing attack grow to a large scale, browsing to serious, public, common websites seems to be still pretty safe. If you think you can be targeted by GCHQ/NSA-esque organisations, then you can increase your paranoia level.

    7. Re:Socketed Firmware Here We Come by TheGratefulNet · · Score: 3, Insightful

      more than that, we need open source bios, and full disclosure of ALL info about intel and amd chips.

      lets just say, there are rumors about intel holding back design docs (so called 'yellow books') and you won't know ALL there is to know about your computer unless you get inside info about hidden cpu modes and such.

      the chain of trust has so many broken links, we'd have to reinvent computers from the ground up, at this point, to be truly secure. sucks, huh?

      --

      --
      "It is now safe to switch off your computer."
  2. We desperately need unflashable firmwares by Anonymous Coward · · Score: 5, Insightful

    I'm afraid of plugging my USB drives around, I'm using a fairly obscure UEFI/BIOS on my main computer in hopes that nobody has bothered to write an exploit for it yet.

    But what I'd really like to see is a hardware protection against flashing. On USB, on hard drives, on the motherboard, on anything that could possibly be flashed. And no, cryptographically signed updates aren't going to cut it. It's more than feasibly to steal or crack weak keys.

    1. Re:We desperately need unflashable firmwares by jeffb+(2.718) · · Score: 4, Interesting

      This. Even if you can't stand to mar your product's sleek lines with a ghastly physical switch, would it be that hard to put a reed switch somewhere along the periphery of the device, so that nobody can flash the firmware unless you first put the Big Honking Update Magnet next to it?

    2. Re:We desperately need unflashable firmwares by TheReaperD · · Score: 5, Insightful

      What's infuriating is that USB drives used to come with hardware write switches and now you can't find them anywhere. And motherboards used to require you to move a jumper to flash the BIOS but, those are gone too. I don't know if it was cost cutting or a case of user stupidity or both but, the hardware write switch has faded into history. I'm fine with the being in a default-write setup as long as they had the option to cut it off.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    3. Re:We desperately need unflashable firmwares by denis-The-menace · · Score: 4, Informative

      Kanguru SS3â with Physical Write Protect Switch
      High-Performance USB3.0 Flash Drive

      http://kanguru.com/storage-acc...

      I agree with you. WP should but the standard, not the esoteric.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    4. Re:We desperately need unflashable firmwares by sumdumass · · Score: 3, Interesting

      Wouldn't it just be easier to have a dip switch and require cracking the case open to flash the bios? At least then, a switch can detect the case opening and send a signal to something or tick a counter that can be checked every once in a while easily.

      A magnet would likely not provide the same level of obviousness. For instance, would you be noticed if you opened the case more easily than if you put a magnet on the side of the case? I know that as a kid, i was able to cut a small square of fridge magnet and combine it with a broken rare earth magnet and place on top of the reed switch for our security alarm so i could sneak out and back in without tripping our alarm system or having the record of my code being entered. Of course i had the benifit of being able to experiment by looking at the alarm pannel until the door read closed while it was open and testing it. But i do not think someone smarter than me with physical access couldn't do something similar with other tools availible. But magnets are common in the office (paperclip holders, speakers, phone parts) and not too dificult to conceal.

    5. Re:We desperately need unflashable firmwares by John_Sauter · · Score: 2

      What's infuriating is that USB drives used to come with hardware write switches and now you can't find them anywhere. And motherboards used to require you to move a jumper to flash the BIOS but, those are gone too. I don't know if it was cost cutting or a case of user stupidity or both but, the hardware write switch has faded into history. I'm fine with the being in a default-write setup as long as they had the option to cut it off.

      A third possibility is that the NSA and their friends abroad might have pressured the manufacturers to remove these security features. The pressure might have subtle, like pointing out "good" places for cost savings.

  3. Amiga Clock virus.. by Bonzoli · · Score: 3, Interesting

    This isn't anything new, Amiga in the 90's had a CMOS happy virus that used the battery power to stay in memory. It wasn't in the clock but rewrote that area of the working bios to stay resident. I remember having to take the battery out of my A500 to get rid of it, as it survived reboots and power offs.
    UEFI bio is going to be a real hassle going forward, its going to be much easier to write something for this vs the older bios with all of its limitations. USB controller firmware, Bridge firmware, controller firmware, soon to be memory controller firmware like Power8, ethernet, ssd/hd firmware, and sound card firmware. There are a lot of places if you can inject your version during the download update to the customer where harm can be done.

    1. Re:Amiga Clock virus.. by ArcadeMan · · Score: 3, Interesting

      But integrated parts means more complex firmwares which means more places to store trojans, viruses and spyware.

      Think systemd.

      --
      Get free satoshi (Bitcoin) and Dogecoins
  4. New antivirus alert message - "Toss your mother.." by funkymonkjay · · Score: 2

    "Oh nevermind.. false alarm.. all is well. go about your business" as your feeble AV tool is gagged and bound by the new BIOS.

  5. Unfortunate consequence of UEFI by dtjohnson · · Score: 5, Insightful

    The Unified Extensible Firmware Interface (UEFI) provides a new platform for malware to execute independently of the OS. There are now UEFI applications, UEFI variables that can store non-volatile data that can be shared between firmware and the OS, EFI system partition, etc. All of these things open gaping security holes into any UEFI system. Systems with the old BIOS and a write jumper on the motherboard were too secure. We don't have that problem any longer...

  6. You can take a horse to the water ... by michaelamerz · · Score: 3, Interesting

    .. but you can't make it drink. I am doing IT security for almost 30 years. I've been an advisor to the highest government branches, I have lectured on countless occasions in front of hundreds if not thousands of people. I have developed security software and environments. And all I can say is: Most people simply don't give a damn. Sure - they listen to what one has to say. And they even promise to change or adapt the way they do things. But after just a few days they've forgotten all of it. Because being safe(r) is inconvenient.
    People are just not getting it. They don't delete cookies or browser caches (I don't want to have login to facebook all the time) they send even the most personal or confidential data via unsecured email (why would somebody else read this email), they store their whole life or business data on dropbox, Google Drive or comparable services and they sync all of their cell phone content, phone numbers and contact data. It doesn't hurt if someone steals your data. You don't feel it, if a government monitors your every move. And the classic: I ain't got nothing to hide. CEOs told me: The government should be responsible to protect my data - why should I pay for it? Though they spent thousands of dollars on a state of the art security system for their offices - they don't feel it to be necessary to spend money to train their employees or to purchase technology to protect their data.
    The Snowden leaks didn't help - quite the opposite happened: People are now saying: There's nothing one can do anyway. What the government wants, the government gets. Why bother to protect the data? Most people actually believe encryption to be worthless because the NSA can hack it anyway. In conclusion: I have stopped to try to convince the general population that they can have a safe(r) digital life. I am supporting those who really want to keep their data protected. So - before starting to worry about BIOS hacks - check the other 99.999% of vulnerabilities that are much easier to exploit. As usual: Just my two cents.

  7. Software freedom for all software. by jbn-o · · Score: 2

    Firmware is software and computer users still need software freedom for all published software. This hasn't changed since Richard Stallman reached conclusions about the ethics of software over 30 years ago. Changing what device the software is loaded into or the form it takes when loaded doesn't change any of the underlying issues that all have to do with how people treat each other. This is also not an issue to be properly understood by "open source" focus on convenience, caving into business desires, or developmental methodology.

    --
    Digital Citizen
  8. Mitigations by Burz · · Score: 2

    Qubes OS will detect this type of attack, and in most cases prevent it. It can also protect you against badUSB if you create a USBVM to handle the USB controllers.

    Detection comes via the Anti-Evil Maid package, which uses a TPM to measure the system firmware, bootloader, kernel and hypervisor. It optionally can create a USB thumbdrive for booting Qubes in AEM mode. (AEM should *always* detect a compromised base system, but using a thumbdrive can help prevent an attack from succeeding in an 'Evil Maid' scenario.)

    Qubes uses Xen, a type 1 bare-metal hypervisor with a miniscule attack surface, and uses that as a chokepoint to regulate ALL system activity (including network and graphics) in a way other OSes do not. Graphics is one of the weaknesses in VM host security that enables 'VM Breakout' escalation attacks. In using VMs for all sensitive functions, remote attacks are highly unlikely to escalate and take over the core system or firmware.