Slashdot Mirror


Persistent BIOS Rootkit Implant To Debut At CanSecWest

msm1267 writes Research on new BIOS vulnerabilities and a working rootkit implant will be presented on Friday at the annual CanSecWest security conference. An attacker with existing remote access on a compromised computer can use the implant to turn down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed. The devious part of the exploit is that the researchers have found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure and privacy-focused operating systems such as Tails in the line of fire of the implant.

Their implant, the researchers said, is able to scrape the secret PGP key Tails uses for encrypted communication, for example. It can also steal passwords and encrypted communication. The implant survives OS re-installation and even Tails' built-in protections, including its capability of wiping RAM.
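The summary above turns on "existing protections in place to prevent re-flashing of the firmware". On Intel platforms of that era the core of those protections is the BIOS_CNTL register in the PCH, whose BIOSWE, BLE and SMM_BWP bits decide whether the BIOS region of the SPI flash can be written from the running OS. The following is an added defender-side example, not code from the story or from the researchers: it decodes an 8-bit BIOS_CNTL value and grades the protection state, the way a firmware-audit tool would. The register layout (offset 0xDC in the LPC bridge's PCI config space, bits 0, 1, 4 and 5) is taken from Intel PCH datasheets for the 6- through 9-series chipsets; the sample values are constructed rather than read from real hardware, and the three-level grading policy is this example's own.

```python
"""Decode the Intel PCH BIOS_CNTL register and grade SPI flash write protection.

Added example (not from the Slashdot story or the research it summarises).
Register layout assumed from Intel 6/7/8/9-series PCH datasheets: BIOS_CNTL is an
8-bit register at offset 0xDC in the LPC bridge's PCI config space (bus 0, dev 31, fn 0).
The sample values below are constructed, not captured from real hardware.
"""

BIOSWE  = 1 << 0  # BIOS Write Enable: BIOS region of SPI flash is writable right now
BLE     = 1 << 1  # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM code can clear it
TSS     = 1 << 4  # Top Swap Status (informational, not a protection)
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only while all cores are in SMM

FLAGS = {"BIOSWE": BIOSWE, "BLE": BLE, "TSS": TSS, "SMM_BWP": SMM_BWP}


def decode_bios_cntl(value: int) -> dict:
    """Return {flag_name: bool} for an 8-bit BIOS_CNTL value."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return {name: bool(value & bit) for name, bit in FLAGS.items()}


def assess_flash_write_protection(value: int) -> dict:
    """Grade the register as 'protected', 'weak' or 'unprotected', with reasons.

    Grading policy (this example's own, modelled on what firmware-audit tools check):
      protected   - BIOSWE clear, BLE set, SMM_BWP set
      weak        - BIOSWE clear and BLE set, but SMM_BWP clear (protection then rests
                    entirely on the SMI handler re-clearing BIOSWE)
      unprotected - BIOSWE set (flash writable now) or BLE clear (nothing stops
                    ring-0 code from setting BIOSWE)
    """
    f = decode_bios_cntl(value)
    reasons = []
    if f["BIOSWE"]:
        reasons.append("BIOSWE=1: BIOS region is writable from the OS right now")
    if not f["BLE"]:
        reasons.append("BLE=0: BIOSWE can be set without raising an SMI")
    if not f["SMM_BWP"]:
        reasons.append("SMM_BWP=0: flash writes are not restricted to SMM")

    if f["BIOSWE"] or not f["BLE"]:
        status = "unprotected"
    elif not f["SMM_BWP"]:
        status = "weak"
    else:
        status = "protected"
    return {"status": status, "flags": f, "reasons": reasons}


# Constructed sample values (not read from any real machine).
SAMPLES = {
    "locked-down":        0x22,  # BLE | SMM_BWP
    "ble-only":           0x02,  # BLE set, SMM_BWP clear
    "factory-default":    0x00,  # nothing set
    "unlocked-for-write": 0x23,  # BLE | SMM_BWP | BIOSWE
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = assess_flash_write_protection(raw)
        print(f"{label:20s} BIOS_CNTL=0x{raw:02x} -> {result['status']}")
        for why in result["reasons"]:
            print("    ", why)
```

On a Linux host with one of these chipsets the live value can be read with `setpci -s 00:1f.0 0xdc.B` (assuming the LPC bridge sits at 00:1f.0, its usual address) or with chipsec's `bios_wp` module; on later PCH generations the register moved into the SPI controller's own PCI function, so the address differs. BIOS_CNTL is also only one layer: the SPI protected-range registers and the flash descriptor's lock state should be checked alongside it, since a platform can pass this check and still leave the flash writable through another path.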

3 of 120 comments

  1. We desperately need unflashable firmwares by Anonymous Coward · Score: 5, Insightful

    I'm afraid of plugging my USB drives around; I'm using a fairly obscure UEFI/BIOS on my main computer in hopes that nobody has bothered to write an exploit for it yet.

    But what I'd really like to see is a hardware protection against flashing. On USB, on hard drives, on the motherboard, on anything that could possibly be flashed. And no, cryptographically signed updates aren't going to cut it. It's more than feasible to steal or crack weak keys.

    1. Re:We desperately need unflashable firmwares by TheReaperD · Score: 5, Insightful

      What's infuriating is that USB drives used to come with hardware write switches and now you can't find them anywhere. And motherboards used to require you to move a jumper to flash the BIOS, but those are gone too. I don't know if it was cost cutting or a case of user stupidity or both, but the hardware write switch has faded into history. I'm fine with them being in a default-write setup as long as they had the option to cut it off.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -

  2. Unfortunate consequence of UEFI by dtjohnson · Score: 5, Insightful

    The Unified Extensible Firmware Interface (UEFI) provides a new platform for malware to execute independently of the OS. There are now UEFI applications, UEFI variables that can store non-volatile data that can be shared between firmware and the OS, an EFI system partition, etc. All of these things open gaping security holes into any UEFI system. Systems with the old BIOS and a write jumper on the motherboard were too secure. We don't have that problem any longer...