The ability to hack the BIOS chip at the heart of every computer is no longer reserved for the NSA and other three-letter agencies. Millions of machines contain basic BIOS vulnerabilities that letanyone with moderately sophisticated hacking skills compromise and control a system surreptitiously, according to two researchers.
The revelation comes two years after a catalogue of NSA spy tools leaked to journalists in Germany surprised everyone with its talk about the NSAs efforts to infect BIOS firmware with malicious implants.
The BIOS boots a computer and helps load the operating system. By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computers operating system were wiped and re-installed.
BIOS-hacking until now has been largely the domain of advanced hackers like those of the NSA. But researchers Xeno Kovah and Corey Kallenberg presented a proof-of-concept attack today at the CanSecWest conference in Vancouver, showing how they could remotely infect the BIOS of multiple systems using a host of new vulnerabilities that took them just hours to uncover. They also found a way to gain high-level system privileges for their BIOS malware to undermine the security of specializedoperating systems like Tailsused by journalists and activists for stealth communications and handling sensitive data.
Although most BIOS have protections to prevent unauthorized modifications, the researchers were able to bypass these to reflash the BIOS and implant their malicious code.
Kovah and Kallenberg recently left MITRE, a government contractor that conducts research for the Defense Department and other federal agencies, to launch LegbaCore, a firmware security consultancy. They note that the recent discovery of a firmware-hacking toolby Kaspersky Lab researchers makes it clear that firmware hacking like their BIOS demo is something the security community should be focusing on.
Because many BIOS share some of the same code, they were able to uncover vulnerabilities in 80 percent of the PCs they examined, including ones from Dell, Lenovo and HP. The vulnerabilities, which theyre calling incursion vulnerabilities, were so easy to find that they wrote a script to automate the process and eventuallystopped counting the vulns it uncovered because there were too many.
Theres one type of vulnerability, which theres literally dozens of instances of it in every given BIOS, says Kovah. They disclosed the vulnerabilities to the vendors and patches are in the works but have not yet been released. Kovah says, however, that even when vendors have produced BIOS patches in the past, few peoplehave applied them.
Because people havent been patching their BIOSes, all of the vulnerabilities that have been disclosed over the last couple of years are all open and available to an attacker, he notes. We spent the last couple of years at MITRE running around to companies trying to get them to do patches. They think BIOS is out of sight out of mind [because] they dont hear a lot about it being attacked in the wild.
An attacker could compromise the BIOS in two waysthrough remote exploitation by delivering the attack code via a phishing email or some other method, or through physical interdiction of a system. In that case, the researchers found that if they had physical access to a system they could infect the BIOS on some machines in just two minutes. This highlights just how quickly and easy it would be, for example, for a government agent or law enforcement officer with a moments access to a system to compromise it.
Read this article:
Researchers Uncover Way to Hack BIOS and Undermine Secure Operating Systems