Vulnerabilities / Threats
8/1/2012
01:10 AM
Connect Directly
RSS
E-Mail
50%
50%

Black Hat: Researcher Demonstrates Hardware Backdoor

One security professional shows off techniques for backdooring computer hardware to allow an attack to better hide and be more persistent

While security experts have discussed the potential for compromising firmware with a stealthy backdoor to allow for persistent compromise of a computer, a researcher at the Black Hat security conference last week demonstrated a general version of such an attack.

   
Click here for more of Dark Reading's Black Hat articles.

In a presentation last Thursday, Jonathan Brossard, a security research engineer with consultancy Toucan System, showed off a collection of open-source software and custom-built code -- dubbed Rakshasa -- that allows remote attackers to compromise and control a computer system at the hardware level. While the technique requires physical access to the hardware or remote root on the system, once the attack is complete, the compromise is both stealthy and difficult, if not impossible, to remove.

"If you have an intrusion like this, you would have to physically open your box and ... flash every firmware on your board, including the BIOS," Brossard said. "But since people don't make backups of these things, I just recommend you throw your server away."

Brossard's goal was to make a general backdoor that is capable of surviving not only a reinstallation of the operating system, but also the reflashing of the system firmware, or BIOS. In addition, the attack should be stealthy but allow for remote updates.

Rakshasa can be used on many different platforms because its foundations are not custom code, but legitimate open-source components: Coreboot, a BIOS boot loader; SeaBIOS, an open-source implementation of X86 BIOS; and a set of expansion ROMs to reflash various PCI-enabled peripherals. Because the individual software components are not malicious, the backdoor is hard to detect with antivirus software, Brossard said.

"What we want to do eventually is boot a bootkit from the network, instead of leaving it on the file systems," he said. "From an antivirus perspective the attack surface to detect this code as malicious is basically zero."

The only malicious code is downloaded from the Internet every time the computer boots. When the compromised system starts up, Rakshasa attempts to connect to the Internet using either wireless or wired networking and a variety of protocols. Once a connection is established, it will download a bootkit using a covert channel to a command-and-control server.

For the proof-of-concept attack, Broussard used a commercial bootkit, Kon-boot, which can remove two major exploit defenses on Windows systems: address space layout randomization and the no-execute (NX) bit. On modern-day operating system, these two technologies make exploiting vulnerabilities much more difficult.

"Even if you change your hard drive or remove your operating system, you still very much are going to be owned," he says.

While encryption -- especially via the trusted platform module -- could theoretically be a solution to such an attack by preventing the operating system from accessing protected resources, there are workarounds. The password to the bootable hard drive could be socially engineered from the user by throwing up a login prompt. If a trusted platform module had cryptographically sealed the computer before Rakshasa was installed, then the attacker would have to use the fake login prompt to steal credentials and disinfect the computer.

In the end, users who lack confidence in the security of their computer hardware would have to take steps to prevent such attacks, Broussard said.

"I recommend when you get a new laptop to reflash all these dodgy firmware that you don't understand, and which you can't understand, because it is proprietary, with open-source stuff that you can actually understand," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ronio
50%
50%
Ronio,
User Rank: Apprentice
8/1/2012 | 8:42:29 PM
re: Black Hat: Researcher Demonstrates Hardware Backdoor
done do not reply
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.