Vulnerabilities / Threats

01:10 AM

Black Hat: Researcher Demonstrates Hardware Backdoor

One security professional shows off techniques for backdooring computer hardware to allow an attack to better hide and be more persistent

While security experts have discussed the potential for compromising firmware with a stealthy backdoor to allow for persistent compromise of a computer, a researcher at the Black Hat security conference last week demonstrated a general version of such an attack.

Click here for more of Dark Reading's Black Hat articles.

In a presentation last Thursday, Jonathan Brossard, a security research engineer with consultancy Toucan System, showed off a collection of open-source software and custom-built code -- dubbed Rakshasa -- that allows remote attackers to compromise and control a computer system at the hardware level. While the technique requires physical access to the hardware or remote root on the system, once the attack is complete, the compromise is both stealthy and difficult, if not impossible, to remove.

"If you have an intrusion like this, you would have to physically open your box and ... flash every firmware on your board, including the BIOS," Brossard said. "But since people don't make backups of these things, I just recommend you throw your server away."

Brossard's goal was to make a general backdoor that is capable of surviving not only a reinstallation of the operating system, but also the reflashing of the system firmware, or BIOS. In addition, the attack should be stealthy but allow for remote updates.

Rakshasa can be used on many different platforms because its foundations are not custom code, but legitimate open-source components: Coreboot, a BIOS boot loader; SeaBIOS, an open-source implementation of X86 BIOS; and a set of expansion ROMs to reflash various PCI-enabled peripherals. Because the individual software components are not malicious, the backdoor is hard to detect with antivirus software, Brossard said.

"What we want to do eventually is boot a bootkit from the network, instead of leaving it on the file systems," he said. "From an antivirus perspective the attack surface to detect this code as malicious is basically zero."

The only malicious code is downloaded from the Internet every time the computer boots. When the compromised system starts up, Rakshasa attempts to connect to the Internet using either wireless or wired networking and a variety of protocols. Once a connection is established, it will download a bootkit using a covert channel to a command-and-control server.

For the proof-of-concept attack, Broussard used a commercial bootkit, Kon-boot, which can remove two major exploit defenses on Windows systems: address space layout randomization and the no-execute (NX) bit. On modern-day operating system, these two technologies make exploiting vulnerabilities much more difficult.

"Even if you change your hard drive or remove your operating system, you still very much are going to be owned," he says.

While encryption -- especially via the trusted platform module -- could theoretically be a solution to such an attack by preventing the operating system from accessing protected resources, there are workarounds. The password to the bootable hard drive could be socially engineered from the user by throwing up a login prompt. If a trusted platform module had cryptographically sealed the computer before Rakshasa was installed, then the attacker would have to use the fake login prompt to steal credentials and disinfect the computer.

In the end, users who lack confidence in the security of their computer hardware would have to take steps to prevent such attacks, Broussard said.

"I recommend when you get a new laptop to reflash all these dodgy firmware that you don't understand, and which you can't understand, because it is proprietary, with open-source stuff that you can actually understand," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/1/2012 | 8:42:29 PM
re: Black Hat: Researcher Demonstrates Hardware Backdoor
done do not reply
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Executive Editor, Technical Content,  3/20/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.