11/14/2013
08:31 AM

Research Into BIOS Attacks Underscores Their Danger

The jury is out on BadBIOS, but malware for motherboards and other hardware is both possible and, with the rise of the Internet of Things, likely

For three years, Dragos Ruiu has attempted to track down a digital ghost in his network, whose presence is only felt in strange anomalies and odd system behavior.

The anomalies ranged from system instability, to "bricked" USB sticks and data seemingly modified on the fly, according to online posts. Ruiu, who organizes a number of well-attended security conferences including the current PacSec conference in Tokyo, believes the issues are due to malware infecting the low-level system software, or BIOS, on the machine and has provided hard drive images to other researchers. So far, no one has confirmed the issues.

"I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect," he wrote on Google+ in late October. "This was on a BSD system, so this is definitely not a Windows issue. And it's a low level issue, I didn't even mount the volume and it was infected." Ruiu has not yet responded to requests for comment.

While security experts continue to debate the existence of BadBIOS, no one denies that malware that infects the basic embedded code on computers is a possibility. A number of researchers have, in the past, demonstrated the ability to infect various low-level components of computer systems with custom code. In 1998, the CIH, or Chernobyl, virus infected Windows 98 systems and attempted to reflash the BIOS, the basic input/output system, on vulnerable motherboards. Since then, only a smattering of researchers and attackers have focused on attempting to compromise the low-level system components: In 2006, for example, a researcher demonstrated ways that the Advanced Configuration and Power Interface (ACPI) on newer motherboards could be used as a high-level language to infect the BIOS.

Whether BadBIOS is the natural extension of that evolution is still a question, says Oded Horovitz, CEO of PrivateCore, a startup focusing on data and hardware integrity.

"It's anywhere from an odd reality to a myth," Horovitz says. "Clearly, the concept of the threats circulating around is similar to BadBIOS--re-flashing the firmware and infecting these devices."

Last year, Jonathan Brossard, a security research engineer with consultancy Toucan Systems, demonstrated that a collection of open-source software and purpose-built code could be used to infect a system with hard-to-detect code that is very difficult to remove.

The attack platform, called Rakshasa, infects the system's BIOS, the code that first runs on any computer, but also other firmware on the device, including the code used to start up a computer, to make the code nearly impossible to eradicate from the system. In fact, the code is so difficult to remove that Brossard recommends that someone who suspects BIOS malware on their system simply toss their computer and buy a new one.

"The whole concept of such malware is that, if you cannot trust your BIOS, you cannot trust your operating system, and if you cannot trust your operating system, then you cannot trust any calculations or anything you do on the system," Brossard says.

Researchers and attackers focus on BIOS and other firmware because it is the first code to run, it is hard to change, and changes to it are difficult to detect.

[Researchers expect to release proofs-of-concept at Black Hat that show how malware can infect BIOS, persist past updates, and fool the TPM into thinking everything's fine. See BIOS Bummer: New Malware Can Bypass BIOS Security.]

Erecting defenses to firmware-level attacks is difficult, even on systems with the Trusted Platform Module, cryptographic hardware designed to allow a system to check and attest to its integrity. In a presentation at the Black Hat Conference in July, three researchers from Mitre showed that the access controls that protect BIOS could be circumvented.
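To make the integrity check the article attributes to the TPM concrete, here is an added example (not code from the article or from any researcher it quotes) that simulates measured boot: each firmware stage is hashed into a PCR-style register, and a verifier compares the result against a golden measurement. The component images, the single-PCR layout and the function names are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Log = List[Tuple[str, bytes]]   # ordered (component name, digest) boot event log
PCR_INIT = bytes(32)            # a SHA-256 PCR bank reads all zeros after reset

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest). Accumulate-only; no reset or overwrite."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, Log]:
    """Simulate a boot that hashes each firmware stage into one PCR and logs each event."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def replay(log: Log) -> bytes:
    """Recompute the PCR value that a given event log implies."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def attest(pcr: bytes, log: Log, golden: Log) -> Dict[str, object]:
    """Verifier side: the log must reproduce the TPM-reported PCR, which must match golden."""
    if replay(log) != pcr:
        return {"ok": False, "reason": "event log does not reproduce PCR"}
    if pcr == replay(golden):
        return {"ok": True, "reason": "matches golden measurement"}
    known = dict(golden)
    changed = [name for name, digest in log if known.get(name) != digest]
    return {"ok": False, "reason": "firmware changed", "changed": changed}

# Constructed stand-ins for the real flash dump, option ROMs and bootloader.
CLEAN = [("BIOS", b"vendor BIOS 1.02 reference image"),
         ("OptionROM", b"NIC option ROM 3.1"),
         ("Bootloader", b"bootloader 2.0")]
TAMPERED = [("BIOS", b"vendor BIOS 1.02 reference image-modified")] + CLEAN[1:]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(CLEAN)   # recorded once from a known-good unit

def boot_and_attest(components, presented_log: Optional[Log] = None) -> Dict[str, object]:
    """Boot the images, then attest. presented_log lets the caller hand the verifier a log
    other than the one this boot produced (e.g. a clean-looking log hiding a changed BIOS)."""
    pcr, log = measured_boot(components)
    return attest(pcr, log if presented_log is None else presented_log, GOLDEN_LOG)
```

The third case matters most for the article's point: because the PCR can only be extended, a clean-looking event log cannot reproduce the value the TPM actually holds after a modified BIOS ran, so the change is detected even when the log is forged.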

A major part of the issue is that the developers who write code for BIOS, firmware, and embedded devices are generally not practiced in writing secure code, says Robert Graham, CEO of security consultancy Errata Security. Many of the methods, such as the Secure Development Lifecycle, that have made code more secure in the operating-system and PC-application world have not yet become standard practice in the embedded device and firmware community.

"The people who write code for embedded devices write really bad code," he says. "You look at drivers or the firmware, there is none of the modern security practices."

That does not mean that an attack like BadBIOS is real, he says. Although an attack such as BadBIOS is feasible, the symptoms could easily be the result of some strange hardware issues, Graham adds.

On the other hand, it could be that Ruiu has discovered an interesting attack, he says. While the scale of the campaign seems impractical because of the number of different hardware motherboards that would require custom code, dedicated attackers could accomplish such a feat.

"One thing that could be happening here is that some virus has been doing this for a number of years and we never noticed," he says. "Dragos could simply be noticing something that other people have overlooked."

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments

jmccarthy926, User Rank: Apprentice, 11/15/2013 | 7:27:19 PM
re: Research Into BIOS Attacks Underscores Their Danger
Well, there seems to be a whole lot of heat and not much light around this issue.

The Raspberry Pi does not have a BIOS. It must boot from the SD card. The USB daemon can be thoroughly instrumented. If Bigfoot really does exist, why can't an infected USB drive be plugged into a Raspberry Pi in order to observe its behavior?