Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:10 AM

Black Hat: Researcher Demonstrates Hardware Backdoor

One security professional shows off techniques for backdooring computer hardware to allow an attack to better hide and be more persistent

While security experts have discussed the potential for compromising firmware with a stealthy backdoor to allow for persistent compromise of a computer, a researcher at the Black Hat security conference last week demonstrated a general version of such an attack.

Click here for more of Dark Reading's Black Hat articles.

In a presentation last Thursday, Jonathan Brossard, a security research engineer with consultancy Toucan System, showed off a collection of open-source software and custom-built code -- dubbed Rakshasa -- that allows remote attackers to compromise and control a computer system at the hardware level. While the technique requires physical access to the hardware or remote root on the system, once the attack is complete, the compromise is both stealthy and difficult, if not impossible, to remove.

"If you have an intrusion like this, you would have to physically open your box and ... flash every firmware on your board, including the BIOS," Brossard said. "But since people don't make backups of these things, I just recommend you throw your server away."

Brossard's goal was to make a general backdoor that is capable of surviving not only a reinstallation of the operating system, but also the reflashing of the system firmware, or BIOS. In addition, the attack should be stealthy but allow for remote updates.

Rakshasa can be used on many different platforms because its foundations are not custom code, but legitimate open-source components: Coreboot, a BIOS boot loader; SeaBIOS, an open-source implementation of X86 BIOS; and a set of expansion ROMs to reflash various PCI-enabled peripherals. Because the individual software components are not malicious, the backdoor is hard to detect with antivirus software, Brossard said.

"What we want to do eventually is boot a bootkit from the network, instead of leaving it on the file systems," he said. "From an antivirus perspective the attack surface to detect this code as malicious is basically zero."

The only malicious code is downloaded from the Internet every time the computer boots. When the compromised system starts up, Rakshasa attempts to connect to the Internet using either wireless or wired networking and a variety of protocols. Once a connection is established, it will download a bootkit using a covert channel to a command-and-control server.

For the proof-of-concept attack, Broussard used a commercial bootkit, Kon-boot, which can remove two major exploit defenses on Windows systems: address space layout randomization and the no-execute (NX) bit. On modern-day operating system, these two technologies make exploiting vulnerabilities much more difficult.

"Even if you change your hard drive or remove your operating system, you still very much are going to be owned," he says.

While encryption -- especially via the trusted platform module -- could theoretically be a solution to such an attack by preventing the operating system from accessing protected resources, there are workarounds. The password to the bootable hard drive could be socially engineered from the user by throwing up a login prompt. If a trusted platform module had cryptographically sealed the computer before Rakshasa was installed, then the attacker would have to use the fake login prompt to steal credentials and disinfect the computer.

In the end, users who lack confidence in the security of their computer hardware would have to take steps to prevent such attacks, Broussard said.

"I recommend when you get a new laptop to reflash all these dodgy firmware that you don't understand, and which you can't understand, because it is proprietary, with open-source stuff that you can actually understand," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/1/2012 | 8:42:29 PM
re: Black Hat: Researcher Demonstrates Hardware Backdoor
done do not reply
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-26
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related command...
PUBLISHED: 2020-10-26
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
PUBLISHED: 2020-10-26
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
PUBLISHED: 2020-10-26
The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the ur...
PUBLISHED: 2020-10-26
SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software* U...