Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:10 AM

Black Hat: Researcher Demonstrates Hardware Backdoor

One security professional shows off techniques for backdooring computer hardware to allow an attack to better hide and be more persistent

While security experts have discussed the potential for compromising firmware with a stealthy backdoor to allow for persistent compromise of a computer, a researcher at the Black Hat security conference last week demonstrated a general version of such an attack.

Click here for more of Dark Reading's Black Hat articles.

In a presentation last Thursday, Jonathan Brossard, a security research engineer with consultancy Toucan System, showed off a collection of open-source software and custom-built code -- dubbed Rakshasa -- that allows remote attackers to compromise and control a computer system at the hardware level. While the technique requires physical access to the hardware or remote root on the system, once the attack is complete, the compromise is both stealthy and difficult, if not impossible, to remove.

"If you have an intrusion like this, you would have to physically open your box and ... flash every firmware on your board, including the BIOS," Brossard said. "But since people don't make backups of these things, I just recommend you throw your server away."

Brossard's goal was to make a general backdoor that is capable of surviving not only a reinstallation of the operating system, but also the reflashing of the system firmware, or BIOS. In addition, the attack should be stealthy but allow for remote updates.

Rakshasa can be used on many different platforms because its foundations are not custom code, but legitimate open-source components: Coreboot, a BIOS boot loader; SeaBIOS, an open-source implementation of X86 BIOS; and a set of expansion ROMs to reflash various PCI-enabled peripherals. Because the individual software components are not malicious, the backdoor is hard to detect with antivirus software, Brossard said.

"What we want to do eventually is boot a bootkit from the network, instead of leaving it on the file systems," he said. "From an antivirus perspective the attack surface to detect this code as malicious is basically zero."

The only malicious code is downloaded from the Internet every time the computer boots. When the compromised system starts up, Rakshasa attempts to connect to the Internet using either wireless or wired networking and a variety of protocols. Once a connection is established, it will download a bootkit using a covert channel to a command-and-control server.

For the proof-of-concept attack, Broussard used a commercial bootkit, Kon-boot, which can remove two major exploit defenses on Windows systems: address space layout randomization and the no-execute (NX) bit. On modern-day operating system, these two technologies make exploiting vulnerabilities much more difficult.

"Even if you change your hard drive or remove your operating system, you still very much are going to be owned," he says.

While encryption -- especially via the trusted platform module -- could theoretically be a solution to such an attack by preventing the operating system from accessing protected resources, there are workarounds. The password to the bootable hard drive could be socially engineered from the user by throwing up a login prompt. If a trusted platform module had cryptographically sealed the computer before Rakshasa was installed, then the attacker would have to use the fake login prompt to steal credentials and disinfect the computer.

In the end, users who lack confidence in the security of their computer hardware would have to take steps to prevent such attacks, Broussard said.

"I recommend when you get a new laptop to reflash all these dodgy firmware that you don't understand, and which you can't understand, because it is proprietary, with open-source stuff that you can actually understand," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
8/1/2012 | 8:42:29 PM
re: Black Hat: Researcher Demonstrates Hardware Backdoor
done do not reply
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...
PUBLISHED: 2020-11-25
A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js.
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) co...
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on...