Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/14/2013
08:31 AM
50%
50%

Research Into BIOS Attacks Underscores Their Danger

The jury is out on BadBIOS, but malware for motherboards and other hardware is both possible and, with the rise of the Internet of Things, likely

For three years, Dragos Ruiu has attempted to track down a digital ghost in his network, whose presence is only felt in strange anomalies and odd system behavior.

The anomalies ranged from system instability, to "bricked" USB sticks and data seemingly modified on the fly, according to online posts. Ruiu, who organizes a number of well-attended security conferences including the current PacSec conference in Tokyo, believes the issues are due to malware infecting the low-level system software, or BIOS, on the machine and has provided hard drive images to other researchers. So far, no one has confirmed the issues.

"I lost another one yesterday confirming that's simply plugging in a USB device from an infected system into a clean one is sufficient to infect," he wrote on Google+ in late October. "This was on a BSD system, so this is definitely not a Windows issue. And it's a low level issue, I didn't even mount the volume and it was infected." Ruiu has not yet responded to requests for comment.

While security experts continue to debate the existence of BadBIOS, no one denies that malware that infects the basic embedded code on computers is a possibility. A number of researchers have, in the past, demonstrated the ability to infect various low level components of computer systems with custom code. In 1998, the CIH, or Chernobyl, virus infected Windows 98 systems and attempted to reflash the BIOS, the basic input/output system, on vulnerabile motherboards. Since then, only a smattering of researchers and attackers have focused on attempting to compromise the low-level system components: In 2006, for example, a researcher demonstrated ways that the Advanced Configuration and Power Interface (ACPI) on newer motherboards could be used as a high-level language to infect the BIOS.

Whether BadBIOS is the natural extension of that evolution is still a question, says Oded Horovitz, CEO of PrivateCore, a startup focusing on data and hardware integrity.

"It's anywhere from an odd reality to a myth," Horovitz says. "Clearly, the concept of the threats circulating around is similar to BadBIOS--re-flashing the firmware and infecting these devices."

Last year, Jonathan Brossard, a security research engineer with consultancy Toucan Systems, demonstrated that a collection of open-source software and purpose-built code could be used to infect a system with hard-to-detect code that is very difficult to remove.

The attack platform, called Rakshasa, infects the system's BIOS, the code that first runs on any computer, but also other firmware on the device, including the code used to start up a computer, to make the code nearly impossible to eradicate from the system. In fact, the code is so difficult to remove that Brossard recommends that someone that suspects BIOS malware on their system simply toss their computer and buy a new one.

"The whole concept of such malware is that, if you cannot trust your BIOS, you cannot trust your operating system, and if you cannot trust your operating system, then you cannot trust any calculations or anything you do on the system," Brossard says.

Researchers and attackers focus on BIOS and other firmware because it is the first code to run, is hard to change and changes are difficult to detect.

[Researchers expect to release proofs-of-concept at Black Hat that show how malware can infect BIOS, persist past updates, and fool the TPM into thinking everything's fine. See BIOS Bummer: New Malware Can Bypass BIOS Security.]

Erecting defenses to firmware-level attacks is difficult, even on systems with the Trusted Platform Module, cryptographic hardware designed to allow a system to check and attest to its integrity. In a presentation at the Black Hat Conference in July, three researchers from Mitre showed that the access controls that protect BIOS could be circumvented.

A major part of the issue is that the developers who write code for BIOS, firmware, and embedded devices are generally not practiced in writing secure code, says Robert Graham, CEO of security consultancy Errata Security. Many of the methods, such as the Secure Development Lifecycle, that have made code more secure in the operating-system and PC-application world have not yet become standard practice in the embedded device and firmware community.

"The people who write code for embedded devices write really bad code," he says. "You look at drivers or the firmware, there is none of the modern security practices."

That does not mean that an attack like BadBIOS is real, he says. Despite the fact that an attack such as BadBIOS is feasible, it could easily be some strange hardware issues, Graham adds.

On the other hand, it could be that Ruiu has discovered an interesting attack, he says. While the scale of the campaign seems impractical because of the number of different hardware motherboards that would require custom code, dedicated attackers could accomplish such a feat.

"One thing that could be happening here that some virus has been doing this for a number of years and we never noticed," he says. "Dragos could simply be noticing something that other people have overlooked."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jmccarthy926
50%
50%
jmccarthy926,
User Rank: Apprentice
11/15/2013 | 7:27:19 PM
re: Research Into BIOS Attacks Underscores Their Danger
Well, there seems to be a whole lot of heat and not much light around this issue.

The Raspberry Pi does not have a BIOS. It must boot from the SD card. The USB daemon can be thoroughly instrumented. If Bigfoot really does exist, why can't an infected USB drive be plugged into a Raspberry Pi in order to observe its behavior?
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...