Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

11/14/2013
08:31 AM

Research Into BIOS Attacks Underscores Their Danger

The jury is out on BadBIOS, but malware for motherboards and other hardware is both possible and, with the rise of the Internet of Things, likely

For three years, Dragos Ruiu has attempted to track down a digital ghost in his network, whose presence is only felt in strange anomalies and odd system behavior.

The anomalies ranged from system instability, to "bricked" USB sticks and data seemingly modified on the fly, according to online posts. Ruiu, who organizes a number of well-attended security conferences including the current PacSec conference in Tokyo, believes the issues are due to malware infecting the low-level system software, or BIOS, on the machine and has provided hard drive images to other researchers. So far, no one has confirmed the issues.

"I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect," he wrote on Google+ in late October. "This was on a BSD system, so this is definitely not a Windows issue. And it's a low level issue, I didn't even mount the volume and it was infected." Ruiu has not yet responded to requests for comment.

While security experts continue to debate the existence of BadBIOS, no one denies that malware that infects the basic embedded code on computers is a possibility. A number of researchers have, in the past, demonstrated the ability to infect various low-level components of computer systems with custom code. In 1998, the CIH, or Chernobyl, virus infected Windows 98 systems and attempted to reflash the BIOS, the basic input/output system, on vulnerable motherboards. Since then, only a smattering of researchers and attackers have focused on attempting to compromise low-level system components: In 2006, for example, a researcher demonstrated ways that the Advanced Configuration and Power Interface (ACPI) on newer motherboards could be used as a high-level language to infect the BIOS.

Whether BadBIOS is the natural extension of that evolution is still a question, says Oded Horovitz, CEO of PrivateCore, a startup focusing on data and hardware integrity.

"It's anywhere from an odd reality to a myth," Horovitz says. "Clearly, the concept of the threats circulating around is similar to BadBIOS--re-flashing the firmware and infecting these devices."

Last year, Jonathan Brossard, a security research engineer with consultancy Toucan Systems, demonstrated that a collection of open-source software and purpose-built code could be used to infect a system with hard-to-detect code that is very difficult to remove.

The attack platform, called Rakshasa, infects not only the system's BIOS, the code that first runs on any computer, but also other firmware on the machine involved in starting it up, which makes the malicious code nearly impossible to eradicate. In fact, the code is so difficult to remove that Brossard recommends that someone who suspects BIOS malware on their system simply toss the computer and buy a new one.

"The whole concept of such malware is that, if you cannot trust your BIOS, you cannot trust your operating system, and if you cannot trust your operating system, then you cannot trust any calculations or anything you do on the system," Brossard says.

Researchers and attackers focus on BIOS and other firmware because it is the first code to run, it is hard to change, and changes to it are difficult to detect.

[Researchers expect to release proofs-of-concept at Black Hat that show how malware can infect BIOS, persist past updates, and fool the TPM into thinking everything's fine. See BIOS Bummer: New Malware Can Bypass BIOS Security.]

Erecting defenses against firmware-level attacks is difficult, even on systems with a Trusted Platform Module (TPM), cryptographic hardware designed to let a system measure and attest to its own integrity. In a presentation at the Black Hat conference in July, three researchers from MITRE showed that the access controls that protect the BIOS could be circumvented.
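The integrity check the TPM is built around is a chain of measurements: each boot component is hashed and "extended" into a Platform Configuration Register (PCR), and a verifier compares the final PCR value against a known-good one. The following is an added illustration, not code from the article or from any vendor or researcher it mentions; it simulates that extend chain in software with constructed stand-in firmware images, so a tampered component or a reordered boot sequence shows up as a PCR mismatch. It also shows the caveat the researchers above raise: the check is only as good as the code doing the measuring.

```python
import hashlib

# Constructed stand-ins for the firmware images a real platform would measure.
BOOT_COMPONENTS = [
    ("bios_core", b"constructed BIOS core image v1"),
    ("acpi_tables", b"constructed ACPI tables"),
    ("option_rom", b"constructed network card option ROM"),
]

PCR_SIZE = 32  # SHA-256 PCR bank; PCRs reset to all zeros at power-on


def pcr_extend(pcr: bytes, component_image: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component image))."""
    digest = hashlib.sha256(component_image).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components) -> bytes:
    """Measure each boot component in order, as honest firmware would."""
    pcr = bytes(PCR_SIZE)
    for _name, image in components:
        pcr = pcr_extend(pcr, image)
    return pcr


def attest(components, golden_pcr: bytes) -> bool:
    """Verifier side: accept the platform only if the PCR matches the golden value."""
    return measure_boot(components) == golden_pcr


def reflashed(components, index: int, patch: bytes):
    """Return a copy of the boot chain with one image modified (a simulated reflash)."""
    modified = list(components)
    name, image = modified[index]
    modified[index] = (name, image + patch)
    return modified


def measure_boot_lying_firmware(components, reported_components) -> bytes:
    # Caveat: the measurement is taken by the firmware itself. Compromised firmware
    # that extends the PCR with the *original* images instead of what actually ran
    # produces the golden value and fools the verifier. This is why the article's
    # researchers focus on protecting the measuring code, not just checking PCRs.
    del components  # what really executed is ignored by the dishonest measurer
    return measure_boot(reported_components)
```

The verifier's golden value must come from a trusted source (a reference measurement of known-good firmware), and the simulation makes clear that a measurement taken by already-compromised code proves nothing.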

A major part of the issue is that the developers who write code for BIOS, firmware, and embedded devices are generally not practiced in writing secure code, says Robert Graham, CEO of security consultancy Errata Security. Many of the methods, such as the Secure Development Lifecycle, that have made code more secure in the operating-system and PC-application world have not yet become standard practice in the embedded device and firmware community.

"The people who write code for embedded devices write really bad code," he says. "You look at drivers or the firmware, there are none of the modern security practices."

That does not mean that an attack like BadBIOS is real, he says. Even though an attack such as BadBIOS is feasible, what Ruiu is seeing could just as easily be a set of strange hardware issues, Graham adds.

On the other hand, it could be that Ruiu has discovered an interesting attack, he says. While the scale of the campaign seems impractical because of the number of different hardware motherboards that would require custom code, dedicated attackers could accomplish such a feat.

"One thing that could be happening here is that some virus has been doing this for a number of years and we never noticed," he says. "Dragos could simply be noticing something that other people have overlooked."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
jmccarthy926 (User Rank: Apprentice), 11/15/2013 7:27:19 PM
re: Research Into BIOS Attacks Underscores Their Danger
Well, there seems to be a whole lot of heat and not much light around this issue.

The Raspberry Pi does not have a BIOS. It must boot from the SD card. The USB daemon can be thoroughly instrumented. If Bigfoot really does exist, why can't an infected USB drive be plugged into a Raspberry Pi in order to observe its behavior?