When the National Security Agency’s ANT division catalog of surveillance tools was disclosed among the myriad of Snowden revelations, its desire to implant malware into the BIOS of targeted machines was unquestionable.

While there’s little evidence of BIOS bootkits in the wild, the ANT catalog and the recent disclosure of the Equation Group’s cyberespionage platform, in particular module NLS_933W.DLL that reprograms firmware from most major vendors, leave little doubt that attacks against hardware are leaving the realm of academics and white hats.

Tomorrow at the CanSecWest conference in Vancouver, researchers Corey Kallenberg and Xeno Kovah, formerly of MITRE and founders of startup LegbaCore, will deliver research on new BIOS vulnerabilities and present a working rootkit implant into BIOS.

“Most BIOS have protections from modifications,” Kallenberg told Threatpost. “We found a way to automate the discovery of vulnerabilities this space and break past those protections.”

Kallenberg said an attacker would need to already have remote access to a compromised computer in order to execute the implant and elevate privileges on the machine through the hardware. Their exploit turns down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed.

The devious part of their exploit is that they’ve found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure operating systems such as Tails in the line of fire of the implant.

Tails is a privacy-focused operating system that runs off removable media, such as USB stick, and whose aim is privacy and anonymity.

“The idea is that if the OS is compromised by an implant, it’s OK to use Tails for communication (all Internet connections are made through the Tor browser) because it’s shielded from the malware that hit the main operating system,” Kallenberg said. “What the implant does is it waits for Tails to boot and scrapes sensitive data out of memory and exfiltrates it out. Our agent listens in the background, Tails doesn’t see it.”

Their implant, the researchers said, is able to scrape the secret PGP key Tails uses for encrypted communication, for example. It can also steal passwords and encrypted communication. The implant survives OS re-installation and even Tails’ built-in protections, including its capability of wiping RAM.

“We store data in a non-volatile area and it’s not erased,” Kallenberg said. “The idea is to make it obvious that these secure boot disk style things are architecturally vulnerable to attackers who come at you from the BIOS level space.”

Kovah said that architectural changes to the BIOS successor UEFI introduced modularity in order to simplify development. But that modularity, which is spelled out in the open source reference implementation of UEFI, is what can be abused. It’s also what many vendors have based their code on.

Kovah explained that common code exists in the BIOS variants from different vendors, and that code makes it possible to reliably install implants across the different makes and models.

“The open source reference implementation explains how data is passed and there are well-defined locations where to transfer internally to the BIOS,” Kovah said. “You can look at the open source reference to look for patterns and see where the same data exists in closed source versions. Those common reference points define hook locations.”

An attacker may place code at those locations, Kovah said, and that up to 100 models from five vendors all share the same code or variants of the same code.

“Because of that, you can reliably automate the search of strings for hooking, place hooks, and insert code,” Kovah said.

Kovah said an attacker, criminal or nation-state, can also infect the BIOS with physical access to a computer, such as at a border crossing. In a demo shared with Threatpost, using a DediProg flash programmer, Kovah was able to physically clip a connector cable onto the BIOS and download an implant that way.

“This can be used at a border crossing, in an Evil Maid attack, or other physical interdiction attacks,” he said. “If you have access, it takes about two minutes once you find the BIOS. The idea is to give this to the unskilled, give them a target, open the computer, connect and press start. It takes about 50 seconds to re-flash the chip.

“The point here is that even if you think you’re doing strong op-sec by using Tails or not carrying a hard drive, it doesn’t matter,” Kovah said. “Two minutes of physical access and you can own any OS.”

The situation isn’t entirely bleak. The researchers said that vendors do a solid job of patching vulnerabilities that are reported to them, but need to improve secure coding practices and put more effort into vulnerability mitigations.

“As time goes on and the cost of exploitation gets higher because more bugs get killed off and new techniques make it harder to exploit, I think that attacking BIOS will be more appealing because of the persistence on that system,” Kallenberg said.

Categories: Hacks, Malware, Vulnerabilities

Comments (5)

  1. Mike
    1

    Putting back on the motherboard a write-enable jumper it’s too difficult? A BIOS reflash doesn’t happen every other day and on a desktop machine putting another jumper is cheap. On a laptop maybe it’s more expensive, but i think that if they put some multimedi buttons, they could put a tiny switch.

    Besides, normal sdcards have a write protect tab, but newer microsd not.

    • aeza
      2

      google chromebooks do have a hardware switch for the hardware protection of a part of the flash chip that stores its firmware (which is to large extents open source based on coreboot)

  2. roastbeef
    3

    Mike,
    You missed the part about the chip clip. These guys are clipping onto the chip, so they could easily bypass a write-enable jumper. The solution to attacks like this is, no joke, epoxy around your flash chip. It makes your board nonrepairable if it dies, but it does prevent easy physical access to the firmware chip.

  3. Chris Ev ans
    4

    The write proctect jumper would at least protect against remote attacks where there was no physical access to the system.

  4. jon connell
    5

    Epoxy encapsulation yes – to cover not just the chip, but also all of the relevant data-write and enable lines into the chip – wherever they start and finish. Thermally conductive Epoxy too I would imagine – with the surface patterned to stop anyone drilling down through it to tap into your write lines. You would need to be at threat from a nation-state – or a bank – before you go to those lengths. This type of treatment is done with certain munitions already btw.

Comments are closed.