Researchers Demo BIOS Attack That Survives Disk Wipes

suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS-level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."
  • by davidwr ( 791652 ) on Monday March 23, 2009 @09:45AM (#27297317)

    If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.

    If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.

  • I think the point is that once this happens you cannot fix it by reflashing the BIOS.
  • by Anonymous Coward on Monday March 23, 2009 @09:53AM (#27297419)

    We've had evil viruses around for a while. Anyone remember

    W95.CIH [symantec.com]? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.

    Computers are still chugging along fine. This will probably end up breaking more computers than it ends up hijacking. A broken computer is one that gets flagged and fixed or thrown away.

  • Re:No surprise (Score:4, Insightful)

    by jellomizer ( 103300 ) on Monday March 23, 2009 @09:58AM (#27297503)

    Them Old Time Viruses ran with a lot less than what modern BIOSes have, so I wouldn't focus too much on size to save us.
    When the virus initially runs it is probably going from the hard drive to the RAM, which can fit a LOT of configurations to break into a lot of BIOS manufacturers.

  • by wvmarle ( 1070040 ) on Monday March 23, 2009 @10:03AM (#27297569)

    Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.

    It makes me wonder more why a motherboard doesn't have a jumper that disables BIOS updates. That would be quite a strong safety measure. Anyone capable of knowing why, and how, to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.

  • by wastedlife ( 1319259 ) on Monday March 23, 2009 @10:10AM (#27297651)

    This is why there should always be 2 copies of the BIOS. One that is physically read-only and contains the BIOS as shipped. And another writable one that can be disabled with a jumper. If your BIOS is corrupted or hijacked, you could always go back to the backup BIOS and restore.

    An alternative would be replaceable BIOS chips like the ones from the days before writable BIOS. If a customer gets a BIOS corruption or virus, they could call and order a replacement and not have to buy a whole new mobo. That would also be a good way to distribute BIOS updates to people afraid of bricking their system.

  • by kinnell ( 607819 ) on Monday March 23, 2009 @10:45AM (#27298151)

    (although I couldn't see how it can survive a re-flashing.)

    Presumably reflashing the BIOS is normally performed by code within the BIOS. If you can corrupt the code in the BIOS you would have control over the flash programming, so could prevent the user from overwriting the infected blocks. I doubt this refers to physically removing the PROM and reflashing with an external programmer.

  • by wastedlife ( 1319259 ) on Monday March 23, 2009 @11:02AM (#27298401)

    Probably most customers didn't care about the feature compared to what it cost to implement. I do wish this was standard though.

  • Does anyone use EFI outside of Apple and IA64-based machines?
    Microsoft doesn't support EFI, even though Vista promised support for it... EFI is really only of benefit to run OSX or possibly Linux.

  • by sjames ( 1099 ) on Monday March 23, 2009 @11:22AM (#27298675)

    Because adding that useful safety feature might cost a WHOLE NICKEL!!

    Similarly, I have seen a number of chipsets where the top and second from top erase blocks can be swapped just by pulling a logic line down (with a jumper for example). The idea is that even a screwed up re-flash of the boot block can be recovered easily just by setting a jumper.

    Too bad I have NEVER seen a board that actually hooked that line up nor a BIOS image that had a second emergency boot sector programmed.

  • by MarkvW ( 1037596 ) on Monday March 23, 2009 @11:27AM (#27298757)

    You're being watched . . .

  • by Lost Race ( 681080 ) on Monday March 23, 2009 @11:47AM (#27299079)

    Or a friggin' write-protect jumper on the flash, which is actually present in the PCB wiring of most motherboards but 99% of the time the manufacturer is too cheap to solder on the pins. Actually it's not the 1 cent manufacturing cost they save but the zillions of tech support calls from clueless users desperate to reflash their BIOS (usually for no good reason) but unable to locate the WP jumper with both hands and a map.

    Hardware flash WP has been high on my list of mobo spec priorities for years but it's nearly impossible to find, since that's not an advertising bullet on the spec sheet. This is huge for systems that play different roles with interchangeable cold-swap system drives. If I'm running an untrusted sandbox system on a scratch drive and some malware silently infects the flash BIOS, that system is now untrustable even with a system drive swap, which totally sucks in testing/development labs. If I could just set a jumper and permanently write-protect the BIOS that problem would go away.
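kinnell's point above (a reflash from inside the OS goes through programming code that the resident BIOS itself supplies) and Lost Race's point about a hardware write-protect jumper are easiest to see side by side in a small model. The C program below is an added illustration written for this page; it is not the researchers' code or anything from the CanSecWest paper. The flash layout (eight 16-byte erase blocks with the boot block on top), the 0x11 vendor-image fill and 0xEE "infected" fill, and the routine names are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a BIOS flash part: NBLOCKS erase blocks of BLOCK bytes each,
   plus the state of the hardware write-protect pin. Layout is assumed for
   the example, not taken from any real part. */
#define NBLOCKS  8
#define BLOCK    16
#define BOOT_BLK (NBLOCKS - 1)   /* assumed: top block holds the boot block */

typedef struct {
    uint8_t data[NBLOCKS][BLOCK];
    bool    hw_write_protect;    /* the (often unpopulated) WP jumper */
} flash_t;

/* Signature of the block programmer the resident BIOS exposes to an in-OS
   update tool. A clean BIOS and a patched one differ only in which routine
   is installed behind this pointer. */
typedef bool (*program_fn)(flash_t *f, int blk, const uint8_t *src);

/* Clean programmer: honours the WP pin, otherwise writes the block. */
static bool program_block_clean(flash_t *f, int blk, const uint8_t *src)
{
    if (f->hw_write_protect)     /* pin asserted: nothing in software can lift it */
        return false;
    memcpy(f->data[blk], src, BLOCK);
    return true;
}

/* Patched programmer: identical, except it silently preserves the block that
   carries its own code and still reports success, so the update "works". */
static bool program_block_infected(flash_t *f, int blk, const uint8_t *src)
{
    if (f->hw_write_protect)
        return false;
    if (blk == BOOT_BLK)
        return true;             /* skip own block, lie about the result */
    memcpy(f->data[blk], src, BLOCK);
    return true;
}

/* Naive reflash tool: trusts the return codes of whatever programmer the
   BIOS handed it. image is NBLOCKS*BLOCK bytes. */
static bool reflash(flash_t *f, program_fn prog, const uint8_t *image)
{
    for (int b = 0; b < NBLOCKS; b++)
        if (!prog(f, b, image + b * BLOCK))
            return false;
    return true;
}

/* The check worth doing after any reflash: read the part back and compare it
   with the image you meant to write. Returns the number of differing blocks. */
static int verify_readback(const flash_t *f, const uint8_t *image)
{
    int bad = 0;
    for (int b = 0; b < NBLOCKS; b++)
        if (memcmp(f->data[b], image + b * BLOCK, BLOCK) != 0)
            bad++;
    return bad;
}

/* Scenario 1: an already-patched part is reflashed from inside the OS.
   Returns the number of blocks that still differ from the vendor image. */
int scenario_software_reflash(void)
{
    uint8_t vendor[NBLOCKS * BLOCK];
    memset(vendor, 0x11, sizeof vendor);          /* constructed vendor image */
    flash_t f = { .hw_write_protect = false };
    memcpy(f.data, vendor, sizeof f.data);
    memset(f.data[BOOT_BLK], 0xEE, BLOCK);        /* patch already resident */

    bool reported_ok = reflash(&f, program_block_infected, vendor);
    int bad = verify_readback(&f, vendor);
    printf("software reflash: tool reported %s, %d block(s) still differ\n",
           reported_ok ? "success" : "failure", bad);
    return bad;                                   /* 1: the boot block survived */
}

/* Scenario 2: a clean part with the WP jumper set. Returns true when the
   attempted write is refused and the part is unchanged. */
bool scenario_hw_write_protect(void)
{
    uint8_t vendor[NBLOCKS * BLOCK];
    memset(vendor, 0x11, sizeof vendor);
    flash_t f = { .hw_write_protect = true };
    memcpy(f.data, vendor, sizeof f.data);

    uint8_t evil[BLOCK];
    memset(evil, 0xEE, sizeof evil);              /* what malware would try to write */
    bool written = program_block_clean(&f, BOOT_BLK, evil);
    return !written && verify_readback(&f, vendor) == 0;
}

int main(void)
{
    scenario_software_reflash();
    printf("hardware write protect held: %s\n",
           scenario_hw_write_protect() ? "yes" : "no");
    return 0;
}
```

Two caveats follow from the model. First, the naive tool reports success in scenario 1 because it believes the programmer's return codes; the only thing that exposes the surviving block is reading the part back and comparing it against the intended image. The model reads the flash array directly, but on a real machine a BIOS that controls the programming path can usually also control the read path, which is why kinnell's external programmer is the trustworthy way to do that comparison. Second, in scenario 2 neither the clean nor the patched routine can write while the pin is asserted, which is exactly the property Lost Race wants from a populated WP jumper: the protection lives in the hardware, not in code that the suspect firmware supplies.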

  • by davidwr ( 791652 ) on Monday March 23, 2009 @12:21PM (#27299689)

    The fact that this was allowed to happen is clearly a defect in design, materials, or workmanship.

  • Re:Intel only? (Score:4, Insightful)

    by Zebedeu ( 739988 ) on Monday March 23, 2009 @01:16PM (#27300633)

    Better question is what typeof BIOS?

    Your many hours of programming C/C++ betray you :-)

  • by hesaigo999ca ( 786966 ) on Monday March 23, 2009 @01:17PM (#27300659)

    It all depends on the BIOS of the machine, which is not supposed to be accessible while the OS is running. Some of the newer ones might be, but in the early 2000s we saw some machines coming out with a BIOS that was not reachable by the OS; only when you booted from disk could you do a firmware upgrade. I blame the community for pushing to have everything "easy"... is it not easier to be able to update the BIOS from inside the OS? I say no, it is not a task you should be doing so easily anyway; flashing a BIOS is a last measure, and updating the BIOS (especially if you can easily brick a computer) is not something to be done often.

  • Re:Intel only? (Score:2, Insightful)

    by mikiN ( 75494 ) on Monday March 23, 2009 @03:54PM (#27302763)

    I wonder how many mainboards are out there which have their Flash write protect disabled straight from the factory. Many people probably don't even know their system has one ("Jumper, whaddoyoumean jumper. I know that movie, but that's probably not it."). Shudder...

  • Re:super-pwned (Score:3, Insightful)

    by Bent Mind ( 853241 ) on Tuesday March 24, 2009 @02:17AM (#27308563)

    Every motherboard I've ever worked with either had a BIOS reset jumper or the CMOS battery was removable.

    You've never worked on a laptop.
