Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

LightEater Malware Attack Places Millions of Unpatched BIOSes At Risk 83

Mark Wilson writes Two minutes is all it takes to completely destroy a computer. In a presentation entitled 'How many million BIOSes would you like to infect?' at security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments. The attack could be used to render a computer unusable, but it could also be used to steal passwords and intercept encrypted data. The problem affects motherboards from companies including Gigabyte, Acer, MSI, HP and Asus. It is exacerbated by manufactures reusing code across multiple UEFI BIOSes and places home users, businesses and governments at risk.
This discussion has been archived. No new comments can be posted.

LightEater Malware Attack Places Millions of Unpatched BIOSes At Risk

Comments Filter:
  • Hardware is trusted (Score:3, Interesting)

    by Anonymous Coward on Sunday March 22, 2015 @05:15AM (#49312365)
    This was expected. A PC has many devices ready to accept new firmware at any moment. All you need is administrator access and you can start uploading new code. BIOS, HDD, DVD, even CPU microcode updates. Previously not that many have bothered, as it has been far more simple to just use some low-hanging Windows exploit. Now that Windows security has improved, blackhats have to up their game.
    • by Anonymous Coward

      To be fair, people have been exploiting hardware for decades - this isn't new, though I suppose it's new-ish (less then a decade?) for casual black hats.

      56k modem exploits back in the day were kind of useful.

    • by aaaaaaargh! ( 1150173 ) on Sunday March 22, 2015 @06:04AM (#49312457)

      It would be easy to prevent such attacks by requiring a physical switch to make any changes to the BIOS possible. But that would give power to the end users instead of big industry, and we cannot have that, can we.

      • by DarkOx ( 621550 ) on Sunday March 22, 2015 @06:14AM (#49312475) Journal

        It would be easy to prevent such attacks by KISS as well. Sticking with something a lot more like BIOS instead of a multi-Megabyte EFI mess.

        • by AmiMoJo ( 196126 ) *

          UEFI is much better than the old BIOS system. It runs ROM code from PCI/PCI-e devices in a VM, for example. While Secureboot worries a lot of people, as long as the option to load your own keys exists it's a nice security enhancement. It boots a lot faster too, due in part to ditching a lot of legacy crap that was probably full of security holes too.

          • by DarkOx ( 621550 ) on Sunday March 22, 2015 @07:35AM (#49312629) Journal

            Not sold. Sticking with something like BIOS does not mean sticking with BIOS. Its time to drop the legacy support, sure. Sticking with a small amount of boot code to fire up the storage controller and jump to boot loader, set some memory timings etc is going to more secure than a massive interactive application that UEFI is.

            Fewer inputs mean fewer inputs to sanitize and less opportunity to screw it up.

            • by Kjella ( 173770 ) on Sunday March 22, 2015 @12:52PM (#49314021) Homepage

              I think UEFI has two different tasks confused. One is to boot my OS, which should just involve pointing it to the right storage device and loading X bytes into memory. The other is to provide a system configuration environment where I can boot and other hardware settings and there I want a rich environment. I want to be able to use my USB mouse and Bluetooth keyboard in a GUI, wired and wireless drivers for PXE boot, storage and RAID drivers, you name it. Basically it is a little OS in itself, running off motherboard firmware.

              Now I have the impressions it's doing all this loading of a micro-OS with complex drivers only to finally hand over control to the real OS. Why? Maybe the OS wants to run a newer and better Bluetooth driver and now it can't because UEFI is running an old version. And if you do update the UEFI driver and break shit, you also broke your boot configuration. Just do the minimum requires to get the boot image, load it into memory and hand over control to the OS then get out of the way. If the boot fails, then you can launch the full configuration environment.

          • by sjames ( 1099 )

            I would be less worried about Secureboot if it was absolutely mandated to allow a user key and allow disabling. Alas, it hasn't been all that long and the one mandate out there (from MS) is now gone. It's interesting that it is supposed to be for the owner's benefit but typically doesn't offer a simple way for the user to bless a bootloader or OS nor does it offer a boot anyway option. Almost as if the benefit is meant for someone else.

            Perhaps the best approach would have been for the firmware to be just a

        • Somehow I always get these two mixed up.

          http://www.urbandictionary.com... [urbandictionary.com]

        • by Anonymous Coward

          It would be easy to prevent such attacks by KISS as well. Sticking with something a lot more like BIOS instead of a multi-Megabyte EFI mess.

          In other words avoiding all that systemd embodies and assimilates.

      • by Jesus_666 ( 702802 ) on Sunday March 22, 2015 @08:49AM (#49312933)
        It'd be nice if the next iteration of EFI had a more robust upgrade security design.

        Something like this: Firmware upgrades are not possible from inside the OS. At all. Instead there's a switch on the mainboard that is only accessible when the computer has been physically opened. When that switch is on, EFI will refuse to boot any OS and all onboard SATA/SCSI controllers are physically disabled. EFI will scan every USB port* for a FAT32-formatted mass storage device containing a file with a certain filename, which is then displayed for your approval, checked and installed. While the switch is off, changing the firmware should be prevented in hardware, such as by detaching a certain line required to write to the flash chip. (Settings should be stored on an unprotected chip and can be changed while the computer is bootable.)

        You're in a corporate setting and need to update 16.000 identical desktop computers all at once? Make sure the computers have an enterprise-ready mainboard that can pull the update from the network (e.g. using something similar to BOOTP). You'll still have to toggle that switch and confirm the prompt. That's as convenient as it should get; after all, if there is any chance that the firmware is modified while an OS is loaded, any successful attack on the OS leaves your firmware in a potentially compromised state.


        * Yeah, I know, USB also has infectable firmware. Unfortunately, I don't know of a reasonable mass storage standard that doesn't. And making people physically swap PROM chips won't fly.
        • by Lumpy ( 12016 ) on Sunday March 22, 2015 @09:03AM (#49313017) Homepage

          Most older server motherboards had this. you had to install a jumper to enable write for Bios upgrades. Problem is the first thing you did as a sysadmin is install that jumper and leave it there.

          • Most of the boards I am familiar with wouldn't allow a full boot if the jumper was enabled to flash. The nice thing was a recovery option where you could rename a bios extension, and it would load it automatically from the FDD. But as far as I know, it would stop the boot process if you left either setting jumped.

        • To allow us to hack your system, so don't change UEFI/EFI.

        • I would also settle for something that several of my (way old) Compaq servers had ... a second BIOS, SoftPAQ screw up your servers BIOS? Set a jump and boot from the factory fresh second BIOS (then re-flash the primary BIOS with a known good copy.) In modern systems just leave the default BIOS upgradeable (or a least require a PIN to update / trusted CA cert for enterprise deployments) and have a hardware button inside that can write the v1.0 BIOS code over the current chip. In this example the v1.0 BIOS
        • It'd be nice if the next iteration of EFI had a more robust upgrade security design.

          Something like this: Firmware upgrades are not possible from inside the OS. At all. Instead there's a switch on the mainboard that is only accessible when the computer has been physically opened. When that switch is on, EFI will refuse to boot any OS and all onboard SATA/SCSI controllers are physically disabled. EFI will scan every USB port* for a FAT32-formatted mass storage device containing a file with a certain filename, which is then displayed for your approval, checked and installed. While the switch is off, changing the firmware should be prevented in hardware, such as by detaching a certain line required to write to the flash chip. (Settings should be stored on an unprotected chip and can be changed while the computer is bootable.)

          You're in a corporate setting and need to update 16.000 identical desktop computers all at once? Make sure the computers have an enterprise-ready mainboard that can pull the update from the network (e.g. using something similar to BOOTP). You'll still have to toggle that switch and confirm the prompt. That's as convenient as it should get; after all, if there is any chance that the firmware is modified while an OS is loaded, any successful attack on the OS leaves your firmware in a potentially compromised state.

          * Yeah, I know, USB also has infectable firmware. Unfortunately, I don't know of a reasonable mass storage standard that doesn't. And making people physically swap PROM chips won't fly.

          Some, if not most mother boards have a slot or space for tpm chip. That tpm is a smart smart card chip that can store data, can encrypt data and act like a vault. Thats a few pennies and does not require an external pair of wires to a physical switch.
          TPM = Trusted Platform Module. ( http://en.wikipedia.org/wiki/T... [wikipedia.org] )

      • No, that would be useless. Just think it through a bit.

        OK, so you have a physical switch somewhere. Bear in mind the trend in laptop design is to try and eliminate ports and switches, so Jony Ive will throw a fit if you suggest such a thing and Apple won't do it. But let's pretend the PC makers all do.

        When does the user have to press this switch? When there's a BIOS update that needs to be applied.

        How do they know there's a BIOS update to be applied? Because a message pops up on their screen telling them th

      • by dog77 ( 1005249 )
        Or make the bios completely independant of the operating system, where it runs in its own flash and memory so that it can update itself, but can not be updated by an external component. Do the same for the kernel, security key and password manager, and virus protection. Trully isolate the sensitive components in the system.
      • by Mryll ( 48745 )

        I don't know if it's that sinister. IIRC it was pretty standard practice to require a motherboard jumper change to enable updating BIOS. I think it was abandoned out of simplicity because users found it to be a pain in the ass.

  • by LazLong ( 757 ) on Sunday March 22, 2015 @05:32AM (#49312391)

    Manufacturers/vendors don't write their own BIOSs; they license them from the likes of Phoenix Technologies and Insyde. These licensors don't write a completely new BIOS and bits for each licensee, let alone for each motherboard and their variants. As such, of course there is code reuse. Imagine the probable security issues there would be if each Vendor, let alone motherboard, received a BIOS that was written from scratch. QA would be a nightmare, as would the security of the code.

    The problem isn't the reuse of code. The problem is that the code that was reused had security vulnerabilities.

    • The problem isn't the reuse of code. The problem is that the code that was reused had security vulnerabilities.

      If you have physical access to the machine, it doesn't matter. You can rewrite the BIOS. And then, yes, it is an advantage to malware authors if there's only a couple of kinds of BIOS, because their malware only has to support those kinds. So yes, reuse of code becomes a "problem" for the rest of us if viewed from that perspective. It's not clear though that life would be any better for users overall if there were more kinds of BIOS. As bad as Phoenix, Award et al can be at making BIOS that works, I shudder

      • by LazLong ( 757 )

        If you have physical access to the machine, it doesn't matter. You can rewrite the BIOS. And then, yes, it is an advantage to malware authors if there's only a couple of kinds of BIOS, because their malware only has to support those kinds. So yes, reuse of code becomes a "problem" for the rest of us if viewed from that perspective. It's not clear though that life would be any better for users overall if there were more kinds of BIOS. As bad as Phoenix, Award et al can be at making BIOS that works, I shudder when I imagine vendors rolling their own. I'll live with the disease, thanks.

        Yeah, I agree with with regards to the physical access vector. I have a background doing IT in a DOD TS/SCI environment for three years and a TS environment for eight with DOE. Our (those of use who knew what we were doing) had the philosophy that if you had physical access to a system then you could pwn it. AT DOE it wasn't our duty to design systems with any consideration of the "insider threat" unless it was for the use of FORNATs. Systems for US use relied mostly upon personnel and site physical securit

  • Terrible "Article" (Score:5, Informative)

    by txoof ( 553270 ) on Sunday March 22, 2015 @06:10AM (#49312471) Homepage

    The "article" is three paragraphs and a few quotes full of FUD. There's no real information in there; it contains no good suggestions as to how to check for or deal with bios infections. It takes three clicks to get to a site that actually has some of the research, but that's just a static page listing conference topics. Don't waste another minute on this nonsense.

  • by Thor Ablestar ( 321949 ) on Sunday March 22, 2015 @06:38AM (#49312525)

    Soviet hackers have known something VERY similar for some time:
      https://xakep.ru/2011/12/26/58... [xakep.ru] (In Russian but you can try Google translation).

  • So you need admin and be able to install a dodgy kernel module to trash the machine. Then again, if you got that far, a 2lb hammer would suffice without needing to know anything about computers/kernels/modules.
    • Problem is NOT the trashed computer - you can simply buy a new one. Problem is that the 3-letter agencies can use this mechanism to covertly collect information about YOU, which may possibly land you in GULAG. And it seems it's quite difficult to detect this leakage.

      • by Lumpy ( 12016 )

        No it's trivial to detect the leakage. the packets have to go over the lan... Or are they reconfiguring the chips to become a quantum entangled radio?

  • Ironically (Score:1, Interesting)

    by Anonymous Coward

    The one company that got suckered into doing Superfish is also pretty much the one company that has an immune UEFI: Lenovo.

    Lenovo system x development actually writes their own firmware rather than going to AMI or someone. They also take directions from a very strict security team that has made them harden against this class of attack for years now (it wasn't a live vulnerability, but the general attack vector has been theorized for a long time).

    Of course, this is the system x team specifically (Servers th

  • Better link (Score:5, Informative)

    by Psychotria ( 953670 ) on Sunday March 22, 2015 @08:52AM (#49312961)

    http://conference.hitb.org/hit... [hitb.org]

    Better apart from being a damn slideshow

    • Bah to that. I prefer to have stories filtered through at least two poorly informed sources and then commented on by the clueless masses.
  • Seeing how the the article is so dense with real content and references, what makes this different from CIH http://en.wikipedia.org/wiki/CIH_computer_virus [wikipedia.org] ?

    This infection was sometimes a real bitch to fix as you had to hunt for the exact bios for the device (which wasn't an easy task), remove the eeprom and flash it. An real PITA and one that Joe Sixpack couldn't fix. A real nasty infection.

    • I have repaired a CIH long time ago. I installed an UV EPROM instead of Flash. There was a problem: Each time the computer booted up, it checked the saved config, reported an error and rebuilt the config. It took time but at least it worked. I believe the modern config is too big for this hack.

  • physical access = game over. when this can be spread remotely, then I'll start freaking out.

  • Has anyone gotten a hold of a complete list of the manfacturers/vendors whose products are affected by this? The way this has been worded there are more than the five mentioned in the summary text. Have products from any vendors been found to be "safe". (At least, so far?) And what versions of BIOS have been found to be vulnerable?

  • Maybe now people can have *informed* opinions? Slides here: http://legbacore.com/Research.... [legbacore.com]

You know you've landed gear-up when it takes full power to taxi.

Working...