Security Industry Incapable of Finding Firmware Attackers

New submitter BIOS4breakfast writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is: when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?"

Least interest

[i kan reed]

The thing is, while these are the hardest to fix and address of attacks, they're among the least useful for attackers. You can't spam people from BIOS. You can't really keylog and transmit over TCP from BIOS.

The operating system is as useful to attackers as it is to us other programmers.

Re:

[flyingfsck]

Wrong. All an infected BIOS call needs to do is launch a process that will keep running and do its damndest when the system is up.

Re:

[K. S. Kyosuke]

The problem is, firmware is *tiny*. There is only so much it can be capable of. No matter how much ingenuity the attackers will put into its programming, the attack won't be able to survive aggressive threat mitigation actions such as airgapping the computer. Even recording and monitoring all the incoming and outgoing network traffic and using the computer in a sufficiently restricted way would at least tell you if something is going on. It's like with submarines, they're only stealthy until they pump out a

Re:

[cheater512]

Have you seen newer motherboards? They have 16mb+ of flash for the BIOS.
Oodles of room to do fun stuff in.

Re:Least interest

[icebike]

Have you seen newer motherboards? They have 16mb+ of flash for the BIOS.
Oodles of room to do fun stuff in.

And they are all infested with UEFI, the worst malware foisted upon the general public in decades.

Re:

[spire3661]

Modern motherboards (even cheap ones) can access the filesystem in BIOS.

Re:

[K. S. Kyosuke]

That's not what I had in mind. You can't cram a strong AI system into it. Without that, the machine would have to be fully connected for the exploit to be adaptive to any possible attack mitigation technique. On its own, it can't perform miracles like adapting to software systems that didn't exist when the firmware was written (for example, a new file system, since you're mentioning that - or whole kernels, for that matter). Not without visibly breaking something.

Re:

[The123king]

And? Malware get depreciated quicker than any other type of software, due to exploited getting found and fixed. Obviously any malware targeted at firmware has an air or permanence to it, but even that will get depreciated when the hardware is replaced or firmware upgraded.

Also worth noting is it depends on the particular device being targeted. For example, the firmware in the SCADA systems Stuxnet targeted is completely reliant on the PC connected to it. Disable the PC and you effectively disable the malwa

Re:

[Anonymous Coward]

Yes you can.

Especially if the system is attached to a network with a DHCP server.

UEFI is equivalent to an OS, and is written the same way.

BIOS is a little bit more limited - but not much. You can include a DHCP client to get a local IP number.

Re:

[Jeremiah Cornelius]

Big problem with BIOS is that it is board/chipset-specific. And very tiny. Not un-doable, but not scalable.

These were some of the BIOS constraints that EFI/UEFI were created to surpass.

Re:Least interest

[EdZ]

What you CAN do is exploit an otherwise secure OS so that you CAN do those things in spite of OS-level security methods.

I miss the days of needing a move a jumper in order to flash the system ROM. I've seen plenty of gaudy 'overlocking' boards with push-buttons on the motherboard itself for various esoteric functions. A toggle-switch for BIOS-write-enable would be a relatively cheap addition, and manufacturers can market the board with some extra security buzzwords.

Re:Least interest

[rtb61]

Which means basically when they start intercepting hardware between the manufacturer and the user, security becomes an impossible mind fuck. Once it all shifted to firmware and hardware hacks the security game is over. Parallel networks where the inside network is fully air gapped from outside networks and the building itself is secured from wireless communications. Basically all internet function are done on disposable net books, this more for typical businesses rather than internet business. Apparently Russian security has gone back to typewriters and hard copy for the most secure documents, actual physical penetration is required. With the NSA continuing to fuck around with security, how long will it be before banks go back to manual systems and internet banking becomes a memory.

Re:

[K. S. Kyosuke]

and internet banking becomes a memory.

That depends. No level of compromising your (general purpose) computer should be able to defeat the security of your manually operated hardware token/calculator.

Re:

[psydeshow]

and internet banking becomes a memory.

That depends. No level of compromising your (general purpose) computer should be able to defeat the security of your manually operated hardware token/calculator.

Attacker has control of my computer. I read a number off my MFA device and input it into the bank's form along with my username and password.

Now attacker has a banking session they can do whatever they want with. How has having a hardware token prevented them from attacking me?

Re:

[K. S. Kyosuke]

No, they can't. At most they would be able to, say, view your account balance etc., but the token can be (and most of the time is) used to authenticate any transaction based on its input values (how much to transfer, where, with what payment codes etc.).

Re:Least interest

[Anonymous Coward]

Nice try, but it runs in ring 0, so it can jump into the kernel anywhere it wants.

Re:

[some old guy]

Seconded. Hear, hear!

Re:

[andyhhp]

Nice try, but it runs in ring 0, so it can jump into the kernel anywhere it wants.

Worse than that after boot, the BIOS runs in System Management Mode, which is delberatly designed to be non-interceptable by the OS.

Re:

[Phreakiture]

The NSA implant known as SOUFLETROUGH allegedly uses SMM and is even referenced on the SMM page on Wikipedia [wikipedia.org].

Re:

[K. S. Kyosuke]

Well, that's what you get for still using a C-64. ;-)

Re:

[icebike]

The BIOS has bare back access to the hardware. Why cant it log the keyboard and dump it out the Ethernet? Why cant it access the ram directly?

The term you were looking for is "bare metal".
Bare back is something totally different.

Re:

[climb_no_fear]

Sorry, but "bare back access" was so titillating that it distracted me from finishing the rest of your post...

Then there are remte admin tools such as Intel AMT

[Ungrounded Lightning]

The BIOS has bare back access to the hardware. Why cant it log the keyboard and dump it out the Ethernet? Why cant it access the ram directly?

Built-in threats include more than just BIOS. At least one, and probably most, chip makers build in backdoors that do exactly what you describe, and much more. It's built right into the silicon, too.

Modern laptops and desktops come with remote administration tools built into the chips on the board. (The vendors tout this as a feature, simplifying administration of a

But you can and it's useful

[dutchwhizzman]

Most bioses now have a complete TCP/IP stack for things like ipmi. Keylogging only requires a few simple routines to do as well; plenty of room to implement that in current flash chips on main boards.

Hiding in firmware makes you resilient and virtually undetectable on the "normal storage". A rudimentary base to pull next stage software in that will "bootstrap" the full malware once the OS installed is all that is needed. The full malware can be fragmented and re-use existing binaries so it won't be detected. You need a trusted platform and guaranteed "safe" steps to be able to reasonably trust your computer and when firmware contains holes or malicious code, there are plenty of people that don't work for the NSA that can actually build a competent attack for that.

Re:

[Kremmy]

Most BIOSes + NICs have that little PXE booting stack hanging out in the option ROM. It's really not that farfetched by any means.

Re:

[mlts]

On some machines, they have out of band management features, even dedicated NICs for this purpose. Get full access to a BIOS, and the machine can easily have a functioning IP stack and be at the control of an attacker even if the machine has no OS present.

Another item would be a flashable BIOS like a security issue with some Apple keyboards. Nothing beats using the keyboard controller itself for a keylogger.

Re:

[BIOS4breakfast]

Actually most BIOS (legacy or UEFI) have a network stack of some sort in order to support PXE boot. Recall that the PoC BIOS malware Rakshasa (https://media.blackhat.com/bh-us-12/Briefings/Brossard/BH_US_12_Brossard_Backdoor_Hacking_Slides.pdf) used the open source SeaBIOS and iPXE network stacks to perform networking from the BIOS. And here's a talk where some McAfee and Intel folks talked about how keylogging can be done from UEFI thanks to function pointer hooking (http://intelstudios.edgesuite.net/idf/

Re:

[Kremmy]

The vast, vast majority of personal computer units with integrated LAN cards happen to have network boot capability built in. It's been there since before they were an integrated component, even. Intel and Realtek make most of the ethernet chipsets I see around, and they both use a pretty bog standard PXE network booting stack. BIOS hackers would be acutely aware of it, I wouldn't be surprised if that's been exploited in some strikingly silly manner and used for this kind of thing.

Re: Very wrong

[imperfect cloner]

That's exactly what Mebromi malware does. Its BIOS rootkit component restores infected Master Boot Record (MBR): http://www.webroot.com/blog/20... [webroot.com]

Re: Least interest

[imperfect cloner]

BIOS malware can install System Management Mode code that logs keystrokes. Please read: http://www.phrack.com/issues.h... [phrack.com] http://www.eecs.ucf.edu/~czou/... [ucf.edu]

So we should call it 'infirmware' ?

[scorp1us]

Because you know, if it isn't secure, then it's not firm.

Re:

[climb_no_fear]

.... then it's not firm.

No, it's too easy ...

write protect

[wkk2]

A good start would be a list of hardware vendors that sell equipment that have hardware jumpers or switches that write protect the BIOS and other flash devices.

Re:

[BIOS4breakfast]

While hobbiests who use custom motherboards are familiar with write protect jumpers, they are going the way of the dodo. They've been all but phased out on OEM laptops, and are going that way on desktops too.

The important write protects are whether the BIOS configures itself as locked or not after it's booted far enough to determine there are no BIOS updates pending. You can check if your BIOS is open or closed to attackers by running Copernicus [mitre.org] or Chipsec [github.com].

Duh, what should we do?

[DriveDog]

So... open source everything, that anyone can compile to executable. Then focus on obfuscated code, about the only avenue left for malicious code. It only takes one major manufacturer to publicly announce that "we're publishing our code so that it can be verified, unlike our competitors" for it to spread to the competitors.

Re:Duh, what should we do?

[jc42]

You know who reviews open source code seriously? Fucking nobody.

Oh, I dunno 'bout dat. I recall a few years ago, getting an informative email from one of djb's folks, telling me how to exploit an open-source program that I was using in the software behind a web site that I was responsible for. I ran their test, dug into the code and fixed the problem (and several similar problems in other parts of the code), and sent them a nice letter thanking them for their help. I also forwarded their email and my patches to the author of the program, but I didn't hear back from him.

This only fails to qualify as "seriously" if you dismiss all of academia as not serious. In reality, that's where you'll find most of the people who take security seriously. You don't much find them in "industry" (as the summary puts it), for management reasons that are well-understood by pretty much anyone who has ever tried to get security problems fixed in a corporate-management environment.

Re:

[Jeremiah Cornelius]

You know who reviews open source code seriously?

Fucking nobody.

What!? You call the NSA "fucking nobody"? Maybe nobody will fuck them, but that's different...

Re:

[BIOS4breakfast]

It only takes one major manufacturer to publicly announce that "we're publishing our code so that it can be verified, unlike our competitors" for it to spread to the competitors.

OEM1 releases full source
OEM2 fires all BIOS developers and leeches off OEM1
OEM1 has the privilege of maintaining a BIOS development workforce for the benefit of their competitors

Though maybe that would work as a feint to eventually put competitors at a disadvantage ;-)

Also, believe it or not, OEMs and places like AMI, Phoenix, etc do actually try to add features down at the firmware level that their competitors don't have, to differentiate themselves and hopefully get a few more sales. E.g. recall th

Re:

[Grishnakh]

Yep, that's why everyone just uses Windows now, since it's freely available thanks to Microsoft releasing the full source code in their Shared Source program. When that happened, other companies just took it and sold it as their own.

Oh wait, that never happened.

Re:

[gtall]

Nah, competitors will steal your code and put you out of business. And publishing your code is more or less meaningless unless there's a legion of qualified people willing to examine it. And why would they do that? What's in it for them? Aside from a few big FOSS projects (Linux, et. al.), the only people looking at your code are either miscreants, your competitors, or your country's competitors.

Joe Sixpack: I wanna buy a router for my XP machines.
Eve Clerk: Well, here's a Cisco router, it works well. And h

Use a jumper

[techno-vampire]

I can remember when there was a jumper on the motherboard that had to be shifted before it was possible to flash the firmware. If all motherboards had that, the only way an attacker could get malware into the BIOS (or whatever other firmware they wanted to target) would be by tricking the user into changing the jumper. Not only that, many of the users who'd be foolish enough to fall for that kind of trick wouldn't have the confidence to open up their box and play with the hardware. Not all, of course, but then, no security measure is 100% effective.

Re:

[scorp1us]

While I am not an expert, I don't believe that we're just talking about reflashing here. It is possible that the firmware relied on to perform operating system functions in exploited all the way back in user-space. Some program gets some arguments from somewhere that get passed on to the kernel level, the kernel then passes that to the hardware and voila, exploited.

Re:

[techno-vampire]

No, what you're thinking of is drivers. Firmware [wikipedia.org] is held in non-volatile memory and executed there so that it's ready to be used the moment the device is turned on, and so that it can't easily be modified.

Re:

[scorp1us]

And what do the drivers communicate with? The firmware.

Your normal device will provide a memory mapped structure to the device where values are read and stored. They use IOCTLs to command the hardware usually through interrupts. The Firmware has the corresponding data structure on its side. I'm not an expert but I have written a kernel driver or two, but not recently.

Re:

[techno-vampire]

And what do the drivers communicate with? The firmware.

Well yes, of course. However, drivers tend to be OS specific, and can be reloaded fairly easily if infected. TFA is talking about getting malware into the firmware, which has to be OS agnostic and is somewhat harder to disinfect.

Re:

[Sam Cornwell]

Yeah that's basically right. UEFI specifies the need for the storage of non-volatile variables for some configuration or metadata (which can be modified from admin userland as you said). All of the BIOSes I've seen have used the flash chip itself to store this data, therefore the chip must be modifiable and a jumper would not work with these designs. There are mechanisms that can be used to allow writability of certain regions of the chip, but often they are not used. Even when they are used, there are

Re:

[mlts]

I remember that as well. Yes, it is easier to just double-click a program and have it flash a BIOS... but it is nice to have security not just relying on 1-2 crypto signatures which might be compromised.

If not a hardware jumper, perhaps a dedicated mode in firmware where the machine needs rebooted to. Then a UEFI application can be run for the actual BIOS upgrade where it would display the would-be firmware's cryptographic hash (preferably both SHA-3 and MD5), check and display signatures, then either hav

They're not.

[IWannaBeAnAC]

They're never going to fix this. It isn't just a matter of publishing source code, it affects the hardware too. It needs hardware protection on the flash, for example, so that you can control, at a hardware level (eg by a button on the device) whether the flash is writable.

But by now, all of the manufacturers are so infiltrated by other agencies, the NSA, foreign governments, and business interests (having the user in control of their own security directly contradicts the aims of DRM, not to mention marketing companies); this all conspires against ever having any security over your own firmware.

Build it yourself is probably the best bet. And the nice thing is that this is becoming more practical. The biggest problem is that there is no way to verify the hardware at the chip level, but with careful design it is possible to get reasonably good security without 100% trust in all of the individual components.

But for the overwhelming majority of people, who are not motivated or able to build their own, their tech is doomed to be compromised. I don't think there is anything that can be done about that. It is a political issue, rather than technical. And in all "democracies" that I can think of, the political will is against it.

Re:

[Arker]

"Disabling flash writes isn't a viable solution, since that would stop important BIOS updates as well that protect against the same problems (and you don't want your system to persist its old BIOS, that's not a good way to go)."

Having a physical read-write switch does not prevent BIOS updates, you simply turn it off when you are going to do a legitimate upgrade, and then turn it back on afterwards. It just prevents BIOS updates from being installed stealthily from a distance.

Re:

[Cryptodd]

There are foundation technologies to address this - Intel Trusted Execution Technology (TXT) and Trusted Platform Modules (TPMs). You can take measurements with TXT and store them securely in TPMs. Attesting remotely will tell you whether or not you have a good/valid/trusted system that has good/valid/trusted measurements from the TPM. This is not a lost cause, and there are companies out there taking advantage of TXT & TPMs to establish trust. This can shrink the perimeter down to the CPU. If yo

Attacks on UEFI...

[Obfuscant]

Would that include "attacks" that allow OSs other than the officially state-approved and certificate-signed ones to be booted. Like that hacker-prone and highly illegal "Linux" thing I've been hearing about? I'm glad that researchers are protecting us against such flim-flammery and obviously dangerous stuff.

Re: SecureBOOT not secure

[Sam Cornwell]

You're conflating a lot of things.

-Secure boot is a UEFI protocol not a Windows 8 feature
-UEFI secure boot is part of Windows 8 secured boot architecture
-Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
-OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
-Microsoft does not mandate or

Visibility

[maz2331]

There is really no way for any code running on top of another layer to verify that lower layer's integrity - it has to rely on what is reported and a malicious BIOS or UEFI layer can simply just lie to it. Hell, it's possible for a low-level hypervisor to run another, clean, BIOS/UEFI and simply virtualize every piece of hardware in the box. Likewise, it can block visibility of any traffic going in and out that it desires. This type of security has to happen at the network level instead - something outside of the device has to detect the suspicious traffic that such an attack must generate in order to be useful. That in turn requires that the networking gear has to be trustworthy and not itself owned by the attacker or have any backdoors installed at the factory (or chip maker, or etc etc).

Re:

[blueg3]

There is really no way for any code running on top of another layer to verify that lower layer's integrity - it has to rely on what is reported and a malicious BIOS or UEFI layer can simply just lie to it.

Theoretically, yes. Practically, it's often not that easy to "just lie to it". (So, in practice, it becomes an arms race of effort just like everything else.)

For example:

Hell, it's possible for a low-level hypervisor to run another, clean, BIOS/UEFI and simply virtualize every piece of hardware in the box.

That's easy to detect through timing attacks, it turns out. You would also have to be very careful to exactly replicate the behavior of the hardware you're virtualizing, or that's detectable, too.

something outside of the device has to detect the suspicious traffic that such an attack must generate in order to be useful

Now, talk about difficult problems! The easy part would be having trustworthy networking gear. The hard part would be that "detect the suspicious

Re:

[Cryptodd]

You can validate the system is in a known, good state at boot-time, but that does not apply at run-time. You can use Intel Trusted Execution Technology (TXT) to measure the system is in a known, good state and store those measurements in the Trusted Platform Module (TPM). When you attest remotely, if the whitelist values do not match, you do not admit the system into your infrastructure. This approach can take measurements up to the VM-layer (hardware/firmware/BIOS/hypervisor). There are solutions to att

OS is too hard also

[CloneRanger]

This is on the heels of an announcement by NIAP that common criteria evaluation of operating systems is too hard:
https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/GPOS%20Position%20Statement.pdf

incentives

[Chrisq]

t we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence.

I bet the NSA can give a lot of incentives to companies not to look for or remove firmware back-doors - or even to introduce them. This could be carrots (lucrative contracts or info on what overseas competition is doing) or sticks (not getting the government contract or the CIO's wife finding out what he said in those phone-calls to his secretary).

Re:

[gman003]

It doesn't even have to do anything sinister - just say "if you want , we need to be able to audit your source code". They find the security holes themselves, tell the vendor about one or two minor ones to hide their intentions, then use the flaws they didn't disclose to hack others. The vendor wouldn't see anything that makes the NSA look even remotely sinister. Best part is that the vendors who aim for US government contracts, particularly ones needing security audits, will be the ones aiming for other go

When are security companies going to get serious?

[oDDmON oUT]

When the kickbacks dry up.

When? Well, never.

[computational super]

When are they going to start taking security seriously? When consumers are willing to pay more money for more secure devices. So, never.

Re:

[Lumpy]

Why do I have to pay more? I suggest they make less obscene profits and lower executive wages to cover the cost of doing business.

Re:

[amorsen]

Can you point me to a signed firmware image which is in a known, good state? One that has been properly independently audited by someone who can be reasonably assumed to not be under the influence of the NSA?

When?

[ArhcAngel]

when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?"

As soon as someone with a powerful attorney and deep pockets gets hacked via this vector and sues the OEM into oblivion would be my guess.

There is no Binary choice

[WillAffleckUW]

You said they either find the firmware hackers or they don't.

You missed the "it's a feature, not a bug" solution.

Please go back to Logic School.

obvious answer is obvious

[Charliemopps]

When is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?

When the NSA stops paying them to ignore it.

The industry is full of shit.

[Lumpy]

they CAN deal with this. require a physical jumper on the device to be moved for firmware loading. all devices leave the factory blank and they flash their firmware in house when they arrive.

They dont want to do that, they want the 100,000 items to ship from china and never be touched again. Boo Hoo. man up and touch every item state side to protect your products integrity.

The CEO's bonus check would cover the required costs.

Comment on this story...

[sgt_doom]

Just a thought: Intel and MITRE are both Rockefeller companies (the majority share holders in both Apple and Intel were originally the Rockefeller family, by way of Laurence Rockefeller, and I've yet to see anything suggesting that has changed). And, the owners of the semiconductor company (Freescale Semiconductor) well-represented on that missing Malaysian MH 370 flight are the Blackstone Group and Carlyle Group (Blackstone Group began with seed money from David Rockefeller, and its co-founder, Peter G.

Hardware gap

[C18H27NO3]

At least one of the systems I've owned in the past required a jumper to be set before BIOS could be written to/flashed/modified.
I thought that was a boon and would certainly defeat any nefarious flashing. Something like that should be standard.

Chromebooks

[lprofile001]

Google tries to get security right for Chromebooks. A read-only portion of the firmware authenticates the read-write firmware. The read-write firmware must be signed by google. You must disassemble the machine to flash the read-only firmware.

I can tell you where they are

[Trogre]

I have seen some particularly nasty malware hidden in many BIOSes recently. The payload has the effect of preventing you from installing legitimate operating systems on your own computer without paying large amounts of money to an extortion operation.

So far I have traced the perpetrators as far as Redmond, WA.

I know where they are

[Trogre]

I have seen some particularly nasty malware hidden in many BIOSes recently. The payload has the effect of preventing you from installing legitimate operating systems on your own computer without first paying large amounts of money to a large extortion group.

Through my research I have managed to trace the perpetrators to Redmond, WA.