New Intel Firmware Boot Verification Bypass Enables Low-Level Backdoors (csoonline.com)
itwbennett writes: At the Hack in the Box conference in Amsterdam this week, researchers Peter Bosch and Trammell Hudson presented a new attack against the Boot Guard feature of Intel's reference UEFI implementation, known as Tianocore. The attack, which can give an attacker full, persistent access, involves replacing a PC's SPI flash chip with one that contains rogue code, reports Lucian Constantin for CSO. "Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information," writes Constantin. Intel has patches available for Tianocore, but as we all remember from the Meltdown and Spectre vulnerabilities, distributing UEFI patches isn't an easy process.
SPI flash chip? (Score:2)
What if they use some other interface to connect the flash that the BIOS is on? Can you still use this attack?
Lames. That's as dumb as when people were flashing Xbox BIOS and it was called a "TSOP reflash".
Re: (Score:2)
What if they use some other interface to connect the flash that the BIOS is on? Can you still use this attack?
No, then the CPU won't boot.
Because nobody is using parallel, LPC, or FWH interfaces to the BIOS flash? SPI is simply the cheapest option, it's not the only or best.
Re: (Score:2)
SPI flash chips(in the package types commonly sold) have the advantage(to the attacker or the tinkerer, and to the OEM and cost-conscious customer) of being a discrete part that's pretty trivial to swap; and sufficiently standardized that changing vendors or capacities(up to a point; not going to replace eMMC or SATA DoM; but if you nee
Re: (Score:2)
"TSOP reflash"? That one is special! Could have called it "Epoxy reflash" or "Copper reflash". Also, any halfway competent security expert knows that a competent attacker with physical access has usually won.
Save it for the draconian 'DRM' (Score:1)
We may need this hack to deal with the "brave new world" we are being monstered into.
bullshit (Score:4, Informative)
Re:bullshit (Score:4, Interesting)
Heck, in this day and age you don't even need to touch a PC; just have physical access to the office to put in a little camera to watch the screen, a microphone for phone calls, etc. Just sub for the guy that changes light bulbs or works on HVAC... or vacuums and empties wastebaskets after hours. How about slapping a fake access point or smoke detector on the ceiling? Most people don't even pay attention to that stuff.
Re: (Score:2)
You're living in 1980s movies (Wall Street). Military corporations and major banks do background checks on employees of outsourced infrastructure maintenance companies.
Re: (Score:2)
Casinos don't. Ask me how I know.
Re: (Score:2)
I don't work for a casino. I'm an electrical/data contractor. I run the power, category wire, and fiber, and also terminate it all. I basically have free rein when I'm there.
Re: (Score:2)
You are living with your head up your ass if you imagine the illegal aliens these cleaning companies in the major cities employ really had a proper background check. Just like they didn't have their citizenship checked when their amigos at the DMV gave them a driver's license.
Re: (Score:2)
The entire point of firmware boot verification is to prevent exactly what you describe.
It is hardware that protects you from the software versions of those attacks.
Not the hardware versions. Which they can install if they have enough access to do this.
Re: (Score:1)
How would that prevent a hardware key logger inserted between the keyboard and the PC (or inside the keyboard)?
Or a 'smoke detector' that can see over your shoulder?
Given what the after hours cleaning people get paid, it wouldn't be that expensive to get one of them to let you borrow his jumpsuit and cover his shift for a night.
Re: (Score:2)
People also tend to forget, when you connect your computer to the internet, the entire internet becomes a part of your hardware system. Simple rule of thumb, want it secure, do not connect it to the internet, internal network only. There is no reason internal work computers need to have anything at all to do with external communications computers, entirely separate networks and entirely separate devices.
Some companies do need a bridge between the two, but that bridge should be a separate and specific system.
Re: (Score:2)
Easy. Go back to the dumb terminal days. Hard to plug a flash drive into that 3270 terminal.
Re: (Score:1)
So nobody can get past security, ask the cleaner, take an elevator to the "physically open your machine" part of the building.
Why risk the network seeing "exfiltrate information" attempts when the person can walk back in a week later and collect the data?
The huge firewall detected nothing.
Re: (Score:2)
Doesn't stop a laptop, a CH341A and a chip clip.
Stupid (Score:3)
Clearly this is dumb.
I discovered a vulnerability on Intel machines this morning. If I have physical access to a machine and have a USB thumb drive, by issuing the copy command I can easily transfer files from the hard disk to the thumb drive!
Talking to the uninformed media this morning, I said "Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information."
Re: (Score:2)
I said "Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information."
Funny, that's exactly what the guy with the wrench said!
Great TAO attack (Score:4, Interesting)
This is an ideal Tailored Access Operations [wikipedia.org] attack because all you have to do is intercept the computer before it's delivered and reprogram a couple of chips. I'm sure the NSA has used this attack already, and because it requires physical access nobody is making a big fuss to push out the fix.