The ability to hack into the BIOS chip at the heart of any computer is no longer exclusive to the NSA or other three-letter services. Millions of machines contain key BIOS vulnerabilities that allow anyone with mediocre hacking skills to gain control of a system secretly, according to two researchers.
The revelation comes two years after the NSA tools exploded and they surprised everyone in the way they can infect the BIOS firmware with malicious implants.
It makes BIOS boot on a computer and helps to load the operating system. With infected this basic software, which works before loading antivirus and other security products, is virtually invisible and spies can find space to do as they want. They can say to plant malicious software that remains alive and unnoticed even if it is formatted on the computer's operating system.
BIOS-hacking until now has largely been the domain of advanced hackers like those of the NSA. But researchers Xeno Kovah and Corey Kallenberg presented a PoC at congress CanSecWest in Vancouver, showing how they could remotely infect the BIOS of multiple systems using a series of new vulnerabilities that took them just a few hours to uncover. They also found a way to grant high-level system privileges to the BIOS malware to compromise the security of specialized operating systems, such as the Tails operating system used by journalists and activists to handle sensitive data.
Although most BIOS have protection to prevent unauthorized modifications, researchers have been able to bypass them by reflashing the BIOS by implanting their malicious code.
Kovah and Kallenberg recently left MITRE, a government contractor that conducts research for the Department of Defense and other federal agencies, to start LegbaCore, a firmware security consultancy. They note that the recent discovery of a firmware-hacking tool by its researchers Kaspersky Lab makes it clear that firmware hacking like their BIOS demo is something the security community should make an immediate priority.
Επειδή πολλά BIOS χρησιμοποιούν τον ίδιο κώδικα, ήταν σε θέση να αποκαλύψουν τρωτά σημεία στο 80 τοις εκατό των υπολογιστών που εξέτασαν, όπως συστήματα της Dell, της Lenovo και της HP. Τα τρωτά σημεία, ήταν πολύ εύκολο να ανακαλυφθούν καθώς έγραψαν ένα script αυτοματοποιώντας την διαδικασία. Τελικά σταμάτησαν την καταμέτρηση ευπαθειών γιατί ανακάλυψαν ότι υπήρχαν πάρα πολλά.
An attacker could potentially compromise the BIOS in two ways, through remote exploitation by the delivery of code by e-mail, phishing or some other method, or through physical access to the system. In this case, the researchers found that if they had physical access to a system they could infect the BIOS on certain machines in just two minutes. This shows how fast and how easy it would be, for example, for an employee of a service that has physical access to systems to endanger the entire service-company.
Their malware, named LightEater, uses vulnerabilities to do hijack the mode του συστήματος διαχείρισης για να κερδίσει αυξημένα προνόμια στο σύστημα.
System management mode, or SMM, is the operating mode of Intel's processors that use the firmware to perform certain features with high-level system privileges that even outweigh the administrator privileges, says Kovah.
Using this feature, they can rewrite the contents of the BIOS chip to install their own implant that gives them a persistent and invisible access. From there, they can install root kits and steal passwords and other data from the system.
But most importantly, the SMM gives their malware to read all the data and the code that is displayed in the machine's memory. This allows their malware to overturn any computer using the Tails privacy system. O and journalist Glenn Greenwald use the Tails to handle NSA documents leaked by the first. By reading the data in memory, hackers can steal the encryption key of a Tails user and read all the encrypted data. Tails runs from a secure USB flash drive or other removable media, so in theory it can not be affected by viruses or other malicious software that can infect the computer. It works in the computer memory and when the operating system shuts down, Tails deletes the RAM to clear any traces of its activity. However, because LightEater malware uses the system management feature to read the contents of memory, it can grab data from the memory and store it in a safe place before the Tails delete them.
Such an attack shows that the operating system chosen by Edward Snowden to protect himself can not really protect him from the NSA or anyone else performing an attack with LightEater.
