BIOS hacking is no longer exclusive to the NSA

The ability to hack the BIOS chip at the heart of any computer is no longer exclusive to the NSA or other three-letter agencies. Millions of machines contain key BIOS vulnerabilities that allow anyone with mediocre hacking skills to secretly gain control of a system, according to two researchers.
The revelation comes two years after the NSA tools came to light and surprised everyone with the way they could infect BIOS firmware with malicious implants.

The BIOS boots the computer and helps load the operating system. Once this basic software, which runs before antivirus and other security products load, is infected, the infection is virtually invisible and spies have free rein to do as they please. They can, for instance, plant malware that stays alive and unnoticed even if the computer's operating system is reinstalled.

BIOS hacking to date has been largely the domain of advanced hackers like those of the NSA. But researchers Xeno Kovah and Corey Kallenberg presented a proof of concept at the CanSecWest conference in Vancouver, showing how they could remotely infect the BIOS of multiple systems using a series of new vulnerabilities that took them just a few hours to find. They also found a way to grant high-level system privileges to BIOS malware in order to undermine the security of specialized operating systems, such as the Tails operating system used by journalists and activists to handle sensitive data.

Although most BIOSes have protections to prevent unauthorized modification, the researchers were able to bypass them and reflash the BIOS with their malicious code.

Kovah and Kallenberg recently left MITRE, a government contractor that conducts research for the Department of Defense and other federal agencies, to start LegbaCore, a firmware security consulting firm. They note that the recent discovery of a firmware-hacking tool by Kaspersky Lab researchers makes it clear that firmware hacking like their BIOS demo is something the security community should make an immediate priority.

Because many BIOSes share the same code, they were able to find vulnerabilities in 80 percent of the ones they examined, including systems from Dell, Lenovo and HP. The vulnerabilities were very easy to discover because they wrote a script that automated the process. Eventually they stopped counting vulnerabilities because they found there were too many.

An attacker could potentially compromise the BIOS in two ways: through remote exploitation, by delivering code via e-mail, phishing or some other method, or through physical access to the system. In the latter case, the researchers found that with physical access they could infect the BIOS on certain machines in just two minutes. This shows how quick and easy it would be, for example, for a service employee with physical access to systems to endanger an entire organization.

Their malware, named LightEater, uses the vulnerabilities to hijack the system management mode and gain elevated privileges in the system.

System management mode, or SMM, is an operating mode of Intel processors that the firmware uses to perform certain functions with high-level system privileges that exceed even administrator privileges, says Kovah.
Using this mode, they can rewrite the contents of the BIOS chip to install their own implant, which gives them persistent and invisible access. From there, they can install rootkits and steal passwords and other data from the system.
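The reflash protections mentioned above are, on many Intel platforms, a handful of bits in the chipset's BIOS_CNTL register; the example below is added here (it is not code from the article or from the researchers) and decodes that register from a PCI config-space dump of the LPC bridge to report whether the BIOS region is locked against writes, including writes from outside SMM. The register offset (0xDC), the device address (00:1f.0) and the bit positions are taken from the public datasheets for older Intel PCHs and are assumptions that must be checked against the datasheet for a given chipset; the sample dumps are constructed.

```python
# Added example: decode the Intel PCH BIOS_CNTL register (offset 0xDC in the
# LPC bridge's PCI config space, device 00:1f.0 on older Intel chipsets) to tell
# whether the SPI flash holding the BIOS is protected against reflashing.
# Bit layout follows the public Intel PCH datasheets (assumption: verify for
# your chipset; newer platforms moved this register to the SPI controller).
from pathlib import Path

BIOS_CNTL_OFFSET = 0xDC
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash region writable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes honoured only from SMM


def decode_bios_cntl(value: int) -> dict:
    """Return the protection bits and an overall verdict for one BIOS_CNTL byte."""
    bioswe = bool(value & BIOSWE)
    ble = bool(value & BLE)
    smm_bwp = bool(value & SMM_BWP)
    # Without SMM_BWP, code that can run in SMM or race the SMI handler can
    # re-enable BIOSWE; that is the weak configuration this check flags.
    if not bioswe and ble and smm_bwp:
        verdict = "protected"
    elif not bioswe and ble:
        verdict = "weak: BLE set but SMM_BWP clear"
    else:
        verdict = "unprotected: BIOS region is writable"
    return {"BIOSWE": bioswe, "BLE": ble, "SMM_BWP": smm_bwp, "verdict": verdict}


def decode_from_config_space(config: bytes) -> dict:
    """Decode BIOS_CNTL out of a raw PCI config-space dump of the LPC bridge."""
    if len(config) <= BIOS_CNTL_OFFSET:
        raise ValueError("config space dump too short to contain BIOS_CNTL")
    return decode_bios_cntl(config[BIOS_CNTL_OFFSET])


def read_live_lpc_config(path="/sys/bus/pci/devices/0000:00:1f.0/config") -> bytes:
    """Read the LPC bridge config space on Linux (root needed for bytes past 0x40)."""
    return Path(path).read_bytes()


def sample_config(bios_cntl: int) -> bytes:
    """Constructed 256-byte config-space dump (not real hardware) with one BIOS_CNTL value."""
    cfg = bytearray(256)
    cfg[BIOS_CNTL_OFFSET] = bios_cntl
    return bytes(cfg)


if __name__ == "__main__":
    for v in (0x00, 0x02, 0x22, 0x21):
        print(hex(v), decode_bios_cntl(v)["verdict"])
```

On a live Linux system, `decode_from_config_space(read_live_lpc_config())` gives the verdict for the running machine; an unprivileged read returns only the first 64 bytes and is rejected as too short.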

But more importantly, SMM gives their malware the ability to read all the data and code in the machine's memory. This allowed their malware to subvert any computer running the Tails privacy operating system. Edward Snowden and journalist Glenn Greenwald use Tails to manage the NSA documents leaked by the former. By reading the data in memory, hackers can steal a Tails user's encryption key and read all of the encrypted data. Tails runs from a USB flash drive or other removable media, so in theory it cannot be affected by viruses or other malware that infect the computer. It runs in the computer's memory, and when the operating system shuts down, Tails clears the RAM to erase any traces of its activity. But because the LightEater malware uses system management mode to read the contents of memory, it can grab data from memory and store it elsewhere before Tails deletes it.

Such an attack shows that the operating system chosen by Edward Snowden to protect himself cannot really protect him from the NSA or anyone else performing an attack with LightEater.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
