Researchers to CIOs: Patch your BIOS to avoid new attack

Millions of PCs could easily be infected by malware with highly privileged access to system memory, said researchers in Vancouver. The new attack targets the BIOS – a computing component that is rarely ever patched for security flaws, they said.

Xeno Kovah and Corey Kallenberg chose the CanSecWest conference to unveil LightEater, an attack that they said can even compromise operating systems that run from USB keys and aren’t stored on a computer’s main drive.

The attack implants malware into the BIOS, which is the firmware used during a computer’s boot process. It tells the computer what to do when it is first turned on. As such, it represents the ‘keys to the kingdom’ for an attacker, because it loads before any anti-malware software has a chance to protect the system. The attack specifically targets UEFI, a new kind of BIOS built on modular code and designed to be highly reused among all computer vendors.

The researchers targeted ‘incursion vulnerabilities’, which are flaws in the computer’s software that enable them to compromise the computer’s System Management Mode (SMM). SMM is a highly privileged operating mode in Intel processors that can be used to carry out functions including reflashing firmware. By hijacking SMM, they can implant malicious functions in the BIOS.

“SMM is an OS-independent execution mode in the processor, where the BIOS chooses the code that will run in this mode, and then locks it down so that no one can thereafter read or write SMM’s RAM,” Kovah told IT World Canada. “But when SMM runs, it can read and write all physical memory on the system (meaning all applications that are currently in memory, all OS memory, and all hypervisor/VMM [virtual machine memory]).”

This means that the BIOS malware is even more privileged than the hypervisors that control virtualized machines, Kovah added, so an attacker who compromised the BIOS could compromise a cloud infrastructure.

Incursion vulnerabilities can be found programmatically, simply by running a computer script, and the pair found dozens of them in minutes.

Once a BIOS is compromised, it will run an attacker’s instructions every time the computer is switched on, allowing it to use the SMM to read everything in a computer’s memory. This has severe ramifications, even for supposedly secure operating systems, like TAILS, which runs from a USB key and doesn’t install itself on a computer at all.

The LightEater attack could be implemented remotely by anyone with a command line and administrative access. This means that conventional malware could be delivered via a drive-by download that would infect the system and then install the attack.

It could also be delivered via physical access to a computer. Someone who was able to gain direct access to the BIOS by opening a computer could install the attack in two minutes, said the pair. That obviously has ramifications for both law enforcement and customs officials.

The Trusted Computing Group (TCG) architecture, released several years ago, was supposed to protect computers by using an untamperable Trusted Platform Module (TPM) to check the state of a machine when it boots. Unfortunately, Kovah said, the TCG architecture relies on the BIOS to store the data that would be used to verify the state of a system. That renders the architecture vulnerable to an attack like LightEater, he added.
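The dependency Kovah describes can be seen in a simplified model of measured boot. This is an added example, not code from the researchers or from the TCG specifications; the single SHA-256 register, the stage names and the byte strings standing in for firmware images are all constructed assumptions.

```python
import hashlib

def measure(image: bytes) -> bytes:
    """Honest measurement: the digest of the code about to run."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new register = H(old register || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(stages, report=measure):
    """Extend one register with each stage's digest. `report` models the
    measuring code, which in this model is part of the BIOS image."""
    pcr, log = bytes(32), []
    for name, image in stages:
        digest = report(image)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def replay(log):
    """Verifier side: recompute the register from the event log."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

# Constructed stand-ins for a known-good boot chain.
GOOD = [("bios", b"bios-v1"), ("bootloader", b"loader-v1"), ("kernel", b"kernel-v1")]
GOLDEN_PCR, _ = measured_boot(GOOD)

def verify(pcr, log):
    """Accept only a log that replays to the reported and golden value."""
    return replay(log) == pcr and pcr == GOLDEN_PCR

def stale_report(image):
    """Measuring code that reports the stored known-good BIOS digest
    instead of measuring the BIOS image actually running."""
    return measure(b"bios-v1") if image == b"bios-modified" else measure(image)

def run(stages, report=measure):
    return verify(*measured_boot(stages, report))

changed_loader = [GOOD[0], ("bootloader", b"loader-modified"), GOOD[2]]
changed_bios = [("bios", b"bios-modified")] + GOOD[1:]
```

A change to a later stage, or to the BIOS while the measuring code is still honest, is rejected by `verify`; the check passes only when the code producing the measurements is itself the part that changed, which is why the verification has to be rooted outside the BIOS.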

Since then, Intel has created Boot Guard, a system that stores the verification data in a separate authenticated code mode (ACM). “Given that the ACM is digitally signed by Intel, and the CPU hardware verifies the signature before it is executed, this becomes a much harder target to attack,” Kovah added. However, this was only implemented in Intel’s fourth generation Haswell architecture, meaning that it was only available to vendors in the last couple of years.

“There was only very limited deployment of this technology by BIOS vendors in fourth generation systems, but it seems like they are talking about using it more seriously in more fifth generation systems (which were only released in late 2014),” he said.

The attack is particularly worrying because few vendors patch their BIOSes, said the researchers, adding that they often adopt an ‘out of sight, out of mind’ approach. When they contacted vendors about the issue, some of them refused to believe that they were infected, while others stopped returning their mails.

“The top three PC vendors, Lenovo, HP, and Dell respectively, have done a reasonable job of handling our vulnerability disclosures over the past couple years, so they know what they need to do,” Kovah said.

“Other vendors have done an extremely poor job, both in communicating their acknowledgement/response, and in most cases never patching old machines, only sometimes fixing problems for new systems they release.”

The researchers said that they would make a name-and-shame list of vendors who were leaving their customers open to BIOS attacks.

CIOs should start checking the security of their computer firmware, and demanding BIOS patch capability from their patch management software vendors, the pair said. Kovah also pointed to the Copernicus project, a free tool for machines running Windows 7 and later. This tool, which must be obtained from MITRE through a direct request, checks to see if BIOSes in an organization are vulnerable, and if so whether they are infected, he said.

The duo did offer a little hope. They are working with Intel to create a commercial-grade SMM isolation that would protect systems from infected versions of the code, they said. They will then work with BIOS vendors to incorporate the technology into their systems, so that even if attackers break into the SMM, they couldn’t read or write memory arbitrarily. Machines could also then be used to detect attackers by measuring their activities, they concluded.

Danny Bradbury
Danny Bradbury is a technology journalist with over 20 years' experience writing about security, software development, and networking.