Research Into BIOS Attacks Underscores Their Danger
For three years, Dragos Ruiu has attempted to track down a digital ghost in his network, whose presence is only felt in strange anomalies and odd system behavior.
The anomalies ranged from system instability, to “bricked” USB sticks and data seemingly modified on the fly, according to online posts. Ruiu, who organizes a number of well-attended security conferences including the current PacSec conference in Tokyo, believes the issues are due to malware infecting the low-level system software, or BIOS, on the machine and has provided hard drive images to other researchers. So far, no one has confirmed the issues.
“I lost another one yesterday confirming that’s simply plugging in a USB device from an infected system into a clean one is sufficient to infect,” he wrote on Google+ in late October. “This was on a BSD system, so this is definitely not a Windows issue. And it’s a low level issue, I didn’t even mount the volume and it was infected.” Ruiu has not yet responded to requests for comment.
While security experts continue to debate the existence of BadBIOS, no one denies that malware that infects the basic embedded code on computers is a possibility. A number of researchers have, in the past, demonstrated the ability to infect various low level components of computer systems with custom code. In 1998, the CIH, or Chernobyl, virus infected Windows 98 systems and attempted to reflash the BIOS, the basic input/output system, on vulnerabile motherboards. Since then, only a smattering of researchers and attackers have focused on attempting to compromise the low-level system components: In 2006, for example, a researcher demonstrated ways that the Advanced Configuration and Power Interface (ACPI) on newer motherboards could be used as a high-level language to infect the BIOS.
Whether BadBIOS is the natural extension of that evolution is still a question, says Oded Horovitz,CEO of PrivateCore, a startup focusing on data and hardware integrity.
“It’s anywhere from an odd reality to a myth,” Horovitz says. “Clearly, the concept of the threats circulating around is similar to BadBIOS–re-flashing the firmware and infecting these devices.”
Last year, Jonathan Brossard, a security research engineer with consultancy Toucan Systems, demonstrated that a collection of open-source software and purpose-built code could be used to infect a system with hard-to-detect code that is very difficult to remove.
The attack platform, called Rakshasa, infects the system’s BIOS, the code that first runs on any computer, but also other firmware on the device, including the code used to start up a computer, to make the code nearly impossible to eradicate from the system. In fact, the code is so difficult to remove that Brossard recommends that someone that suspects BIOS malware on their system simply toss their computer and buy a new one.
“The whole concept of such malware is that, if you cannot trust your BIOS, you cannot trust your operating system, and if you cannot trust your operating system, then you cannot trust any calculations or anything you do on the system,” Brossard says.
Researchers and attackers focus on BIOS and other firmware because it is the first code to run, is hard to change and changes are difficult to detect.
[Researchers expect to release proofs-of-concept at Black Hat that show how malware can infect BIOS, persist past updates, and fool the TPM into thinking everything’s fine. See BIOS Bummer: New Malware Can Bypass BIOS Security.]
Erecting defenses to firmware-level attacks is difficult, even on systems with the Trusted Platform Module, cryptographic hardware designed to allow a system to check and attest to its integrity. In a presentation at the Black Hat Conference in July, three researchers from Mitre showed that the access controls that protect BIOS could be circumvented.
A major part of the issue is that the developers who write code for BIOS, firmware, and embedded devices are generally not practiced in writing secure code, says Robert Graham, CEO of security consultancy Errata Security. Many of the methods, such as the Secure Development Lifecycle, that have made code more secure in the operating-system and PC-application world have not yet become standard practice in the embedded device and firmware community.
“The people who write code for embedded devices write really bad code,” he says. “You look at drivers or the firmware, there is none of the modern security practices.”
That does not mean that an attack like BadBIOS is real, he says. Despite the fact that an attack such as BadBIOS is feasible, it could easily be some strange hardware issues, Graham adds.
On the other hand, it could be that Ruiu has discovered an interesting attack, he says. While the scale of the campaign seems impractical because of the number of different hardware motherboards that would require custom code, dedicated attackers could accomplish such a feat.
“One thing that could be happening here that some virus has been doing this for a number of years and we never noticed,” he says. “Dragos could simply be noticing something that other people have overlooked.”
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.