Hey kids, who wants to pwn a million BIOSes?

You think PC BIOSs are vulnerable?

ILO, DRAC and Co: These are the real security nightmares. God only knows what they get up to when the computer room is quiet. They have the ability to say checkpoint a running system, grab the contents of RAM and then shuffle that off elsewhere. I'm not saying they do, but they could. All that without the OS or hypervisor knowing what's happening. The security model for IPMI is laughable as well.

Remote access when a machine is buggered is handy and the monitoring is nice but they are a real problem for the properly tin foil hatted ones.

Even hard discs have pretty butch CPUs, memory and a fair bit of firmware on board these days. I believe someone booted a Linux kernel on one for a scary PoC and a laugh.

If you're using IPMI/DRAC then it needs to be on a separate out-of-band management network, and on a separate physical port (those machines which share the IPMI port with the host NIC are evil)

O RLY?

"We have overseen the updating of thousands of BIOSes, with not a single failure"

What the hell are these clowns smoking?!? Sure, if you have some version of "dual BIOS" or somesuch it IS a lot safer, but plenty of older motherboards don't - are they really insinuating nobody could possibly need to futz around with an EEPROM programmer and a removed BIOS chip thanks to a fortuitous power cut anymore just because it never happened to them...? Saying "most likely youl'll be just fine" is one thing - but this...

Hard TPM

If you can trust it. Once BIOS is rooted, can you trust anything emitted by the box?

Maybe, if you can install the TPM in a tamper resistant enclosure with traceable certificates at build time that can be used to establish a secure channel for query. Otherwise the box can just lie through its proverbial teeth.

In a nutshell...

it all boils down to the simple rule, "you cannot contain malware on a computer".

If you can run malware it is likely do be able to do anything. Our safeguards are just additional boundaries to make the job a bit harder, which is a good idea, but we shouldn't rely on it.

Unfortunately, recent developments have increased the problem. Systems have gone even more complex than they used to be, greatly increasing the chance of some remote code execution bug which might introduce malware into your system. Javascript may be comparatively easy to sandbox, however it's getting more and more common and browsers do not even enforce a single domain policy.

Plus there are some stupid ideas like UEFI creating hugely complex systems which are easy to be corrupted by malware, but hard to be replaced with something simple by the user.

computers are devices for watching cat videos archived on the internet. on no account should they be used for anything serious.

How about making it part of OS updates?

OS X updates regularly contain patches to the UEFI which are just flashed on reboot. Couldn't there be a way for WindowsUpdate and the update systems of the various Linux distros to do something similar?

Firmware or crapware?

I guess that firmware updates are the responsibility of the computer maker, rather than Microsoft, and would rely on the manufacturer's "value added" software being present.

Unfortunately, new machines come with so much crapware that the first thing a careful owner does is a clean install minus all the crapware.

Why??

It used to be that the BIOS just had some routines that you didn't use and read the first sector from secondary storage. The original PC had BASIC in there as well. Things are a bit more (unnecessarily in my opinion) complicated these days with the UEFI craze and more. If the BIOS were simple enough you wouldn't need to update it when Microsoft commands you.

Maybe the solution is to throw out all the cruft and go back to basics (sorry). Have the BIOS read the first record from secondary storage and check for the keyboard. If necessary save some parameters like which secondary storage device to get the "first record" and what to display on the "flash screen". Not much else is used when you boot a Linux system anyway.

The BIOS should be on ROM. The OS on sensitive computers should be on ROM. These are things people knew when ZX Spectrum's ruled the earth. Can you not remember?

I guess if you want any security these days you should do your own microprocessor system.

Don't blame the end-user organisations, blame the OEMs

It peeves me greatly when I buy a new-in-box, current-model device, and find the last firmware upgrade a good number of months in the past with bugger all during the useful life of the device.

The ultimate solution

Bring back the write protect jumper on ALL motherboards without exception.

If you cannot afford this, then maybe you shouldn't be manufacturing motherboards to begin with!

And the burnt-in spyware ?

Let's not forget the spyware - ahem sorry I mean security management facilities - burnt into most BIOSes. Yes the ones which can install their software into the guest OS, so that it can report back to the mothership and/or be remote wiped. I'm talking of course about Computrace. But there are others who have tried to join the market.

I can see the point of these - a bit like iLO and DRAC - but they are internet facing clients which in every other circumstances would be judged as infected bots.

Then you have the other issue with motherboard manufacturers. (cough)Giga(cough)byte(cough) actually discourages BIOS updates. The manual states:

"Since a BIOS update is an inherently risky procedure, it should not be done unless you are experiencing a bug. If you are not, then it should not be done."

So, what's a user to do when the mobo manufacturer makes a statement like that? Myself, I tend to ignore it. But the dual BIOS setup is nice as there is a backup BIOS that will reflash the main BIOS to get the system up and running on a failed or corrupt BIOS.