Noobs can pwn world's most popular BIOSes in two minutes

Millions of flawed BIOSes can be infected using simple two-minute attacks that don't require technical skills and require only access to a PC to execute. Basic Input/Output Systems (BIOS) have been the target of much hacking research in recent years since low-level p0wnage can grant attackers the highest privileges, …

Silver badge

OS Warning

This is where someone with the necessary skills could do well with Linux - a nice little program to run that checks the BIOS version, compares with some friendly on-line database and reports back if you need an upgrade. Or does dmidecode already provide the information that just needs a parsing script and the friendly website?

4
6
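A sketch of the checker suggested above, added here as an example and not code from the original post or from The Register: it parses the SMBIOS type 0/1 records as printed by `dmidecode -t 0,1` and compares the installed BIOS version against a local stand-in for the "friendly on-line database". The sample output, the vendor, product and version strings, and the dotted-numeric version scheme are all constructed assumptions.

```python
"""Report whether a newer BIOS is known for this machine, from dmidecode output."""
import re
import subprocess

# Constructed sample of `dmidecode -t 0,1` output; not captured from a real machine.
SAMPLE_DMIDECODE = """\
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: ExampleVendor
\tVersion: 1.2.3
\tRelease Date: 03/10/2014
\tROM Size: 8192 kB

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: ExampleVendor
\tProduct Name: ExampleBook 9000
\tSerial Number: CONSTRUCTED-0001
"""

# Constructed stand-in for the on-line database: (manufacturer, product) -> latest version.
# A real tool would fetch this over TLS and verify a vendor signature on the entries.
LATEST_BIOS = {("ExampleVendor", "ExampleBook 9000"): "1.4.0"}


def parse_dmidecode(text):
    """Return {section title: {key: value}} for every 'Handle ...' block."""
    sections, current, expect_title = {}, None, False
    for line in text.splitlines():
        if line.startswith("Handle "):
            current, expect_title = None, True   # the title is on the next line
        elif expect_title:
            current, expect_title = line.strip(), False
            sections[current] = {}
        elif not line.strip():
            current = None                       # blank line ends the block
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def version_key(version):
    """Numeric components for comparison, e.g. '1.2.3' -> (1, 2, 3).
    Assumption: dotted numeric versions; many vendors need their own rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def check_for_update(sections, database=LATEST_BIOS):
    """None if the product is unknown, else installed/latest and whether to update.
    Caveat from the thread: an already-compromised BIOS can lie about its version,
    so this only tells a clean machine that a vendor update exists."""
    bios = sections.get("BIOS Information", {})
    system = sections.get("System Information", {})
    key = (system.get("Manufacturer"), system.get("Product Name"))
    installed, latest = bios.get("Version"), database.get(key)
    if installed is None or latest is None:
        return None
    return {"product": key, "installed": installed, "latest": latest,
            "update_available": version_key(latest) > version_key(installed)}


if __name__ == "__main__":
    try:  # dmidecode normally needs root; fall back to the sample when it fails
        out = subprocess.run(["dmidecode", "-t", "0,1"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_DMIDECODE
    print(check_for_update(parse_dmidecode(out)))
```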
Silver badge

Re: OS Warning

A BIOS is basically a Ring -1. It can intercept any verification and return good results.

14
1
Anonymous Coward

@Number6 - Re: OS Warning

Unfortunately Linux people have to fight with BIOS manufacturers who can't be arsed to follow the very specs they've developed.

3
1
Silver badge

Re: OS Warning

> A BIOS is basically a Ring -1. It can intercept any verification and return good results.

I wasn't thinking of situations where it's already hacked, because such a BIOS can report good results by any means, even on the boot-up screens. It was more an informational thing for people to be aware that there is a BIOS update available, in the same way they get informed of other updates. I bet most people aren't even aware they can upgrade the BIOS anyway - how many of them ever go through the BIOS settings? (OK, I suspect a higher proportion of Linux users are probably aware.)

Once your BIOS is hacked, it can probably simulate being upgraded too, so you're into some sort of JTAG reprogramming to be sure.

0
0
Silver badge

Maybe the operating system shouldn't use the BIOS.

Then the running operating system wouldn't have vulnerabilities. The BIOS could be sent out to pasture and basically ignored.

Oh, wait, there is already an operating system that does much of this.

The other alternative is a BIOS that the OS vendor controls.

3
7
Silver badge

Re: Maybe the operating system shouldn't use the BIOS.

They have to if they want to support ACPI low power states. The OS has to have full knowledge of the hardware to avoid that - i.e. this is an option for Apple alone.

Even ignoring that, even if the OS didn't use the BIOS at all, if the OS can be made to alter the BIOS then it is game over next time you boot.

5
0

Re: Maybe the operating system shouldn't use the BIOS.

A reminder that Coreboot is a thing, for some machines. That's the only way to be sure.

0
0

This post has been deleted by its author

Anonymous Coward

Re: Maybe the operating system shouldn't use the BIOS.

> A reminder that Coreboot is a thing, for some machines. That's the only way to be sure.

Sure of what? Still shoves blobs of binary "video driver" and microcode and so on into the system... better, perhaps... if better is even a thing in this context... but are you sure you're sure?

...and that's before you start heading down recursive compiler trust rabbit holes and the like...

...and then there's the hardware itself of course... Intel openly admits it'll secretly bake whatever secret instructions it's secretly given into its consumer chips as long as it's adequately profitable... ...other designers?... ...and fabs?...

Who do you trust? Of what are you "sure"?

2
0
Bronze badge

Re: Maybe the operating system shouldn't use the BIOS.

@AC

Or even "Whom do you trust?".

4
1
Anonymous Coward

Re: Maybe the operating system shouldn't use the BIOS.

Without a BIOS of some sort, operating systems would need drivers to provide the missing API layer to the countless variants of motherboard hardware out there.

1
0
Silver badge

Re: Maybe the operating system shouldn't use the BIOS.

"Then the running operating system wouldn't have vulnerabilities."

It would still be vulnerable because there would still usually be a moron sitting in front of it. Anyone remember sheep.exe? Why don't virus writers use that kind of thing to spread these days? I'd probably still run it, and I should know better :)

1
0

Re: Maybe the operating system shouldn't use the BIOS.

@ Primus Secundus Tertius

I trust neither of them.

0
0
Silver badge

Didn't PCs used to require switching a jumper to flash the BIOS?

Whatever happened to that? Too user unfriendly? Maybe we need to go back to those days, it isn't like a new BIOS comes out the second Tuesday of every month.

26
0

Re: Didn't PCs used to require switching a jumper to flash the BIOS?

"Whatever happened to that? Too user unfriendly?"

I remember when we had to remove the EPROM chip, erase it, program it with the new BIOS, and re-insert.

Ah, for the good 'ole days, way back in the era when seeing "your PC is now stoned" was funny.

15
0
Silver badge

Re: Didn't PCs used to require switching a jumper to flash the BIOS?

Indeed. Nothing was quite as hilarious as seeing a slightly panicking mate at the uni go into full panic mode when the antivirus he launched because letters were falling on his DOS screen started to display messages with falling letters as well. And that was long before the Matrix! Oh, and no worries - the virus we installed that did that to him was a special, neutered version - it did not infect and disappeared on reboot...

3
0

Re: Didn't PCs used to require switching a jumper to flash the BIOS?

Yes but... as I understand it, physical access to the machine is needed in order to install the hacked BIOS - so a simple hardware switch isn't going to help a lot.

1
1
Silver badge

Re: Didn't PCs used to require switching a jumper to flash the BIOS?

Why would physical access be required to flash the BIOS? Any PC that supports flashing the BIOS with a Windows app (i.e., probably all of them made for the last decade at least) can be flashed with malware that can be made to run on that PC. That malware can be delivered via an email from China, no physical access required.

0
1
Bronze badge
Childcatcher

Re: Didn't PCs used to require switching a jumper to flash the BIOS?

For similar 'wait, didn't this used to have security?' things, try looking for a USB stick with a read-only switch. Now check again whether it's a hardware protection or just a bypassable software flag.

Suddenly a floppy/CD for a secure boot medium looks almost sane.

4
0
Silver badge
Thumb Up

Re: Didn't PCs used to require switching a jumper to flash the BIOS?

Yar, I had one of those. An Amiga 1000 (#2038 of the first run). Just bright enough at boot to ask for its Kickstart "ROM" contents via a floppy disk. It was actually quite handy, as I was able to verify which versions of AmigaDOS each file uploaded to the Amiga forums on CompuServe worked with.

0
0
Silver badge

This wouldn't be (much of) a problem...

...except that UEFI implementations commonly have a network stack. Some even stay running in service mode and listen on your network card. So it's not unlikely that at least some security holes are exposed over the network.

The problem with UEFI is that it is _far_ too complex for the problem it needs to solve. So we can expect loads of security critical problems in there as well as completely new attack surfaces.

29
0
Facepalm

Re: This wouldn't be (much of) a problem...

Yes, but all of them will be cryptographically signed... won't that be exciting.

2
1
Silver badge

Re: This wouldn't be (much of) a problem...

As you say, UEFI in particular is *way* too complex for what it needs to do - basically, provide a way of loading and running the first sector of the disc (ooh, look, two options to lie to the user already!) and a list of peripherals and their states. Making the bios also responsible for approving the operating system image is not really helpful (and of course, a pain if you want to run something other than what came in the box).

There's an awful lot to be said for a little switch on the motherboard to make the bios chip writeable. It shouldn't be possible to rewrite the bios from userland at all.

(Apropos of which - what's the situation if you've turned the UEFI off for a standard bios boot? Is it a standard bios, or is it UEFI pretending?)

11
1
Silver badge

Re: This wouldn't be (much of) a problem...

It's not just the UEFI stuff that is stupidly complex, it's all of the pointless "eye candy" that MB makers seem to think you want/need. Really, the only folk who should ever be fiddling with BIOS/UEFI settings are the sort who really know what they are doing, and they are quite capable of using text-mode operations.

It's high time that we started pressing for MB makers to fully and openly support coreboot; at least then you have a chance of getting the source code inspected and maybe bugs fixed. Might even save them money in the long term for support and development.

And yes, I would like to see the return of a physical switch to allow BIOS writing, that would put a stop to most of these issues (aside from pre-installed malware, obviously).

7
1

Re: This wouldn't be (much of) a problem...

How would that work for tablets, phones, and other sealed hardware where you still want to be able to update the bios occasionally?

2
0
Anonymous Coward

Re: This wouldn't be (much of) a problem...

>How would that work for tablets, phones, and other sealed hardware where you still want to be able to update the bios occasionally?

A "locked/unlocked" dip switch beside the sim socket doesn't seem unreasonable to me. Unlike the de facto "locking" and "rooting" pantomime.

If these things weren't designed by/for intelligence agencies there'd be dip switches for "radio" and "mic" there too which actually (physically... verifiably!) disabled those circuits.

The truly sealed disposable crap would have to offer the switches along an edge or under covers of course, for the owner's convenience until the battery fails and it's dispatched off to landfill.

5
0
Silver badge

Re: This wouldn't be (much of) a problem...

"tablets, phones, and other sealed hardware "

The sort with various power & volume buttons on the side that could be held down in some odd manner to enable it passers?

1
1
Silver badge

Re: This wouldn't be (much of) a problem...

" Some even stay running in service mode and listen on your network card."

Unless it's running on a server IMM, then how exactly does it "stay running" if the OS doesn't call it periodically? It's not a hypervisor, it's just code sitting in a ROM, not magic.

1
1
Anonymous Coward

Re: This wouldn't be (much of) a problem...

"It's not a hypervisor"

How exactly does one determine that?

2
0
Silver badge

Re: This wouldn't be (much of) a problem...

"How exactly does one determine that?"

The OS checks the ring level it's running at against the type of CPU. If it's not at, or can't switch to, the most privileged level for that CPU then it can assume a hypervisor is sitting between it and the hardware.

0
3
Silver badge

Re: This wouldn't be (much of) a problem...

> The problem with UEFI is that it is _far_ too complex for the problem it needs to solve

Don't worry. We'll all be running systemd on top of it. That'll help manage the complexity.

Right?

9
0
Anonymous Coward

Re: This wouldn't be (much of) a problem...

> The OS checks the ring level it's running at against the type of CPU. If it's not at, or can't switch to, the most privileged level for that CPU then it can assume a hypervisor is sitting between it and the hardware.

Nowhere near that simple. Sadly. Bluepill etc?

...and that was back in the halcyon times before "the industry" contrived and installed into our machines: SEPARATE bespoke processors CONSTANTLY running their own bespoke proprietary OSs and bespoke proprietary network stacks in their own dedicated RAM and permanently hooked in to our networks and CPUs with omnipotent omniscient control of the machine. All separate from and with greater privilege than "the most privileged level for that CPU". Those bespoke proprietary OSs etc, of course, residing on the "BIOS" flash chip and constituting part of a modern "BIOS" payload.

http://invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf

3
0

Re: This wouldn't be (much of) a problem...

http://en.wikipedia.org/wiki/System_Management_Mode

Note that the motherboard can enter it via an interrupt entirely behind the operating system's back.

3
0

Re: This wouldn't be (much of) a problem...

And how would a mobo jumper or 'A "locked/unlocked" dip switch beside the sim socket' help, when the threat discussed in the article is one that requires physical access to the machine in question?

2
2

This post has been deleted by its author

Re: This wouldn't be (much of) a problem...

While I agree that a write-protect jumper or switch could help prevent remote attackers from updating a BIOS, it doesn't sound like it would help much at all in the scenario described in the article. A jumper is definitely something a maid or border official could handle within a minute or so. While the article describes it as being performed by someone "unskilled", this might not be an actual maid, but someone posing as one, who's had some practice performing this task. They'll know exactly where the jumper is for the target device, and how to get to it in an efficient manner. Even if they were a "complete noob", whoever put them up to it would have surely shown them how to do it. I doubt many maids will be randomly compromising BIOSes on their own.

And of course, the manufacturer isn't going to hide the jumper in some inaccessible location if they intend for people to actually apply patches. On a laptop or mobile device, it might be accessible from the battery compartment, or some other relatively convenient location.

Also, there should be no need to boot the device to verify that it worked. If there's only a few minutes available, it can simply be assumed that the patch worked. Otherwise, they can try again the next time an opportunity presents itself. If they happened to brick the device, its owner will probably just assume it broke in transit.

As for soldering in a new chip, that would obviously greatly increase the necessary time and skill requirements, as well as the failure rate. There's a pretty big difference between moving a jumper and soldering dozens of tiny pins in close proximity to one another. Again, the whole point of this is that it's something that can be done by someone with little training in a very short amount of time. And sure, there are many other ways a system could be compromised by someone with direct access, but not so many that would allow such relatively undetectable low-level hardware access.

0
0
Silver badge

Re: This wouldn't be (much of) a problem...

" A jumper is definitely something a maid or border official could handle within a minute or so. "

Yes, but seriously protecting against physical attackers is another problem altogether. You cannot protect your computer from physical attackers easily. The whole "secure boot" crowd claims that they can, but in reality they only make the problem worse by keeping you from installing a simpler BIOS.

Keep in mind that physical access to a laptop can also mean that the attacker buys the same model you have, installs a password prompt looking exactly like yours, and then swaps it with yours at a conference. While you enter your password into the fake password prompt, the attacker mirrors the hard disk. And when you notice the mistake, he comes back with your laptop, apologizing for the mix-up.

0
0
G2
Mushroom

manufacturers are to blame 100%

This ball is squarely in the manufacturer's court. Almost every device I have encountered so far comes with a disclaimer that you, as user, are shit out of luck if you try to upgrade its bios/firmware and it's no longer working after that, and that the warranty will be voided by ANY changes that you make to the original as-shipped bios ("any" meaning including trying to upgrade it with a bios downloaded from the manufacturer's site).

Until the manufacturers provide full support for bios/firmware upgrading and drop the associated warranty-nuking legalese from the warranty terms, the users won't even consider patching them.

13
0
Silver badge
Mushroom

Re: manufacturers are to blame 100%

I've just looked at the ASUS website and they seem to encourage people to update the BIOS; to wit, the 8 series m/b has a BUTTON to initiate the update.

Flashing the bios ------->

2
0
Anonymous Coward

Re: manufacturers are to blame 100%

EXACTLY what I was thinking...

> "Because almost no one patches their BIOSes, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected," Kopvah says.

> "The point is less about how vendors don't fix the problems, and more how the vendors' fixes are going un-applied by users, corporations, and governments."

Bollocks! Absolute bollocks. The problem is the vendors and the BIOS cartel. 100% vendors and the BIOS cartel.

BIOS and its (astonishingly) even more clusterfuck successor, the name of which I dare not invoke, is an unbelievably opaque morass of unnecessary antiquated obsolete demented crap. It's difficult to imagine that even a very well funded government TLA could contrive a better abomination with which to disseminate little "accidents" if it had been tasked with pwning the whole world's computers. A BIOS is an ancient, barely maintained, bug-ridden clusterfuck when the vendors buy it in. Obsolete before the hardware even ships, the only "updates" the vendors seem to dare touch are trivial compatibility additions like adding IDs for new CPUs or pissing about with the UI. Blaming the end-user for this is psychotic.

> The need for better BIOS security is "starting to sink in" with top vendors Lenovo, Dell and HP moving to squash flaws in their gear. ASUS, Kopvah says, is a good example of those which had not patched or acknowledged BIOS flaws.

> Some BIOS are woefully insecure. The pair found Gigabyte's BIOS had borked access controls that did nothing to prevent attacks.

See. Told you so! I wonder what, EXACTLY, is supposed to be the point of my flashing on "some woefully insecure BIOS." I'll also happily wager a fiver that even "top vendors Lenovo, Dell and HP" BIOSes are NOT free of "0-days" either.

> "The point is less about how vendors don't fix the problems, and more how the vendors' fixes are going un-applied by users, corporations, and governments."

Really? REALLY?

Bollocks.

Sincerely,

Incandescent with Indignation, Chipping Sodbury.

PS. +1 to the jumper/dip revival movement, +1 to coreboot. Shirely it's time to put an end to this shit-by-design shit. Sometimes it almost seems like some great unseen power actually wants to keep computing insecure and is scuttling about spewing demented overcomplexity and turbidity to that end. http://www.theregister.co.uk/2015/03/18/is_the_dns_security_protocol_a_waste_of_everyones_time_and_money/

PPS. Thank god these opaque, archaic, over complex, "woefully insecure" clusterfuck blobs are now cryptographically signed by the NSA's Redmond division. Taking away my jumper switch and handing control of my computer to the trusted (by reciprocal definition - as I seem to have been told rather a lot lately) US government certainly makes me feel all safe and fuzzy. They're cryptographically secure clusterfuck blobs now FFS! Awesome!

/indignant ranting

19
0

Re: manufacturers are to blame 100%

It's not just the computer. It's the TV, printer, that streaming box you purchased a couple of years ago and a bunch of other network connected kit that appears to be running Android or BusyBox.

The manufacturers customise the software, do a couple of updates during the first 18 months to fix the most shocking bugs and, perhaps, introduce a few new features. Then that's it. Support is finished and the world rolls on.

I'm not sure what the answer is, I did wonder if manufacturers should be forced to open source their code/build environment for each device as it gets to the end of its support life...

8
1
Silver badge
Facepalm

Re: manufacturers are to blame 100%

There's an interesting insight from someone who actually programs UEFI's here, from a thread on When you have thousands and thousands of different devices, all of which are expected to 'just work', while also providing new features coming from multiple different manufacturers with no governing body, is it any wonder that it's turned into a complete fustercluck?

2
0
Silver badge

Sublime Words Command and Control Surreal Worlds and Virtual Realities/Prime & Sub-Prime Existences

Good steganography beats all bad, which be lesser than quite perfectly secure, cryptography. And all quite perfectly secure cryptography too, for there is always a way into systems and attendant services. They are, after all is said and done, imagined and run by easily corrupted and perverted humans/beings/entities, which in many cases be fronting as departments and businesses.

6
6
Anonymous Coward

@Manfrommars

Ah, the Manfrommars isn't dead after all, although his post seems strangely coherent; replicant or braindump?

2
3

This post has been deleted by its author

LDS
Silver badge

You severely underestimate the amount of x86 servers out there... and the more your server is "outsourced" somewhere else, the more someone outside your control can physically access it...

And most servers can now even upgrade the BIOS remotely from their management interfaces; for example, Dell iDRAC can do it (and several other firmware too, given even PSUs have firmware today).

2
0
Anonymous Coward

> 2. As described in the article, the attack requires physical access to the machine...

As described in the article

Intel® AMT/vPro™ enabled anywhere?

2
0
Silver badge

"2. As described in the article, the attack requires physical access to the machine. Frankly, if somebody has this, it's always going to be game over."

Indeed, but p0wning the BIOS has the big advantage of getting the SMI and boot stages, so it becomes possible to have an infection that is totally transparent to any booted OS, and can't even be seen when booting a rescue CD sort of tool. And if you can automate that to slip in a USB, boot and press F11, 30 seconds later job done and power off, that is pretty tidy.

2
2

This post has been deleted by its author

Silver badge
Pirate

require only access to a PC

If you have physical access, then no security will save the owner / user.

6
1

Biting the hand that feeds IT © 1998–2017