Xeno Kovah and Corey Kallenberg, regulars at the major security conferences, gave a presentation at the CanSecWest security conference in Vancouver this past week on how to hack BIOSes.
Xeno and Corey, previously of MITRE (the non-profit that manages Federally Funded Research and Development Centers (FFRDCs) supporting the DOD, the FAA, the IRS, the DHS and NIST), have gone out on their own as LegbaCore.
Their first major piece of research is a working proof of concept for infecting the BIOS of a large share of the machines in use today. The advantage of infecting at the BIOS level is obvious: it does not matter which operating system sits on top of the hardware, or how many times you reinstall it, because the malware lives in the firmware that loads before the OS and persists across reinstalls and even disk replacement.
The less obvious advantage of infecting the BIOS is that you get low-level access to the rest of the hardware, including the hard disks, the webcam and the RAM. You are also invisible to any host-based antivirus, since it runs inside the operating system the implant sits beneath; network detection should still be able to pick up your traffic once you report back to your command and control, which is where defenders should look for this class of implant.
The concept of hacking the BIOS is not a new one: numerous documents released as part of the Snowden stash pointed to an active NSA program of BIOS infection and malicious implants, including intercepting servers on their way to end customers in order to plant a backdoor.
What is interesting about this specific presentation is that the pair have made BIOS compromise as easy as clicking a button, bringing the capability to any script kiddie out there wanting to make a name for themselves (assuming they could get hold of the software or a replicated version of it; watch this space).
Previously it was assumed that pulling off such an attack required physical access to the system. Not anymore: using what they call "incursion vulnerabilities", weaknesses in the protections that are supposed to keep the BIOS flash chip read-only from the running OS, the attack can be launched through remote exploitation. A basic phishing email that lands code execution on the host is enough of a starting point, because on the affected machines a privileged process can go on to rewrite the firmware.
LegbaCore analysed over 10,000 enterprise-grade (think business server) machines and found that 80% were vulnerable to these BIOS attacks. Their proof-of-concept implant, dubbed LightEater, hijacks System Management Mode (SMM), the most privileged execution mode on x86, which runs beneath the operating system and any hypervisor. Once SMM is compromised the attacker has free access to the hardware, including the ability to read any physical memory, whether or not the operating system believes it is private, and exfiltrate what it finds there.
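The check a practitioner wants after reading the paragraph above is whether their own machines are in the 80%: is the BIOS flash actually locked against a ring-0 attacker, or not? The following is an added example, not LegbaCore's or LightEater's code, and it assumes the register layout documented in Intel's public PCH datasheets and used by the open-source CHIPSEC `bios_wp` module: the BIOS_CNTL byte in the LPC bridge's PCI config space (D31:F0, offset 0xDC) with its BIOSWE, BLE and SMM_BWP bits, and the SPI controller's PRx protected-range registers. The register values below are constructed for illustration; on real hardware you would read them with CHIPSEC or, for BIOS_CNTL alone, `setpci -s 00:1f.0 0xdc.b` as root.

```python
"""Decode Intel PCH BIOS write-protection settings (added example, constructed values).

Register layout as documented in the Intel 6/7/8/9-series PCH datasheets
and used by CHIPSEC's bios_wp module (assumption for this example):
  BIOS_CNTL (LPC bridge D31:F0, config offset 0xDC):
    bit 0 BIOSWE   - BIOS write enable
    bit 1 BLE      - BIOS lock enable: setting BIOSWE raises an SMI
    bit 5 SMM_BWP  - only code running in SMM may write the BIOS region
  SPI PRx (SPIBAR + 0x74 .. 0x84), one 32-bit register per range:
    bits 12:0  protected range base  (4 KiB units)
    bits 28:16 protected range limit (4 KiB units)
    bit 31     write protection enabled
"""
from dataclasses import dataclass

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


@dataclass
class ProtectedRange:
    base: int             # first protected flash address
    limit: int            # last protected flash address (inclusive)
    write_protected: bool


def decode_pr(value: int) -> ProtectedRange:
    """Decode one SPI PRx register into a flash address range."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool(value & (1 << 31)))


def bios_locked(bios_cntl: int, prs, bios_region):
    """Return (locked, reasons) for a given register snapshot.

    The flash counts as locked against a ring-0 attacker when either
    BLE and SMM_BWP are both set, or a write-protected PRx range covers
    the whole BIOS region.  BLE without SMM_BWP is not enough: the OS can
    set BIOSWE and race the SMI handler that is supposed to clear it.
    """
    reasons = []
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)

    if bioswe:
        reasons.append("BIOSWE=1: BIOS region is writable right now")
    if not ble:
        reasons.append("BLE=0: nothing stops ring 0 from setting BIOSWE")
    if ble and not smm_bwp:
        reasons.append("BLE=1 but SMM_BWP=0: lock can be raced from the OS")
    cntl_ok = ble and smm_bwp

    region_start, region_end = bios_region
    ranges = [decode_pr(v) for v in prs]
    covered = any(
        r.write_protected and r.base <= region_start and r.limit >= region_end
        for r in ranges
    )
    if not covered:
        reasons.append("no write-protected PRx range covers the BIOS region")

    return (cntl_ok or covered), reasons


def main():
    # Constructed snapshots; a real tool would read these from the chipset.
    bios_region = (0x500000, 0x7FFFFF)            # hypothetical BIOS region in flash
    snapshots = {
        "locked via BIOS_CNTL": (BLE | SMM_BWP, [0, 0, 0, 0, 0]),
        "BLE only (racy)":      (BLE,           [0, 0, 0, 0, 0]),
        "wide open":            (0,             [0, 0, 0, 0, 0]),
        "locked via PR0":       (0,             [0x87FF0500, 0, 0, 0, 0]),
    }
    for name, (cntl, prs) in snapshots.items():
        locked, reasons = bios_locked(cntl, prs, bios_region)
        print(f"{name:22s} BIOS_CNTL=0x{cntl:02x} locked={locked}")
        for r in reasons:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

The "BLE only" case is the interesting one: it looks locked to a casual check, but it is exactly the kind of incursion weakness that lets a process with administrator rights on the OS reflash the firmware, which is the foothold a phishing email provides.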
Should we be worried about this type of attack? Is it feasible? Well, Kaspersky has already reported finding firmware-level implants on compromised systems in the wild, believed to be the work of a nation-state actor. Now infecting a BIOS is as easy as sending a phishing email.
Ask yourself this question, when was the last time you patched your BIOS? Exactly!
Check out some of Xeno and Corey's previous presentations at DEF CON below.