Researchers find way to hack BIOS chips

MANILA, Philippines – Researchers at the CanSecWest conference in Vancouver, Canada, revealed on Friday, March 20, a proof-of-concept that let them hack the BIOS chip of computers.

Wired reports that Xeno Kovah and Corey Kallenberg presented the proof-of-concept hack of the BIOS chip.

A BIOS chip starts a computer and loads its operating system. Once it is hacked, someone could potentially plant malware into it.

Because the BIOS runs below the operating system and antivirus software, it isn't scanned by them, meaning that malware on a BIOS chip can remain undetected and survive even a wipe and reinstall of the operating system.

Kovah and Kallenberg also found a way to gain high-level system privileges for their BIOS malware and bypass the modification protections on the BIOS, allowing them to reflash the BIOS and insert their own code. This let them get into specialized operating systems, like the Tails OS, that are used for stealth communications and the handling of sensitive data.

Prevalent vulnerabilities

Kovah and Kallenberg also explained that the vulnerabilities they found were present in 80% of the computers they examined, including Dell, Lenovo, and HP computers, due to how BIOS chips share some of the same code.

The vulnerabilities – which they've termed "incursion vulnerabilities" – are numerous enough that a script written to automate the process of finding them eventually stopped counting because it found too many openings to exploit.

Kovah explained, “There’s one type of vulnerability, which there’s literally dozens of instances of in every given BIOS.” Although they have disclosed the vulnerabilities to vendors, and patches have been made but not yet released, few people apply BIOS patches at all.

"Because people haven’t been patching their BIOSes, all of the vulnerabilities that have been disclosed over the last couple of years are all open and available to an attacker," Kovah added.

Their research also indicated that while this exploitation could be done remotely, an attacker with physical access can take over the system in around two minutes on some machines.

Snowden's PC unsafe

The malware that Kovah and Kallenberg developed, called LightEater, takes advantage of the incursion vulnerabilities to hijack system management mode (SMM) and thus gain high-level privileges on a user's system. SMM is an operating mode of Intel processors in which firmware runs with privileges above those of an administrator or root user.

Once they hijack SMM, they have a persistent, unseen foothold on the system and can read all the data and code that appears in the machine's memory.

This even affects specialized operating systems like the Tails OS, letting LightEater read and store data from the OS and extract it later on. The Tails OS was used by Edward Snowden and journalist Glenn Greenwald to handle the NSA documents Snowden had revealed.

Kovah said their attack shows that even the operating system Snowden uses to keep himself safe isn't safe from the NSA or from anyone else who can build sufficiently sophisticated malware. – Rappler.com

Victor Barreiro Jr.

Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.