Pigitus

join:2004-05-18
Arlington, VA

When BIOS/UEFI has built-in Internet access, what protection is there?

Some new motherboards can directly connect to Internet from the BIOS (or UEFI). This makes flashing the BIOS extremely convenient. But it creates a new security problem.

Is there any security software that can monitor and stop BIOS access to the Internet?

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

Anything downstream of the Ethernet socket... external firewall seems like your best bet.

Assuming like most people you're on a NATted LAN, I'd suppose there was some way in the router to stop that happening.

(Can't check now, on my way out the door...)

Pigitus

join:2004-05-18
Arlington, VA

1 edit

1 recommendation

Thanks.

Since the BIOS uses the motherboard's ethernet MAC, blocking that MAC in the router (even if possible) would also block my own traffic.

I will have to re-check whether the Verizon ActionTec router can log all traffic by IP address. I don't remember that it did. If it can do so, I could initiate a BIOS flash to get the destination IP address. But even blocking the whole range that includes this IP, would be a flimsy defense, not only because that IP range could change anytime, but because attackers in general could come from anywhere and plant something in the BIOS.

I don't know whether Intel's future Broadwell processor could deal with that open door at the BIOS level. As to Windows' 8 or 8.1 SecureBoot, even if it is effective at ensuring a safe reboot, a wide open door in the BIOS during a computer's normal operation between two reboots seems unsafe enough.


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

3 recommendations

I think you're worried about something that won't actually happen. The router is essentially keeping the bad guys at bay, behind the gate. If you directly connected your computer to the Internet without a NAT router in between your machine and the global Internet, then I'd have something to worry about.

Even then, I don't think the actual low-level UEFI process that connects to the Internet is active in UEFI unless you specifically want it to be active, that is, it's only active when you go into UEFI mode to go and trigger a BIOS/UEFI update. You can't attack what's not running or open to attack. If the operating system is running (Windows or Linux), the OS has taken over the Ethernet controller and the UEFI sub-system doesn't have access to it anymore, so the attack would then have to come through the OS, not UEFI.
--
Tom
Tom's Tech Blog


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB
+1 ..... agreed, with the right router's security configured, you could get all STEALTH. Test it here, trusted source [ »www.grc.com/x/ne.dll?bh0bkyd2 ]

Pigitus

join:2004-05-18
Arlington, VA

1 recommendation

You make good points.

1. The router is essential, indeed, in blocking inbound attacks, especially if it has a SPI firewall in addition to its firewall-like natural mode of operation.

2. The OS in addition to a software firewall inside the computer would take control of the LAN traffic.

3. If I get that kind of motherboard, the grc test will be a good idea to try for holes, although the router once again would be of great help.

Thanks for helping me think through this novelty. The potential remains, however, for something to be planted in the BIOS/UEFI while the flashing goes on. With what we're learning these days about governments using their big muscles to fiddle with routers -- and why not motherboards? -- it is not farfetched to keep that potential in mind.


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

said by Pigitus:

Thanks for helping me think through this novelty. The potential remains, however, for something to be planted in the BIOS/UEFI while the flashing goes on. With what we're learning these days about governments using their big muscles to fiddle with routers -- and why not motherboards? -- it is not farfetched to keep that potential in mind.

UEFI updates are digitally signed by the manufacturer of the motherboard to make sure that you are downloading a valid update. In other words, you can't just download any old UEFI file and install it; it won't work if it's not digitally signed.

As for governments getting their hands into the hardware... there's not much we can do about that. If they do do that, we would most likely not even know that that's happening.
--
Tom
Tom's Tech Blog

Pigitus

join:2004-05-18
Arlington, VA
reply to Pigitus
One last question. Suppose that, somehow, malware was planted in the BIOS. And suppose it wants to communicate with the outside world while an operating system is already loaded. Finally, suppose that a firewall watching outbound traffic is good enough to halt the request and ask the user's authorization for granting or stopping the request.

What do you think that request will look like? A strange-sounding process name? What kind of folder path will be associated with that name?

If that rootkit (or something like that) loads before the OS (and perhaps even before the firewall), could it not sneak through before the OS and the firewall stop anything?


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

If the OS is already loaded, there's not much the BIOS/UEFI can do because the OS already has control over the Ethernet controller.

As for a virus that infiltrates the OS after the UEFI hands over control of the hardware to the OS, it would have to happen at the bootloader phase of the boot process (sometimes known as a "bootkit"). It would have to load itself into the bootloader which then loads it into the OS.

SecureBoot is supposed to make this "impossible" since all of the parts of the boot process are supposed to be digitally signed.
--
Tom
Tom's Tech Blog

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
reply to Pigitus
As mentioned, the BIOS is out of the loop once the OS is up.

Also the internet access ability of the BIOS may not even function unless you are in the config screen. It might be something that is loaded when you push F2/Del at bootup.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports

James_C

join:2007-08-03
Florence, KY

1 recommendation

No. OS gaining the ability to use the ethernet controller in no way keeps the BIOS from using it. However, I think it is all unwarranted paranoia. Just because a board can go to a specific URL to get a bios update, that in itself does not make it vulnerable to anything even without a router, with the one exception that if the bios site was hacked, a virus inserted into the bios file with a valid checksum and digital signature, THEN you updated the bios with that you could become infected.

However, your infection risk is equal if you did it the old-fashioned way of downloading that infected bios yourself and manually updating it from DOS or through an OS app... so essentially, again there is no increased risk.


Raphion

join:2000-10-14
Samsara
Reviews:
·Verizon FiOS

1 recommendation

reply to trparky
said by trparky:

If the OS is already loaded, there's not much the BIOS/UEFI can do because the OS already has control over the Ethernet controller.

Not strictly true, at all. See Intel vPro, it has, among many other powerful features, a VNC server that runs entirely within the UEFI itself, full time, completely independent of any OS, even allowing full system access and control whether the OS is running or not.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

1 recommendation

said by Raphion:

Not strictly true, at all. See Intel vPro, it has, among many other powerful features, a VNC server that runs entirely within the UEFI itself, full time, completely independent of any OS, even allowing full system access and control whether the OS is running or not.

Actually this functionality is implemented in the firmware on the NIC and not in UEFI. It is available even if UEFI is not enabled or was not used to boot the OS. Once the OS is running UEFI is no longer in the picture.


Chubbzie

join:2014-02-11
Greenville, NC
reply to Pigitus
At one point, there were Gateway desktops that had a phone home feature enabled in the BIOS. Our sniffers would still see the traffic after the OS was loaded.

Also, think about iDRAC or IPMI features that are often loaded by default in corporate environments. If the machine(s) are questionable just fire up a sniffer and watch for any erroneous or nefarious traffic.


Chubbzie

join:2014-02-11
Greenville, NC
reply to James_C
Don't forget about DNS hijacking... build a mirror of the manufacturer's site, knock the BIOS archive offline, hijack DNS, user goes to update BIOS and voilà.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to James_C
Where does the BIOS get its IP address from? The TCP/IP stack is entirely in the OS (absent offload-engine features) so one would suppose firmware sharing the NIC needs its own stack if it will be able to communicate off-LAN.


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH
reply to Pigitus
Reminds me of the P3 serial number scare of the '90s-01/01. Nothing came of that but a few sites thought it would be cool to have P3-only content. They went the way of the dodo within weeks.

James_C

join:2007-08-03
Florence, KY
reply to Chubbzie
Not going to happen. That requires significant work, wouldn't be persistent, and offers no monetary gain for hackers. They wouldn't even get a giggle out of trashing someone's motherboard because all the user knew is next time they went to start the system it didn't work.

James_C

join:2007-08-03
Florence, KY
reply to dave
Not a big deal, consumer grade boards have had a PXE stack for network booting for about 15 years.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
PXE requires an IP address from DHCP, no? But the DHCP server is presumably going to hand out one IP address per MAC, which gives trouble sharing the IP address between OS and BIOS.

I could be wrong here, I don't know these protocols in minute detail, but it seems that the pre-execution services aren't going to work too well post-execution.
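One way to act on Chubbzie's "fire up a sniffer" advice above, and on dave's point that DHCP hands out one address per MAC: compare what a span-port capture sees coming from the host's MAC against the connection table the OS itself reports, and flag anything the OS cannot account for (a second IP behind the same MAC, or a flow the OS has no socket for). This is an added example, not code from the thread; the MAC, addresses, captured flows and socket table are all constructed.

```python
"""Flag traffic from a host's MAC that the host's own OS does not account for.

Added example, not from the thread. Assumes a span-port capture has already
been reduced to flow records and that the OS socket table (what `ss`/`netstat`
would export) was snapshotted at the same time. Both inputs are constructed.
"""
from dataclasses import dataclass

HOST_MAC = "00:11:22:33:44:55"   # constructed: the workstation's NIC MAC
OS_IP = "192.168.1.50"           # constructed: address the OS got from DHCP


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


# Constructed sniffer output: what the span port saw on the LAN.
CAPTURED = [
    Flow(HOST_MAC, OS_IP, "93.184.216.34", 443, "tcp"),          # OS browser session
    Flow(HOST_MAC, OS_IP, "192.168.1.1", 53, "udp"),             # OS DNS lookup
    Flow(HOST_MAC, "192.168.1.77", "203.0.113.9", 443, "tcp"),   # 2nd IP, same MAC
    Flow(HOST_MAC, OS_IP, "203.0.113.9", 443, "tcp"),            # OS has no socket
    Flow("aa:bb:cc:dd:ee:ff", "192.168.1.60", "93.184.216.34", 443, "tcp"),  # other host
]

# Constructed OS connection table, keyed (src_ip, dst_ip, dst_port, proto).
OS_SOCKETS = {
    ("192.168.1.50", "93.184.216.34", 443, "tcp"),
    ("192.168.1.50", "192.168.1.1", 53, "udp"),
}


def find_unaccounted(captured, os_sockets, host_mac, os_ip):
    """Return (reason, flow) pairs for flows the OS on the host cannot explain.

    Two tells are checked: a source IP behind the host's MAC that is not the
    OS's own address (a separate stack sharing the NIC), and a flow from the
    OS's address that has no matching entry in the OS socket table.
    """
    findings = []
    for f in captured:
        if f.src_mac != host_mac:
            continue  # only audit the host under suspicion
        if f.src_ip != os_ip:
            findings.append(("second IP behind host MAC", f))
        elif (f.src_ip, f.dst_ip, f.dst_port, f.proto) not in os_sockets:
            findings.append(("flow absent from OS socket table", f))
    return findings


if __name__ == "__main__":
    for reason, flow in find_unaccounted(CAPTURED, OS_SOCKETS, HOST_MAC, OS_IP):
        print(f"{reason}: {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto}")
```

On a live box the socket snapshot and the capture must cover the same window, or short-lived OS connections will show up as false positives; repeated hits to the same destination across several snapshots are the ones worth chasing.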


Chubbzie

join:2014-02-11
Greenville, NC
reply to James_C
said by James_C:

Not going to happen. That requires significant work, wouldn't be persistent, and offers no monetary gain for hackers. They wouldn't even get a giggle out of trashing someone's motherboard because all the user knew is next time they went to start the system it didn't work.

Start the system it didn't work? That makes no sense, we're talking about injecting and/or reassembling a BIOS with subverted code. The newly injected BIOS then fed back to the end user(s). DNS hijacks are fairly simple, especially when you have access to an internal network.

Your view of supposed "hackers" is rather elementary in thinking it's always about financial gain. One of the primary methods of infiltrating and subverting happens to be the stepping-stone approach. Why hack an entire network and risk exposure when you can just as easily compromise one particular machine (manager's, CEO's, etc.) that is already granted full or partially full (escalate privileges) access to what you need?

James_C

join:2007-08-03
Florence, KY
Paranoia has taken hold. Show us anyone who has been hacked like this. It's more likely an intruder will burst through the door to your room at any second but do you have a gun pointed at the door "just in case"? Intruders walking in a door is also "fairly simple", and "rather elementary", yet it really happens.

Further you can't just target one particular machine with this type of exploit because you don't even have any idea what motherboard it has, where it would pull a bios file, etc unless you had already compromised that system. It's all paranoia, people don't go to such measures without a financial expectation and they don't reinvent the wheel so they can wait around for YEARS with the hope that someday some particular system might have the BIOS updated.

FYI, corporate systems generally don't ever get their bios updated after deployment. It's a fixed config tested to work and left that way.

If we want to take the stance that nothing is truly secure, then why even fixate on it since they'll just get in another way, something already proven to work in the wild? I don't think I can use the word paranoia enough times in this topic so I might as well stop posting.

Pigitus

join:2004-05-18
Arlington, VA

1 edit
reply to novaflare
Someone mentioned paranoia. How many people truly understand this business?

I have an infra-primitive intuition of how it works and just hope to enrich my notions with complementary notions from others. That generates more light than thinking alone (unless I set an exorbitant amount of time to go the very bottom of many technical issues, which is totally improbable).

In any case, just to pick up a few points, F2 only pauses booting and opens an interface. F2 does not load the BIOS. The BIOS is just there and powered. It never goes away, even if you turn the computer off. To make it inactive, you'd have to take its small battery off. BIOS never really surrenders control to anyone, the OS included. It's normally designed to work passively with the OS and will do what the OS asks it to do -- if the manufacturer wants to stay in business. For instance, click in the OS to turn off a USB or LAN port, and the BIOS will instruct the board to turn off those things.

But now that motherboards have more of their own memory to work with (compared to the old BIOS standard), more features can be designed to give the physical layer (the motherboard) greater autonomy, without the OS's or CPU's help. A graphical interface (UEFI) is just one of them. One motherboard manufacturer now makes the BIOS Internet-flashable directly from the BIOS interface. You can even directly send a mail to technical support directly from the BIOS. New stuff, as far as I know. Someone threw in a "no big deal", because the technology has been around for 15 years. Really? Despite serious competition that has actually driven Intel out of the business, the other manufacturers are still not offering these conveniences, although I suspect they will soon catch up.

So, the LAN controller and the BIOS are physically and electrically part of increasingly capable motherboards. If the designers want a permanent connection with the Internet, I suspect nothing can prevent them from doing so, unless the cable is detached from the LAN port. I cannot confirm that anyone does it now, but there is nothing that prevents astute engineers from keeping the motherboard connected to the Internet all the time, whether the computer is on or off, whether the OS is on or not, or whether the CPU is on or off -- as long as the on-board battery works. In fact, about 5 volt-amperes are consumed off the grid by a typical computer as it appears to be "turned off", according to my own measurements (the measuring device consumes about 5 VA of its own). Small things are being powered on the computer's main board when most people think the machine is "off". Turning off the PSU reduces external electrical consumption to zero, but, even then, the CMOS battery is still there to give low power to whatever the designers want to power. So, keeping a computer connected to the Internet even with just the CMOS battery is feasible, let alone with the power of a dormant PSU in a turned-off computer.

The same general idea is behind what we hear nowadays of cell phones that are still trackable when turned off.

Someone said that the flashing server could be hacked. Yes. Hacking servers is not futuristic. It's just one of many ways to turn low level communication against the user.

Can future Intel and AMD chipsets do anything to control the integrity of the motherboard in conjunction with SecureBoot? I hope so. Could we threaten to ban manufacturers from selling boards here that surreptitiously communicate outside OS control? That would be interesting.

Plenty of not-so-lazy actors (amateurs, bandits, and states) have already proven their eagerness to push the technical and ethical boundaries of security. So, please, no more soporific allusion to paranoia or false scare.

Pigitus

join:2004-05-18
Arlington, VA
Maybe one way to deal with this problem is a small redesign of LAN circuits. For example, create 3 gates with perhaps 3 chips.

Gate 1 allows current just to POWER the LAN port. The second chip would only allow electricity in the form of DATA signals that flow to and from the motherboard for motherboard purposes only. This is where the direct Internet BIOS flashing data would go through. Gate 3 would channel traditional data traffic (by the OS and by the software it manages).

When the OS disables a connection (e.g., through Windows' Control Panel), electricity would be turned off through gate 1. Gate 3 would do what the OS has traditionally done: channel upper level data to and from the LAN port. The innovation would be for the OS to instruct the motherboard to turn off gate 2 to stop all motherboard-related data traffic. This hard-wired separation of data channels would give the OS and security software a grip on this emerging threat vector.

As far as I know, we currently don't have a threat, because I believe this motherboard manufacturer is doing no more than what it advertises: BIOS-initiated 1) Internet flashing and 2) tech support. Any other traffic could be easily caught and that would destroy its reputation. But I anticipate that the new convenience (the motherboard's increased independence) will create a new threat vector (as typically happens in the IT world).


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 recommendation

reply to dave
No NAT in IPv6. Plan accordingly for the future.


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

Apparently, there are some built-in protections that are part of the IPv6 implementation that should stop most outside attacks from coming into the network. I asked this question of the professor who was teaching my Cisco CCENT class. He confirmed with me that there are protections built into the IPv6 protocol for this very reason.
--
Tom
Tom's Tech Blog


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 recommendation

"the IPv6 implementation"....ummm...OK, some specific implementation, such as Cisco's? All software can have flaws, including any network parts of a UEFI implementation. It all depends on your site's requirements as to what is to be allowed and what isn't, including having some firewall which does not depend on NAT to protect the LAN to which it is attached. Perhaps this could take the form of not allowing traffic which does not correspond to traffic initiated from the LAN (e.g., TCP with only SYN, but others as well). Maybe some site's requirements say that they know they have some percentage of buggy and exploitable UEFI on mainboards, so those have to be isolated or firewalled somehow so they don't end up with malware on them.

As others have pointed out, unless some flaw can be exploited, the most prudent thing a UEFI implementation could do is demand any updates (or anything else for that matter) that it fetches have a valid digital signature. That would seem to be a requirement (perhaps unwritten) of SecureBoot.

One supposedly mandatory to implement but optional to use feature in IPv6 which springs to mind is IPsec, which would use digital signatures and encryption to prove identity and resist tampering. I wonder what specific protections were thought of in that discussion.
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!


Anonymous_
Anonymous
Premium
join:2004-06-21
127.0.0.1
kudos:2

2 recommendations

reply to Pigitus
use a PCI_E ethernet card if you are that worried
--
Live Free or Die Hard...