85160670 (banned) (Member, joined 2013-09-17, Edmonton, AB)
2015-Mar-19 10:47 pm
Noobs can pwn world's most popular BIOSes in two minutes? Hmmmm .... "Millions of flawed BIOSes can be infected using simple two-minute attacks that don't require technical skills and require only access to a PC to execute. Basic Input/Output Systems (BIOS) have been the target of much hacking research in recent years since low-level p0wnage can grant low-level attackers the highest privileges, persistence and stealth. LegbaCore researchers Xeno Kovah and Corey Kallenberg revealed the threat to El Reg ahead of a presentation How Many Million BIOSes Would You Like to Infect? at CanSecWest tomorrow. "Because almost no one patches their BIOSes, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected," Kovah says. "The high amount of code reuse across UEFI BIOSes means that BIOS infection can be automatic and reliable" ... [ » www.theregister.co.uk/20 ··· es_hack/ ]

dave (Premium Member, joined 2000-05-04, not in ohio)
2015-Mar-19 10:52 pm
Requires physical access, apparently.

TheMG (Premium Member, joined 2007-09-04, Canada), to 85160670
I've always gone under the assumption that if someone's got physical access to a computer, they can do pretty much anything.
Heck, even in the old days when BIOSes were stored on UV-erasable EPROM chips, someone could theoretically pop the computer open and swap out the chip for one containing malicious code.

dave (Premium Member, joined 2000-05-04, not in ohio)
2015-Mar-20 7:13 am
True, but I wouldn't call this nothing. Specifically, the Register article points out that this means you're not automatically safe by booting up a trusted live CD on untrusted hardware.

pandora (Premium Member, joined 2001-06-01, Outland), to TheMG
said by TheMG: "I've always gone under the assumption that if someone's got physical access to a computer, they can do pretty much anything."
I assume if a BIOS can be flashed, it can be hacked regardless of physical access to the device.

nony (Premium Member, joined 2012-11-17, New York, NY), to TheMG
2015-Mar-20 8:56 am
said by TheMG: "I've always gone under the assumption that if someone's got physical access to a computer, they can do pretty much anything."
Physical access? I am pretty certain that we virtualized physical access a (long) time ago.

85160670 (banned) (Member, joined 2013-09-17, Edmonton, AB)
2015-Mar-20 10:52 am
Will the TRUTH see the light? .... "CANSECWEST VANCOUVER 2015 CanSecWest focuses on emerging information security research and topics such as auditing, penetration and applied digital security. UEFI Forum member, Vincent Zimmer of Intel, will present "UEFI, Open Platforms and the Defender's Dilemma." This session targets end-users and other parties building a hardened UEFI-based platform with open source EDK II and fully open-source platform code. Information on the UEFI and PI specifications as well as open source implementations like Tianocore will be included." ... [ » www.uefi.org/node/851 ]

85160670 (banned) (Member)
2015-Mar-20 11:02 am
Hmmm ... "DLL Hijacking' on OS X? #@%& Yeah! - Patrick Wardle @patrickwardle, Synack. Remember DLL hijacking on Windows? Well, turns out that OS X is fundamentally vulnerable to a similar attack (independent of the user's environment). By abusing various 'features' and undocumented aspects of OS X's dynamic loader, this talk will reveal how attackers need only to plant specially-crafted dynamic libraries to have their malicious code automatically loaded into vulnerable applications. Through this attack, adversaries can perform a wide range of malicious actions, including stealthy persistence, process injection, security software circumvention, and even 'remote' infection. So come watch as applications fall, Gatekeeper crumbles (allowing downloaded unsigned code to execute), and 'hijacker malware' arises - capable of bypassing all top security and anti-virus products! And since "sharing is caring" leave with code and tools that can automatically uncover vulnerable binaries, generate compatible hijack libraries, or detect if you've been hijacked." [ » cansecwest.com/speakers.html ] & "Apple OS X at Risk From DLL Hijacking Exploit" [ » www.eweek.com/security/a ··· oit.html ]

Kearnstd (Space Elf, Premium Member, joined 2002-01-22, Mullica Hill, NJ), to 85160670
Losing physical access control means you lost the data anyway. Most people do not encrypt the drive either.
As for why no BIOS gets updated: simple, if it turns on people think it's fine. Drivers remind you to update. And people Google how to do a BIOS update and find horror stories of bricked machines because of a failed update. So they simply never do it.

to Kearnstd
said by Kearnstd: "As for why no BIOS gets updated: simple, if it turns on people think it's fine. Drivers remind you to update. And people Google how to do a BIOS update and find horror stories of bricked machines because of a failed update. So they simply never do it."
It does not help that to this day many manufacturers still recommend against performing such updates unless trying to fix a specific issue that is occurring. Most, sadly, do not consider a security weakness to be such a case.

dave (Premium Member, joined 2000-05-04, not in ohio)
2015-Mar-21 10:15 am
BIOS update is inherently risky (especially in light of my maxim that 'firmware is software written by hardware engineers' - which is a snide elitist insult in case you don't get it) so it is a good thing to suggest not updating unless you need to. Changing the BIOS can change the entire machine behavior, not to mention the risks inherent in failed updates. I've been implicitly 'testing' my current BIOS for a couple of years; what guarantees do I have about a new version? I don't want 'BIOS update Tuesdays', thanks.
For a 'security' issue, I would decide whether or not to update based on my opinion of the risk. I can't see a physical-access issue on my desktop machine worrying me a whole lot.

85160670 (banned) (Member, joined 2013-09-17, Edmonton, AB)
2015-Mar-21 10:35 am
S_M_A_R_T ...... dave, seldom that BIOS borked {{{ SMILE }}} "Introducing the vulnerability, Kallenberg and Kovah said: So you think you're doing OPSEC right, right? You're going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn't care! BIOS malware doesn't give a shit! The malware can be used to infect huge numbers of systems by creating SMM (System Management Mode) implants which can be tailored to individual BIOSes with simple pattern matching. A BIOS from Gigabyte was found to be particularly insecure. We didn't even have to do anything special; we just had a kernel driver write an invalid instruction to the first instruction the CPU reads off the flash chip, and bam, it was out for the count, and never was able to boot again" ... [ » betanews.com/2015/03/21/ ··· at-risk/ ]

to dave
said by dave: "BIOS update is inherently risky (especially in light of my maxim that 'firmware is software written by hardware engineers' - which is a snide elitist insult in case you don't get it) so it is a good thing to suggest not updating unless you need to."
I wasn't implying whether I agreed or not. It should be noted that "physical access" is getting blurred. The OP's article reference pounces on the fact that BIOSes aren't updated regularly and that it is the end-user's fault. Your point supports my point that this isn't really an end-user problem.
It seems everyone and his uncle is trying to jump on the "publicize security risk" bandwagon by hyping even the most irrelevant items. Not that there isn't a specific concern in most cases, but it seems that they are being blown far out of proportion in many cases. While reading that article I started to lose faith in what is to be demonstrated. This quote:
"Then we'll boot up the infected HP system and show how LightEater can use the Intel Serial Over LAN technology to exfiltrate data from SMM (System Management Mode), without needing a NIC-specific driver. And we'll show the uber1337 'rot13' encryption which will blind network defenders to what the SMM attacker is exfiltrating," he says.
almost made me stop reading. There really isn't much substance there at all, let alone for anything not already known. To start with, rot13 is nothing more than simple obfuscation that has been around for at least four decades. There are an infinite number of ways to do that (i.e. it is nothing special and certainly far from 'uber1337').

dave (Premium Member, joined 2000-05-04, not in ohio)
2015-Mar-21 11:07 am
I assumed the part about rot13 was sarcastic commentary (as in, any trivial crap will fool the average user).

to dave
said by dave: "...'firmware is software written by hardware engineers' - which is a snide elitist insult in case you don't get it..."
Yup, I get it. BTW software is something written by people that think that everything is virtual (no hardware).
PS: I haven't updated a BIOS in over a decade.
PPS: I have disassembled, patched, and flashed BIOS'es in the past despite being a "hardware engineer".

Bill_MI (Bill In Michigan, MVM, joined 2001-01-03, Royal Oak, MI), to dave
said by dave: "BIOS update is inherently risky (especially in light of my maxim that 'firmware is software written by hardware engineers'"
A simple write-protect switch/jumper to Flash solves the problem. Oh... geeze... programmers will want to make it a soft config bit... don't they ever learn?

StuartMW (Premium Member)
2015-Mar-21 11:41 am
said by Bill_MI: "... don't they ever learn?"
No

StuartMW, to Bill_MI
Old EE saying: "Beware of programmers with screwdrivers."

Bill_MI (Bill In Michigan, MVM, joined 2001-01-03, Royal Oak, MI)
In all seriousness, the old security-vs-convenience is in full play here. Jumperless motherboards are convenient, yet the cost of BIOS security is directly sacrificed.
And yes, you *should* need a screwdriver to Flash BIOS. Problem solved.
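The "soft config bit" that replaced the jumper on Intel platforms is a handful of chipset registers: BIOS_CNTL (BIOSWE, BLE, SMM_BWP) and the SPI Protected Range registers PR0..PR4. The snippet below is an added example for this thread, not code from any poster or vendor: it decodes constructed register values the way CHIPSEC's common.bios_wp module does and reports whether the BIOS region is actually write-protected. Bit positions are taken from the Intel 6/7 Series PCH datasheet (BIOS_CNTL at LPC D31:F0 offset DCh); later chipsets rename the bits (WPD/LE/EISS), so treat the layout as an assumption to check against your own datasheet. The flash layout (8 MiB, BIOS region in the upper half) is likewise made up for the demo.

```c
/* bios_wp_check.c: decode the Intel PCH SPI "soft" BIOS write-protection bits.
 * Added example for this thread, not code from any poster or vendor.
 * Bit layouts follow the Intel 6/7 Series PCH datasheet: BIOS_CNTL at
 * LPC D31:F0 offset DCh, PR0..PR4 in the SPIBAR MMIO window. Later PCHs
 * rename the bits (WPD/LE/EISS), so check your datasheet. Register values
 * in main() are constructed for the demo, not read from hardware. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define BIOSWE  (1u << 0)   /* BIOS Write Enable: 1 = BIOS region writable */
#define BLE     (1u << 1)   /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define SMM_BWP (1u << 5)   /* only code running in SMM may write the region */

#define PR_WPE  (1u << 31)  /* per-range Write Protection Enable */
#define NUM_PR  5

enum wp_state {
    WP_NONE,            /* flash writable from the OS: what a BIOS implant needs */
    WP_SOFT_LOCK_ONLY,  /* BLE set without SMM_BWP: depends on the SMI handler */
    WP_PR,              /* Protected Range registers cover the whole BIOS region */
    WP_BIOS_CNTL        /* BIOSWE=0, BLE=1, SMM_BWP=1: the "PASSED" case */
};

/* PRx: bits 12:0 = base page, bits 28:16 = limit page, both 4 KiB units. */
static uint32_t pr_base(uint32_t pr)  { return (pr & 0x1FFFu) << 12; }
static uint32_t pr_limit(uint32_t pr) { return (((pr >> 16) & 0x1FFFu) << 12) | 0xFFFu; }

/* True when every 4 KiB page of [lo, hi] lies in some range with WPE set. */
static bool pages_covered(const uint32_t pr[NUM_PR], uint32_t lo, uint32_t hi)
{
    for (uint64_t page = lo & ~0xFFFu; page <= hi; page += 0x1000u) {
        bool hit = false;
        for (int i = 0; i < NUM_PR && !hit; i++)
            hit = (pr[i] & PR_WPE) && page >= pr_base(pr[i]) && page <= pr_limit(pr[i]);
        if (!hit)
            return false;
    }
    return true;
}

/* Same decision CHIPSEC's common.bios_wp module makes from these registers. */
enum wp_state bios_wp_state(uint8_t bios_cntl, const uint32_t pr[NUM_PR],
                            uint32_t bios_lo, uint32_t bios_hi)
{
    bool we  = bios_cntl & BIOSWE;
    bool ble = bios_cntl & BLE;
    bool bwp = bios_cntl & SMM_BWP;

    if (!we && ble && bwp)
        return WP_BIOS_CNTL;
    if (pages_covered(pr, bios_lo, bios_hi))
        return WP_PR;
    if (!we && ble)
        return WP_SOFT_LOCK_ONLY;
    return WP_NONE;
}

static const char *wp_name(enum wp_state s)
{
    static const char *names[] = { "NOT PROTECTED", "BLE only (no SMM_BWP)",
                                   "protected ranges", "BIOS_CNTL lock" };
    return names[s];
}

int main(void)
{
    /* Constructed 8 MiB flash with the BIOS region in the upper half. */
    const uint32_t bios_lo = 0x800000u, bios_hi = 0xFFFFFFu;
    const uint32_t none[NUM_PR] = { 0 };
    /* PR0: WPE, limit page 0xFFF, base page 0x800 -> covers the whole region. */
    const uint32_t pr_full[NUM_PR] = { PR_WPE | (0xFFFu << 16) | 0x800u, 0, 0, 0, 0 };
    /* PR0 ends one page early, so the last 4 KiB stays writable. */
    const uint32_t pr_gap[NUM_PR]  = { PR_WPE | (0xFFEu << 16) | 0x800u, 0, 0, 0, 0 };

    printf("BLE+SMM_BWP      : %s\n", wp_name(bios_wp_state(BLE | SMM_BWP, none, bios_lo, bios_hi)));
    printf("BIOSWE + full PR : %s\n", wp_name(bios_wp_state(BIOSWE, pr_full, bios_lo, bios_hi)));
    printf("BIOSWE + gap PR  : %s\n", wp_name(bios_wp_state(BIOSWE, pr_gap, bios_lo, bios_hi)));
    printf("BLE only         : %s\n", wp_name(bios_wp_state(BLE, none, bios_lo, bios_hi)));
    return 0;
}
```

On a 6/7 Series machine the real BIOS_CNTL byte can be read with `setpci -s 00:1f.0 dc.b` (as root) and fed to `bios_wp_state`; the PRx values live in the SPIBAR MMIO window and need a kernel-mode reader such as CHIPSEC. The gap case is the one worth remembering: a protected-range setup that leaves even one page of the BIOS region uncovered is reported as not protected, because that page is exactly where an implant would go.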
StuartMW (Premium Member)
2015-Mar-21 12:06 pm
Most BIOS flashers I've used require the uP to be in real mode vs protected mode (what Windows and most other OSes use). That requires a reboot and booting (into MS-DOS or equiv.) off a CD/USB drive (or floppy in years gone).

Bill_MI (Bill In Michigan, MVM, joined 2001-01-03, Royal Oak, MI)
I know Dell can update BIOS from Windows. ICBW but I don't think it requires a reboot to actually do it - that the reboot is just to get new settings. Scary!

dave (Premium Member, joined 2000-05-04, not in ohio), to Bill_MI
No, I mean risky in the sense that if something goes wrong during the BIOS update, you may end up with a broken machine. Which previously was working just fine, except someone told you that you 'needed' to update it.

Bill_MI (Bill In Michigan, MVM, joined 2001-01-03, Royal Oak, MI)
I didn't mean to imply it wasn't risky. It surely is when you change system-critical code. Kill power during the process to assure destruction. "Physical access" is still a layered concept. Like a USB port vs. motherboard jumpers being quite a different attack surface. And I trust you with a screwdriver, Dave (is he laughing?).

to StuartMW
said by StuartMW: "Most BIOS flashers I've used require the uP to be in real mode vs protected mode (what Windows and most other OSes use). That requires a reboot and booting (into MS-DOS or equiv.) off a CD/USB drive (or floppy in years gone)."
There is no outside signal signalling that the CPU is in real mode. It is done for convenience, to simplify the software for the timing of the output cycles used to access the flash. You can very well flash the BIOS in protected mode too.

Nanaki (banned) (aka novaflare, joined 2002-01-24, Akron, OH), to Shady Bimmer
Are there any BIOS variants that can be flashed from within Windows out there that are common? I know some of the geekier motherboards had that ability. But are they in common use?

StuartMW (Premium Member)
2015-Mar-21 2:51 pm
I haven't seen a BIOS flash program that actually does the work from within Windows. What I have seen is Windows programs that schedule a boot-time console program to run at the next reboot--that is, before Windows is running.
Every flasher I've seen requests a hardware reset (or power cycle) after programming.

to StuartMW
said by StuartMW: "Most BIOS flashers I've used require the uP to be in real mode vs protected mode (what Windows and most other OSes use). That requires a reboot and booting (into MS-DOS or equiv.) off a CD/USB drive (or floppy in years gone)."
Many manufacturers, for a very long time, have provided Windows utilities that stage the firmware for activation upon reboot. "Segmented" EEPROMs make this much easier (and safer). At one time a jumper had to be moved to enable the update process (by any means) but that functionality is largely disappearing. Many manufacturers now also offer "recovery" options, though these generally require a jumper be set or moved. No special booting is required - just a USB device formatted FAT with the BIOS image file. No OS or OS support is needed. I haven't had to boot from or use a DOS-bootable device, or any extra device for that matter, to update firmware in a very long time.

Shady Bimmer, to Nanaki
said by Nanaki: "Are there any BIOS variants that can be flashed from within Windows out there that are common? I know some of the geekier motherboards had that ability. But are they in common use?"
Intel, Dell, HP, IBM, Asus, SuperMicro all have such options. In fact many extend this with centralized management utilities for corporate/enterprise environments. "Push" the BIOS update from a central console, receive confirmation the updates are complete, then reboot. These all have Windows-based installers that do not require booting off another device, and in several cases heavily recommend that option over others.

StuartMW (Premium Member)
2015-Mar-21 3:30 pm
said by Shady Bimmer: "These all have Windows-based installers..."
Just in case the distinction isn't clear. To my knowledge these (Windows) programs simply schedule/stage the flash update process at the next reboot (as a console program) and don't flash the BIOS "live" while Windows is running. I've also seen some console programs that allow the process to be cancelled or require confirmation before proceeding. My point is that I don't think standard BIOS flashers are "silent" (a malicious one could be, of course). Users ignoring, or not seeing, such notifications is another matter.

to dave
said by dave: "No, I mean risky in the sense that if something goes wrong during the BIOS update, you may end up with a broken machine. Which previously was working just fine, except someone told you that you 'needed' to update it."
This is where segmented EEPROMs are becoming far more common. There are actually at least two copies of the BIOS/firmware that may be used during boot. The update process typically follows a simple process:
1) Verify and validate image used as source.
2) Erase and re-flash one segment with new image.
3) Verify and validate updated segment.
4) Erase and re-flash alternate segment with new image.
5) Verify and validate alternate updated segment.
6) Power cycle.
If anything goes wrong during the update of the first copy, the alternate copy (which hasn't been touched) would be used for boot. If anything goes wrong during update of the alternate copy, the first copy (which has been successfully updated and validated) would be used to boot. Some update processes will stage the new image in a small bit of NVRAM, to be used to update both copies during reboot, and others will actually update the first copy live and update the second copy on reboot. This process is largely transparent but has been in place in some form for many years. In fact some boards (Asus, Intel, IBM at least) have an independent emergency BIOS that is never touched and is specifically used to recover from a catastrophic update failure.
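The six-step sequence above, simulated as an added example that is not part of any post or of any vendor's updater. The two "segments" are tiny in-memory banks, each carrying a version byte, a payload and a CRC-32 trailer (all invented for the demo), and a power cut can be injected at any byte of either write. It shows why the order matters: a failure while writing copy A leaves the untouched copy B bootable, a failure while writing copy B leaves the already-verified copy A bootable, and a bad source image never gets past step 1. The caveat a practitioner should keep in mind is that a CRC only detects corruption; what keeps an attacker's image out in step 1 is a signature check against a vendor key, which this demo does not implement.

```c
/* ab_flash_update.c: the two-copy ("segmented") update sequence from the post,
 * simulated with power-loss injection. Added example for this thread, not
 * vendor code: the bank layout, version byte and CRC-32 trailer are invented
 * for the demo. Real updaters verify a vendor signature in step 1 as well;
 * a CRC only catches corruption, not a deliberately modified image. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BANK_SIZE 64            /* tiny flash banks: [version][payload...][crc32 LE] */
#define PAYLOAD_LEN (BANK_SIZE - 1 - 4)

struct bank  { uint8_t data[BANK_SIZE]; };
struct flash { struct bank a, b; };   /* two copies of the firmware */

/* Standard reflected CRC-32 (polynomial 0xEDB88320), bitwise for brevity. */
static uint32_t crc32(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Build a valid image: version byte, payload text, CRC-32 trailer. */
static struct bank make_image(uint8_t version, const char *payload)
{
    struct bank b;
    memset(b.data, 0, BANK_SIZE);
    b.data[0] = version;
    strncpy((char *)&b.data[1], payload, PAYLOAD_LEN - 1);
    uint32_t c = crc32(b.data, BANK_SIZE - 4);
    for (int i = 0; i < 4; i++)
        b.data[BANK_SIZE - 4 + i] = (uint8_t)(c >> (8 * i));
    return b;
}

/* Steps 1, 3 and 5: does the trailer CRC match the contents? */
static bool bank_valid(const struct bank *b)
{
    uint32_t stored = 0;
    for (int i = 0; i < 4; i++)
        stored |= (uint32_t)b->data[BANK_SIZE - 4 + i] << (8 * i);
    return stored == crc32(b->data, BANK_SIZE - 4);
}

/* Steps 2 and 4: erase (all bits to 1), then program byte by byte.
 * fail_after >= 0 aborts before that byte, as a power cut would. */
static bool program_bank(struct bank *dst, const struct bank *img, int fail_after)
{
    memset(dst->data, 0xFF, BANK_SIZE);
    for (int i = 0; i < BANK_SIZE; i++) {
        if (i == fail_after)
            return false;
        dst->data[i] = img->data[i];
    }
    return true;
}

/* The six-step sequence. Returns 0 on success, -1 if the source image is bad,
 * 1 if copy A failed (B untouched), 2 if copy B failed (A already good). */
int update(struct flash *f, const struct bank *img, int fail_a, int fail_b)
{
    if (!bank_valid(img))                                         /* 1 */
        return -1;
    if (!program_bank(&f->a, img, fail_a) || !bank_valid(&f->a))  /* 2, 3 */
        return 1;
    if (!program_bank(&f->b, img, fail_b) || !bank_valid(&f->b))  /* 4, 5 */
        return 2;
    return 0;                                                     /* 6: power cycle */
}

/* What the boot ROM does after the power cycle: newest valid copy wins. */
const struct bank *select_boot_bank(const struct flash *f)
{
    bool va = bank_valid(&f->a), vb = bank_valid(&f->b);
    if (va && vb) return f->a.data[0] >= f->b.data[0] ? &f->a : &f->b;
    if (va) return &f->a;
    if (vb) return &f->b;
    return NULL;   /* both corrupt: only an untouched recovery ROM helps now */
}

/* Run one scenario: both banks start at v1, the update image is v2.
 * Returns the version that would boot afterwards, or -1 for a brick. */
int boot_version_after(int fail_a, int fail_b, bool tamper_image)
{
    struct flash f = { make_image(1, "v1 firmware"), make_image(1, "v1 firmware") };
    struct bank img = make_image(2, "v2 firmware");
    if (tamper_image)
        img.data[5] ^= 0x01;          /* one flipped bit: must be rejected in step 1 */
    update(&f, &img, fail_a, fail_b);
    const struct bank *boot = select_boot_bank(&f);
    return boot ? boot->data[0] : -1;
}

int main(void)
{
    printf("clean update        -> boots v%d\n", boot_version_after(-1, -1, false));
    printf("power cut during A  -> boots v%d\n", boot_version_after(20, -1, false));
    printf("power cut during B  -> boots v%d\n", boot_version_after(-1, 20, false));
    printf("tampered image      -> boots v%d\n", boot_version_after(-1, -1, true));
    return 0;
}
```

The "stage in NVRAM, update both copies on reboot" variant the post mentions is the same state machine with `update` run by the boot code instead of the OS-side utility; the invariant both variants keep is that at no point are both copies erased or half-written at once.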