LightEater malware attack places millions of unpatched BIOSes at risk

[silicon_toad2000]

http://betanews.com/2015/03/21/lighteater-malware-attack-places-millions-of-unpatched-bioses-at-risk/

Two minutes is all it takes to completely destroy a computer. In a presentation entitled "How many million BIOSes would you like to infect?" at security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments.

The attack could be used to render a computer unusable, but it could also be used to steal passwords and intercept encrypted data. The problem affects motherboards from companies including Gigabyte, Acer, MSI, HP and Asus. It is exacerbated by manufactures reusing codes across multiple UEFI BIOSes and places home users, businesses and governments at risk.

Talking to The Register, Kopvah explained that the problem is made worse because of the fact that very few people take the trouble to update their BIOS. This is something the pair are hoping to change by highlighting the ease with which an unpatched BIOS can be infected with malware.

Introducing the vulnerability, Kallenberg and Kovah said:

   

So you think you're doing OPSEC right, right? You're going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn't care! BIOS malware doesn't give a shit!

The malware can be used to infect huge numbers of systems by creating SMM (System Management Mode) implants which can be tailored to individual BIOSes with simple pattern matching. A BIOS from Gigabyte was found to be particularly insecure.

   

We didn't even have to do anything special; we just had a kernel driver write an invalid instruction to the first instruction the CPU reads off the flash chip, and bam, it was out for the count, and never was able to boot again.

The vunerability is something that has already been exploited by the NSA, but the researchers are encouraging businesses and governments to take the time to install BIOS patches that plug the security hole.

[White Stripes]

i still dont know why motherboard vendors dont include the 'bios write protect' jumper anymore...

[GhostShip]

I,m puzzled, how is this not new vunerability leveraged without physical access to the machine ?

We all know of such issues in real life but the access requirements allow us to sleep easy, is this story about a peice of code that writes the bios while the main o/s is running or something else ?

[White Stripes]

....just had a kernel driver write an invalid instruction....

...writes the bios while the main o/s is running...

yep... need root (or admin as windows calls it) to do it tho... harder to get on a linux/unix (mac.. android..) system than a typical windows install so the code could be delivered in anything from a worm to a 'look at this' trojan email...

[Pri]

It's possible to for example visit a malicious website that uses a vulnerability in the browser to jump out of the browsing sandbox to the OS then use another vulnerability in the OS to get kernel level access and then execute the instruction to overwrite part of the BIOS making the system unbootable.

The only fix then would be to either get a new BIOS chip or own a motherboard that allows you to flash the BIOS using zeroboot via a USB stick. Some Asus motherboards support this feature, my own one does and many of their newer boards from 2012+. Basically you load the BIOS firmware on a USB flash drive and at the back of the motherboard is a USB port clearly labelled for BIOS updates only, it's usually flipped vertically from the other USB. You put the stick there, apply power to the board (but it doesn't need to be booted or even have RAM or a CPU installed) and then hit the Flash button at the back of the I/O panel.

I'm glad Asus added that functionality. Also if you have a motherboard with IPMI (this is rarer on consumer stuff, mainly found on server and workstation boards) you can flash the BIOS over a network connection through a webpage hosted by a daughter board / auxiliary chipset on the motherboard and that too would fix the BIOS after being corrupted.

Another safe guard if you have a board with dual BIOS chips, many do now, including my own, most of Gigabytes and Asus's boards include this feature you can simply hit a button on the motherboard or switch a jumper to switch chips allowing you to re-flash the broken chip. Just obviously don't boot back in to your operating system until you've reflashed the bad chip incase whatever caused the problem is still there.

And finally you can just buy a new BIOS chip pre-flashed with your motherboards firmware. I've done this in the past for a server board that was too outdated for me to update as it didn't support the CPU I intended to use in it, this is the company I used and they charge about $13 for a chip which is small potatoes really: http://www.bios-chip24.com/ they had the new chip to me within 3 days and it worked perfectly, had the exact firmware on it that I requested and booted fine.