How Many Million BIOSes Would you Like to Infect?

Abstract

Because people don’t ever patch their BIOSes, it is extremely likely that the vast majority of systems in the wild are vulnerable to at least one known exploit. We made public the details of the new SMM “Incursion” vulnerabilities (CERT VU#631788, reported Oct 29th), which can be found automatically from SMM dumps. We showed the “LightEater” SMM implant stealing GPG keys/passwords/decrypted messages from Tails on an MSI system. We also showed how an unskilled attacker can infect a BIOS with an off-the-shelf Dediprog programmer, by just pressing the start button. This was done against an HP system, from which LightEater subsequently used Intel Serial-Over-LAN to exfiltrate data over the network in a NIC-agnostic way. We also showed infecting an Asus system, with LightEater installing kernel-mode rootkit-style hooks into Windows 10 preview, to get notified every time a process loads. We then provided data analysis evidence that indicated that UEFI systems are mostly homogeneous as far as an attacker is concerned, and consequently thousands of BIOSes could easily be hooked for the insertion of implants in an automated fashion.

Publication
In CanSecWest 2015

Unfortunately CanSecWest never released the video of this talk.

Xeno Kovah
Dark Mentor Level X

Hacking firmware like it’s no big deal.