LightEater malware attacks UEFI BIOSes
I've been wondering about UEFI BIOSes myself for a while now. Sure, they look and work great, but a UEFI BIOS is an OS on its own, and as such rather vulnerable. At the security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments.
An unpatched BIOS can easily be infected with malware or a virus. Motherboards from companies like Gigabyte, Acer, MSI, HP and Asus are at risk, especially if you are not updating your BIOS on a regular basis to the latest revision (and let's be frank here, who does?).
As betanews writes on the topic, introducing the vulnerability, Kallenberg and Kovah said:
So you think you're doing OPSEC right, right? You're going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn't care! BIOS malware doesn't give a shit!
The malware can be used to infect huge numbers of systems by creating SMM (System Management Mode) implants which can be tailored to individual BIOSes with simple pattern matching. A BIOS from Gigabyte was found to be particularly insecure.
We didn't even have to do anything special; we just had a kernel driver write an invalid instruction to the first instruction the CPU reads off the flash chip, and bam, it was out for the count, and never was able to boot again.
The vulnerability is something that has already been exploited by the NSA, but the researchers are encouraging businesses and governments to take the time to install BIOS patches that plug the security hole.
Senior Member
Posts: 743
Joined: 2010-09-02
Saw this coming.
Senior Member
Posts: 1439
Joined: 2014-07-22
I noted in this story the word "implant"...this seems to denote hardware and the implication is that if you cannot get your hands on a machine physically you cannot "implant" and cannot crack secure boot. The nature of this "implant" is murky at best...
Also, nobody knows what the NSA does and what it doesn't do. I'm amazed at all of the self-appointed NSA spokespersons there are for the NSA these days...

I think lots of people may be running their UEFI in Legacy mode without realizing it...run msinfo32 to check...if you see the following two entries you are OK:
Bios mode UEFI
Secure boot state ON
If you have UEFI but you are not using secure boot, those entries will read:
Bios mode LEGACY
Secure boot state OFF
and you are not getting the security benefit of your UEFI when it runs in Legacy mode.
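A PowerShell version of the msinfo32 check from the post above, added here as an example and not taken from the original post: it reads the same two facts (firmware mode and Secure Boot state) and also pulls the BIOS vendor, version and release date so you can compare them against the board vendor's current download. The function name and the 365-day staleness threshold are my own choices.

```powershell
# Added example: report firmware mode, Secure Boot state and BIOS version
# (the facts msinfo32 shows, plus the BIOS release date so the result can be
# compared with the vendor's latest revision). Run from an elevated prompt;
# Confirm-SecureBootUEFI needs admin rights and throws on legacy firmware.

function Get-FirmwareSecurityState {
    # Windows 8 and later set $env:firmware_type to "UEFI" or "Legacy"
    $mode = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    $secureBoot = 'OFF'
    try {
        # Throws PlatformNotSupportedException when booted in legacy/CSM mode
        if (Confirm-SecureBootUEFI) { $secureBoot = 'ON' }
    } catch {
        # Fallback: the registry mirrors the firmware's Secure Boot setting
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
        $v = (Get-ItemProperty -Path $key -Name UEFISecureBootEnabled `
              -ErrorAction SilentlyContinue).UEFISecureBootEnabled
        if ($v -eq 1) { $secureBoot = 'ON' }
    }

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $release = $bios.ReleaseDate   # Get-CimInstance returns this as a DateTime
    [pscustomobject]@{
        BiosMode        = $mode
        SecureBootState = $secureBoot
        BiosVendor      = $bios.Manufacturer
        BiosVersion     = $bios.SMBIOSBIOSVersion
        BiosReleaseDate = $release
        BiosAgeDays     = if ($release) { [int]((Get-Date) - $release).TotalDays } else { $null }
    }
}

$state = Get-FirmwareSecurityState
$state | Format-List

# The post's "you are OK" condition (UEFI mode and Secure Boot ON),
# plus a reminder when the firmware has not been refreshed for a year
if ($state.BiosMode -ne 'UEFI' -or $state.SecureBootState -ne 'ON') {
    Write-Warning 'Not booted in UEFI mode with Secure Boot ON; the firmware protections discussed above are not active.'
}
if ($state.BiosAgeDays -gt 365) {
    Write-Warning "BIOS is $($state.BiosAgeDays) days old; check the board vendor for a newer release."
}
```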
Senior Member
Posts: 13708
Joined: 2013-01-17
If you have an injected kernel driver on the target computer there is no need to do anything more, and you can count such a computer as at your service.
I suspect that a HW programmer can repair a ruined BIOS.
Member
Posts: 25
Joined: 2013-10-02
I just built a computer with a UEFI BIOS and I can understand why it's vulnerable, but the software does make it much easier to update. The motherboard I got (ASUS) came with some management software that downloads and patches the BIOS in seconds, automatically.
I guess the real problem is when ASUS move on and stop supporting that motherboard.
Senior Member
Posts: 815
Joined: 2014-02-23
Maybe now the MB manufacturers will stop saying that updating your BIOS is at your own risk. I try to keep my BIOS up to date but it can be a pain sometimes. I ended up having to flash my current board with the internet option because the USB method failed every time.