Firmware Bugs – It’s The New “In” Thing

Wired wrote a piece about an attack that some researchers presented at Blackhat that represents an interesting attack that we don’t have a good solution for.  Wired says:

“For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”

So what did the researchers do?  They looked at the firmware (what we used to call the BIOS and now call the UEFI) and found out that on PCs (like HP and Lenovo, for example) that the firmware is not cryptographically signed so anyone who can get a program to run on the machine can replace the manufacturer’s firmware with their infected firmware.  Formatting the disk or even replacing the disk will not get rid of this kind of malware because the master copy of it does not live on the disk.

Then they said “I wonder if these same PC attacks would work on a Mac?” and the researchers say that 5 out of 6 attacks worked on Macs as well as PCs.

This is the kind of attack that intelligence agencies love because you cannot get rid of it and in fact, most people would not even be able to detect it.

The next question that they addressed is how do we get the malware into the Mac.  Besides the obvious answer of getting a user to click on something and exploit a flaw to get it installed, they came up with another answer that they say works.

The researchers created a worm they dubbed Thunderstrike 2.  This worm, only one of likely many possible ways to infect the device, uses something called the option ROM on many peripherals to hide the malware that infects the firmware.

You take a device that has an option ROM like a Thunderbolt Ethernet adapter and either infect it at the factory or sell infected used ones at places like eBay.

When the user plugs the device in, the malware is triggered and the firmware reflashed, all in seconds according to the article.

At that point, for most users, you take you Macbook out to the driveway and run over it with the car.  (Remember that this attack is not limited to Macs;  it is just what these authors tested and presented at Blackhat).

One “neat” thing about this is that if that infected device is moved between computers, it will infect whatever computer it gets connected to.  Granted the attackers can’t control what computers you plug that device into and when, but if they are patient, they could get to infect air gapped machines.

This is not a whole lot different than the “candy drop” technique of dropping infected USB flash drives outside the building of a company and waiting for just one person to plug it in out of curiosity and infect the company’s network.

The difference here is that the infection lives inside the firmware instead of on the disk.

Computer makers could solve this problem by signing their code and checking the signatures, but apparently, they don’t do that.

Caveat:  I am only reporting on what Wired said ;  I don’t have any first hand knowledge.  However, conceptually, this is no different than the disk drive firmware infection that was reported on earlier this year that was attributed to the NSA.

Definitely interesting times.


Information for this post came from Wired.

Leave a Reply

Your email address will not be published. Required fields are marked *