Security bug shows how BIOSes of most manufacturers are prone to infection

The BIOS, or basic input/output system, is the program used by a processor to get a computer to start up successfully. It is a small piece of software designed by the computer manufacturer that is mostly untouched and rarely modified. Although the BIOS is a difficult place for malware to get into, once embedded, the malware enjoys a seat of power and is very difficult to remove. There are very few well-documented in-the-wild attacks involving the BIOS, which has led to manufacturers being lax about security updates. In fact, most never update their BIOS at all. This means there are a lot of vulnerabilities that could easily be exploited by cyber criminals.

A BIOS malware outbreak could result in millions of systems getting infected

At the CanSecWest security conference held recently, researchers from LegbaCore demonstrated how even unskilled people could hack into a BIOS within a short span of time. In a presentation entitled ‘How many million BIOSes would you like to infect?’, they explained how an implant called LightEater could cause a large-scale BIOS infection due to the lack of fixes and updates.

In the presentation, the researchers said:

“We showed how an unskilled attacker can infect a BIOS with an off-the-shelf Dediprog programmer by just pressing the start button, this was done against an HP system, from which LightEater subsequently used Intel Serial-Over-LAN to exfiltrate data over the network in a NIC-agnostic way. We also showed infecting an Asus system, with LightEater installing kernel-mode rootkit style hooks into Windows 10 preview, to get notified every time a process loads.”

Many BIOS vulnerabilities discovered in the past have simply been overlooked by manufacturers, which means they are still present. Since the vulnerabilities are out in the open, such systems are sitting ducks for any cyber criminal willing to try. Most computer manufacturers are affected, including Gigabyte, Acer, MSI, HP and Asus.

Infection can easily be automated and reproduced

Since most UEFI BIOSes use similar code, the infection procedure can easily be automated by malware writers. This makes BIOS malware versatile and easy to reproduce. SMM (System Management Mode) implants can be easily tailored for various types of BIOS by using simple pattern-matching techniques. The researchers said:

“We provided data analysis evidence that indicated that UEFI systems are mostly homogenous as far as an attacker is concerned, and consequently thousands of BIOSes could easily be hooked for the insertion of implants in an automated fashion.”

At the heart of LightEater is an x86 architecture vulnerability which arises from the fact that SMM code can read and write everyone’s memory. This takes most security measures, like virtualization and live CDs, out of the picture until a fix is applied. The good news is that some manufacturers like Dell and Lenovo have acknowledged this issue and are patching their systems, or at least promising to do so.

BIOS malware is incredibly hard to detect and remove, but having an up-to-date anti-malware program can prevent your computer from getting infected in the first place.

Have a nice (malware-free) day!

  • Glenn McGrew II

    I’d really like to know which manufacturers are actually proven to be proactive about this already ancient issue. Do you know?

  • Владимир Крылов

    UEFI is very inconvenient, and I think that if a virus gets in there, it can no longer be removed.