Jump to content

Easy-peasy BIOS flaw takes just two minutes to exploit


Recommended Posts

http://cdn.mos.techradar.com/art/TRBCNews/BIOS-screen-470-75.jpg

Two security researchers have discovered a flaw in millions of computer BIOSes that can be exploited by anyone regardless of their technical ability.

The attack takes just two minutes to carry out, LegbaCore research Xeno Kovah and Corey Kallenberg told The Register, and that the lack of BIOS patches that have been installed means that practically every BIOS out there is open to infection.

"The point is less about how vendors don't fix the problems, and more how the vendors' fixes are going un-applied by users, corporations, and governments," Kovah said, ahead of a presentation they're giving at the CanSecWest gathering.

An unnerving precedent

Their presentation, entitled "How Many Million BIOSes Would You Like to Infect", will be given today and looks to discuss and highlight the dangers of BIOS attacks and in the process persuade system administrators to apply vendor patches, which is not being done.

The two showed how easy it is to use the LightEater implant running the Talis platform to pilfer GPG keys from memory through the BIOS on Gigabyte, Acer, MSI, HP and Asus. In this case it could be used to steal passwords and encrypted communications.

Kovah went on to explain that an unskilled attacker would only need two minutes of physical access to use LightEater to gain access to the target machine.

"We'll boot up the infected HP system and show how LightEater can use the Intel Serial Over Lan technology to exfiltrate data from SMM (System Management Mode), without needing a NIC-specific driver. And we'll show the uber1337 'rot13' encryption which will blind network defenders to what the SMM attacker is exfiltrating," he added.

Gigabyte most unsecure

Among the most unsecure BIOSes was Gigabyte's, where poor access controls meant that nothing was preventing attacks.

"So we didn't even have to do anything special. We just had a kernel driver write an invalid instruction to the first instruction the CPU reads off the flash chip, and bam, it was out for the count, and never was able to boot again," Kovah said.

As part of the presentation, they will reveal details of an automated script that was given to vendors. It can detect dangerous attacks against SMM capable of reading and writing all to system memory and the two researchers will be hoping their presentation can change the attitudes of administrators and end users.

http://rss.feedsportal.com/c/669/f/415085/s/44959f7a/sc/4/mf.gif


http://da.feedsportal.com/r/223515178196/u/49/f/415085/c/669/s/44959f7a/sc/4/rc/1/rc.img
http://da.feedsportal.com/r/223515178196/u/49/f/415085/c/669/s/44959f7a/sc/4/rc/2/rc.img
http://da.feedsportal.com/r/223515178196/u/49/f/415085/c/669/s/44959f7a/sc/4/rc/3/rc.img

http://da.feedsportal.com/r/223515178196/u/49/f/415085/c/669/s/44959f7a/sc/4/a2.imghttp://pi.feedsportal.com/r/223515178196/u/49/f/415085/c/669/s/44959f7a/sc/4/a2t.imgOkYhOM734XE
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...