So recently, I read about
how two researchers were able to hack into the BIOS firmware of a computer, a
feat that everyone previously thought was only possible if you were the NSA or
some other heavily funded government organization.
I actually wrote about
this topic maybe a month ago and I am surprised to hear about BIOS hacking so
soon after my other related blog post, especially when it isn’t being done by
the NSA. For anyone who is unfamiliar with what the BIOS firmware does, BIOS is
responsible for booting a computer and helps with loading the operating system.
Business Insider states that, “by infecting this core software, which operates
below antivirus and other security products and therefore is not usually
scanned by them, spies can plant malware that remains live and undetected even
if the computer’s operating system were wiped and re-installed.” In other
words, by infecting the computer’s low level BIOS firmware, the malware is
nearly undetectable by most antivirus software.
The researchers showed
how the hacking could be done by remote exploitation or through a physical
interaction. The two researchers discovered what they called “incursion
vulnerabilities,” which allow them to access the BIOS. The scary part is how once
the BIOS is broken into, a hacker can take control of the entire computer. As
these researchers demonstrated, hackers can exploit their newfound power to
steal passwords and surveil and steal other data. One can imagine how greatly
the NSA must benefit from this kind of spying technique.
It was discovered that out
of 10,000 enterprise-grade machines, 80% of them have at least one BIOS
vulnerability. These machines include PCs from Dell, Lenovo, and HP. As a
Stevens student who was given an HP laptop upon entering the school, this is
even more thrilling news to my ears (I hope everyone can sense my sarcasm
dripping from that sentence). As if 80% of machines being vulnerable weren’t
enough, here is another great discovery made by these two researchers.
Apparently, the incursion vulnerabilities were so easy to find that they wrote
a script to automate the process of finding them and eventually stopped counting
because of how many were found.
I’m sure the NSA loves
this statistic, but now that two researchers were able to gain access to
machines using BIOS vulnerabilities, it can’t be long before hackers from
Anonymous, government agencies, or other hackers discover this technique and
take advantage of it to further harass, pilfer data, and infect corporate,
government, and everyday machines.
Still, I haven’t even
mentioned the worst part about what BIOS hacking would allow. Once the BIOS is
compromised, all the data in that computer is accessible. Even when people
try to keep their computer’s information private by encrypting their data,
encryption still does not prevent this data from being accessed. The two researchers
actually used their BIOS malware to gain access to all the data on a computer
which uses the Tails system, an OS (operating system) known for its security.
The fact that two
researchers were able to hack into the chips that run a computer at one of the
lowest levels opens up a discussion on how users, companies, and governments
can protect themselves from something that is so fundamental to the workings of
a computer. I hope companies that handle economic dealings such as credit card
companies and banks were among the 20% found to have no BIOS vulnerabilities. I
also hope that social security numbers aren’t stolen as easily as candy is from
a child. Like everyone else in the world, I would hate to find out that my
entire savings account and identity have both been stolen due to a significant
flaw in nearly every computer.
Now that it has become
public knowledge that it does not take inside chip manufacturer information to
hack the BIOS firmware of chips, I bet we will see a rise in interest from the
hacker communities around the world who are looking to exploit this
vulnerability. Hopefully the researchers’ goal of spreading awareness of how
critical firmware security is strikes a chord with chip manufacturers and
firmware developers so that we can all be saved from a larger headache in the
future when hackers have cracked the technique for themselves.
http://www.businessinsider.com/hackers-found-a-way-to-get-into-nearly-every-computer-2015-3
http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/