
posted by cmn32480 on Sunday August 23 2015, @04:45AM   Printer-friendly
from the chasing-your-Tails dept.

The Snowden leaks have taught us much about the tactics employed by the NSA and GCHQ, from brazen malware attacks to more esoteric dark arts, such as infecting low-level pieces of computer code. Correspondingly, research into more surreptitious activities targeting the guts of modern systems has often been overshadowed by studies of more obvious attacks. Yet such high-tech techniques pose a more severe risk. They can, for instance, allow agencies to spy on Tails, the Linux-based secure operating system favored by Snowden. And they're not as difficult to exercise as many would imagine. They can totally obliterate the privacy of even the most careful computer user.

That will be the message of Corey Kallenberg and Xeno Kovah when they present research on easy-to-find BIOS-level vulnerabilities at the CanSecWest conference in Vancouver this week. BIOS firmware is the first software to run when a PC is switched on. It checks hardware and starts the load process for the operating system. Attackers who can get their code running at that level, usually installing malware known as a rootkit, will be able to avoid most security detection systems, which tend to work at the operating system level, not below it. To get malicious tools running in the BIOS, however, the attacker will first have to hack their way to getting administrator privileges on a PC, through something like an Internet Explorer exploit, and then find some BIOS vulnerabilities to hack away at. The first part happens across the web every day, but the second part, the so-called "post-exploitation" phase, is considered the domain of highly sophisticated hackers, such as the NSA or GCHQ, and extremely tricky to pull off.

But Kallenberg and Kovah have created a tool that automates the identification and exploitation of BIOS bugs, a number of which they will detail at CanSecWest. Using their own bespoke malware, they have repeatedly been able to gain access to System Management Mode (SMM), a part of the computer used by firmware that's entirely separate from other processes, but can read everything going through a machine's memory.

"Once the payload is delivered, we have an agent running in SMM," said Kallenberg during a demo session with FORBES. "The thing about SMM is that it runs independent of the operating system, the operating system has no visibility into system management mode, it's a protected region that can't be read or written by the OS – Tails can't read or write to it – but it has access to all of memory."
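The summary describes the path an attacker takes: administrator rights on the OS, then a writable BIOS, then an agent in SMM that the OS cannot see. The check a defender wants is whether the chipset locks that close that path are actually set. The following is an added example, not code from the article or from the researchers' tool; it assumes the Intel PCH BIOS_CNTL and host-bridge SMRAMC bit layouts, and the register values are constructed here rather than read from hardware (a tool such as chipsec would supply real ones).

```python
# Added example: evaluate BIOS write-protection and SMRAM lock bits from
# register values supplied by the caller. The values below are CONSTRUCTED;
# on real hardware they would be read from the chipset by a firmware tool.

# Intel PCH BIOS_CNTL register bits (LPC bridge, offset 0xDC)
BIOSWE = 1 << 0    # BIOS Write Enable: SPI flash BIOS region writable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes allowed only from SMM

# Intel host bridge SMRAMC register bits (offset 0x88)
D_LCK = 1 << 4     # SMRAM control locked until reset
D_OPEN = 1 << 6    # SMRAM accessible to code running outside SMM


def check_bios_cntl(value):
    """Findings for the flash write path an OS-level attacker would use."""
    findings = []
    if value & BIOSWE:
        findings.append("BIOSWE set: BIOS region writable from the OS")
    if not value & BLE:
        findings.append("BLE clear: BIOSWE can be enabled without an SMI")
    if not value & SMM_BWP:
        findings.append("SMM_BWP clear: BIOS writes not restricted to SMM")
    return findings


def check_smramc(value):
    """Findings for the SMRAM region that an SMM agent would live in."""
    findings = []
    if value & D_OPEN:
        findings.append("D_OPEN set: SMRAM readable/writable outside SMM")
    if not value & D_LCK:
        findings.append("D_LCK clear: SMRAM configuration not locked")
    return findings


def assess(bios_cntl, smramc):
    """Return all findings; an empty list means the checked locks are set."""
    return check_bios_cntl(bios_cntl) + check_smramc(smramc)


# Constructed samples: a machine with the locks missing and one with them set.
WEAK = {"bios_cntl": 0x01, "smramc": 0x0A}    # BIOSWE=1, no BLE/SMM_BWP, D_LCK=0
LOCKED = {"bios_cntl": 0x22, "smramc": 0x1A}  # BLE|SMM_BWP, G_SMRAME|D_LCK

if __name__ == "__main__":
    for name, regs in (("weak", WEAK), ("locked", LOCKED)):
        print(name, assess(regs["bios_cntl"], regs["smramc"]) or "locks in place")
```

An empty result only says these particular locks are set; it does not rule out a vulnerable SMM handler of the kind the talk describes.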

  • (Score: 5, Interesting) by VortexCortex (4067) on Sunday August 23 2015, @07:22AM (#226590)

    Sooooo, AFTER the system has been rootkitted, the system can be further exploited? Yeah, no shit. What OS Snowden favors means jack shit if we're talking about post-rootkit level exploitation. Hell, they could go after the bootloader, replace the kernel, get into the SSD's firmware, even upgrade you to Windows 10 at that point -- all bets are already off. The headline could read instead: "Stealing Secrets from Your Grandmother's Favorite OS" and be just as accurate. For the record, my granny likes Ubuntu -- she thinks that is "African" for "Windows" and is glad to support 3rd world nations by using this "limited edition" of Windows 9 (A joke between my girlfriend and me has gotten out of control, and is just as "on topic" as the "Snowden" buzzword in TFS).

    It's pretty sickening seeing what these security conferences have become. Buzzword compliant marketing scaremongering.

    Furthermore, their system is NOT even close to the high grade NSA level stuff. The infected systems I've reverse engineered try to do some pretty cool disappearing acts, completely restoring the infected BIOS and erasing their tracks if they detect reverse engineering -- in some cases just pulling the plug on the Internet connection triggers their ghosting. The state level stuff tries hard not to be detected. This crap they're presenting is still entry level BIOS cracking, IMO. The trick to catching such BIOS bullshit is to set up a honeypot that actually fingerprints as some other device you actually have, and in this honeypot VM also use a firmware image cloned from said device (you can do this with a slightly modded QEMU), so that it's actually exploitable too. So, how's that for "Voodoo", bitches? Their firmware detection code is the weakness. The dumb skiddies only infected a few VMs and simultaneously gave me their exploits to play with. What doesn't root me makes me stronger.

    You don't even have to fully emulate a different device, if you just make it fingerprint as something else then their exploits won't work. This is similar to how crappy websites (and exploits) wouldn't work if you changed the browser's navigator string. I first began this cat and mouse game over a decade ago when I noticed my polyfilling x-platform.js broke exploits' browser ID via feature detection (drop my code in and it made IE actually support standards, and so the exploits thought it was Firefox when combined with modified navigator strings).

    In other words: When your BIOS exploit tries to ID my custom firmware (see: Coreboot) I will lie about its identity and you will set off my alarms: Game over. Your scanner believes what I want it to believe. You've just reached another level of control. What noobs, it's like they've never seen The Matrix.

  • (Score: 0) by Anonymous Coward on Sunday August 23 2015, @08:14AM (#226602)

    "What OS Snowden favors means jack shit if we're talking about post-rootkit level exploitation"

    What the article was pointing out was that even an OS set up to be more secure like TAILS can succumb to serious faults. Not everything is written by/for the government/military and is often dumbed down to explain it better to everyday users and those who may feel invincible by using TAILS.

    Your post is interesting, but you don't have to use such a 'tone' to get your point across. This isn't Vice City.

  • (Score: 1, Insightful) by Anonymous Coward on Sunday August 23 2015, @09:29AM (#226624)

    Somewhat agree. The USB, the PCI and xpci interfaces are wide open for god knows what kind of "option ROMs" or whatever those things are called.
    And don't get me started on listening to sounds and EM noise of computers.

    I'm inclined to believe that even without all deliberate... weakening of the security of the hardware layer, the sheer amount of different components, and different ways they can communicate, creates a situation where any access to the system of any kind has potential to compromise any other part of the system eventually, with enough skullsweat.

    One has to accept that with a rich and well-connected enough attacker, there's not much one can do to even detect the attack.
    The garbage we use for hardware is not possible to make secure.

    • (Score: 3, Funny) by c0lo (156) Subscriber Badge on Sunday August 23 2015, @11:41AM (#226640) Journal

      "And don't get me started on listening to sounds and EM noise of computers."

      What do you think the tin foil is for? Your hat only?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford