The Snowden leaks have taught us much about the tactics employed by the NSA and GCHQ, from brazen malware attacks to more esoteric dark arts, such as infecting low-level pieces of computer code. Correspondingly, research into more surreptitious activities targeting the guts of modern systems has often been overshadowed by studies of more obvious attacks. Yet such high-tech techniques pose a more severe risk. They can, for instance, allow agencies to spy on Tails, the Linux-based secure operating system favored by Snowden. And they're not as difficult to exercise as many would imagine. They can totally obliterate the privacy of even the most careful computer user.
That will be the message of Corey Kallenberg and Xeno Kovah when they present research on easy-to-find BIOS-level vulnerabilities at the CanSecWest conference in Vancouver this week. BIOS firmware is the first software to run when a PC is switched on. It checks hardware and starts the load process for the operating system. Attackers who can get their code running at that level, usually installing a malware known as a rootkit, will be able to avoid most security detections systems, which tend to work at the operating system level, not below it. To get malicious tools running in the BIOS, however, the attacker will first have to hack their way to getting administrator privileges on a PC, through something like an Internet Explorer exploit, and then find some BIOS vulnerabilities to hack away at. The first part happens across the web every day, but the second part, the so-called "post-exploitation" phase, is considered the domain of highly-sophisticated hackers, such as the NSA or GCHQ, and extremely tricky to pull off.
But Kallenberg and Kovah have created a tool that automates the identification and exploitation of BIOS bugs, a number of which they will detail at CanSecWest. Using their own bespoke malware, they have repeatedly been able to gain access to System Management Mode (SMM), a part of the computer used by firmware that's entirely separate from other processes, but can read everything going through a machine's memory.
"Once the payload is delivered, we have an agent running in SMM," said Kallenberg during a demo session with FORBES. "The thing about SMM is that it runs independent of the operating system, the operating system has no visibility into system management mode, it's a protected region that can't be read or written by the OS – Tails can't read or write to it – but it has access to all of memory."
(Score: 1, Insightful) by Anonymous Coward on Sunday August 23 2015, @09:29AM
Somewhat agree. The usb, the pci and xpci interfaces are wide open for god knows what kind of "option roms" or whatever those things are called.
And dont get me started on listening to sounds and em noise of computers.
Im inclined to believe, that even without all deliberate... weakening of the security of the hardware layer, the sheer amount of different components, and different ways they can communicate creates a situation where any access to the system of any kind has potential to compromise any other part of the system eventually, with enough skullsweat.
One has to accept, that with a rich and well-connected enough attacker, theres not much one can do to even detect the attack.
The garbage we use for hardware, is not possible to make secure.
(Score: 3, Funny) by c0lo on Sunday August 23 2015, @11:41AM
What do you think the tin foil is for? Your hat only?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford