The Snowden leaks have taught us much about the tactics employed by the NSA and GCHQ, from brazen malware attacks to more esoteric dark arts, such as infecting low-level pieces of computer code. Correspondingly, research into more surreptitious activities targeting the guts of modern systems has often been overshadowed by studies of more obvious attacks. Yet such high-tech techniques pose a more severe risk. They can, for instance, allow agencies to spy on Tails, the Linux-based secure operating system favored by Snowden. And they're not as difficult to exercise as many would imagine. They can totally obliterate the privacy of even the most careful computer user.
That will be the message of Corey Kallenberg and Xeno Kovah when they present research on easy-to-find BIOS-level vulnerabilities at the CanSecWest conference in Vancouver this week. BIOS firmware is the first software to run when a PC is switched on. It checks hardware and starts the load process for the operating system. Attackers who can get their code running at that level, usually installing malware known as a rootkit, will be able to avoid most security detection systems, which tend to work at the operating system level, not below it. To get malicious tools running in the BIOS, however, the attacker will first have to hack their way to getting administrator privileges on a PC, through something like an Internet Explorer exploit, and then find some BIOS vulnerabilities to hack away at. The first part happens across the web every day, but the second part, the so-called "post-exploitation" phase, is considered the domain of highly sophisticated hackers, such as the NSA or GCHQ, and extremely tricky to pull off.
But Kallenberg and Kovah have created a tool that automates the identification and exploitation of BIOS bugs, a number of which they will detail at CanSecWest. Using their own bespoke malware, they have repeatedly been able to gain access to System Management Mode (SMM), a part of the computer used by firmware that's entirely separate from other processes, but can read everything going through a machine's memory.
"Once the payload is delivered, we have an agent running in SMM," said Kallenberg during a demo session with FORBES. "The thing about SMM is that it runs independent of the operating system, the operating system has no visibility into system management mode, it's a protected region that can't be read or written by the OS – Tails can't read or write to it – but it has access to all of memory."
(Score: 3, Interesting) by dmc on Monday August 24 2015, @08:21AM
You do realize you failed to address the elephant in the room, right? This isn't about innovating new security. This is about a coordinated disinformation campaign by the NSA to reduce security. A couple decades ago on PCs we had these little doohickeys called "jumpers". Now, it was indeed a laughable user interface, as anyone who would dare crack their PC case to actually move a jumper was by definition a geek and social outcast. But they were there. And just about every mobo had a firmware flash write enable jumper, because like, the people who designed the system weren't retarded. They knew that remote root exploits were a part of the internet game, and it didn't make sense to allow something like that to introduce an Advanced Persistent Threat (seriously, historians can make sense of things by searching for that terminology, it has always been a euphemism for BIOS/firmware malicious modification). But the NSA kept the euphemism in place solely to prevent people from scratching their heads and realizing what a massive epic holocaust-level fraud modern mainstream communications devices have been. No, the holocaust hasn't happened yet. But someday someone just as bad as Trump will be holding onto the majority of the nukes, and surveillance paths that modern humanity has been stupid enough to build for him/her. God help us all.