BIOS Rootkit Attacks: What’s the Real Risk?

As I’ve written in previous articles, the frequency of malicious rootkit installations is increasing.  Now it seems that even the BIOS is a potential target.  John Heasman, principal security consultant for Next-Generation Security Software, announced this week that a collection of functions known as the Advanced Configuration and Power Interface (ACPI) could be used to deposit a rootkit in the BIOS in flash memory.  This is rather easy to do, said Heasman, because the ACPI has a high-level programming language that’s easy to learn and easy to use.

When I read this story, which was covered on almost every security web site, I was initially concerned.  Who wouldn’t be?  The BIOS is the most fundamental layer of functionality in any PC.  But the more I thought about it, the more I wondered how much risk a BIOS rootkit actually presents to a business network.  After some research, I concluded that the risk is very low for businesses that take normal precautions.

In this article, we’ll look at rootkit technology, how engineers or programmers flash the BIOS, the typical safeguards protecting BIOS access, and what you can do to protect your business from BIOS rootkit issues.

Rootkits appeared about 10 years ago.  Their initial purpose was to provide “back doors” into applications and systems, bypassing the normal security safeguards.  Many rootkits were installed by developers who wanted quick access to system internals, especially if the standard access methods failed.  But the one defining characteristic of rootkits was stealth.  They were invisible to users, to system administrators, and to most malware detection tools.

Over the years, rootkit development and use took two paths.  The first path led to ethical uses: providing back door system management functionality, as well as the ability to collect information for forensic or administrative purposes.  The second path led to malicious activities designed to surreptitiously acquire information with criminal intent.  Today’s rootkits can perform many functions, including:

  1. keystroke logging
  2. interception of system calls, resulting in system behavior modified to suit the needs of the rootkit owner
  3. remote control of a system

Malicious rootkits are typically installed by exploiting a software vulnerability, either in the operating system or in an application.  Although there was one well-known successful application of rootkit technology to BIOS firmware in 1999 (CIH), rootkit infections of BIOS implementations have been largely ignored by the hacking community.  But with stronger system safeguards, attackers are looking for other avenues of entry into your computers.

So how can an attacker gain access to PC, server, and peripheral BIOS firmware?  One way to install a rootkit in BIOS firmware is through a user-initiated firmware upgrade.  Firmware upgrades are often necessary to correct problems with hardware operation or to add functionality.  In this scenario, the point of greatest vulnerability is retrieving the new firmware file.  It should be downloaded from the hardware vendor’s site or obtained from a reputable local hardware vendor, because retrieval is the point at which an infection is most likely to occur.  As with the CIH attack, the firmware may already contain a rootkit.  This is why it’s important to get it from a well-known and secure source.

The other way infected firmware can be loaded into your hardware is through the direct actions of an attacker.  This normally requires physical access to the system to be compromised.  Why?  Because most hardware components are protected against changes to BIOS firmware with a jumper or a password.

In the case of a jumper, the attacker would have to physically move the jumper to enable firmware flashing.  With most hardware, this requires not only physical access to the device, but also the opportunity to partially disassemble the system in which the device is installed.  Standard physical controls should be sufficient to prevent this type of access.

The effectiveness of firmware password safeguards depends on how you manage both administrative and physical processes.  If your engineers changed the password, the attacker may have to execute a series of steps to reset the BIOS security configuration to factory defaults.  This requires the same kind of access as that described for jumper manipulation.  However, once the factory defaults are restored, vendor passwords are easily obtained.  Again, standard physical access safeguards should be sufficient to prevent this type of access, especially if your engineers change the firmware password as part of every hardware installation.

There are other ways to compromise the BIOS.  For example, overloading keyboard buffers is an attack method that often works on older systems.  And BIOS password cracking software exists and is available for download from the Internet.  But physical access is still necessary in many cases to enable firmware changes.
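The article’s advice for the upgrade path is to obtain the firmware file from a trustworthy source.  A practical check an engineer can add on top of that is to verify the downloaded image against the digest the vendor publishes before it is ever flashed.  The following Python is an added example, not code from the article or from any vendor; it assumes the vendor publishes digests in the common `sha256sum` layout (`<hex digest>  <filename>`), and the image bytes and digest file below are constructed stand-ins, not real firmware.

```python
"""Verify a downloaded firmware image against a vendor-published SHA-256
digest before flashing.  Added example; the digest-file format and the
file names are assumptions, and all sample data is constructed."""
import hashlib
import hmac

# Constructed stand-in for a downloaded firmware image (not real firmware).
SAMPLE_IMAGE = b"abc"
SAMPLE_NAME = "fw-1.2.3.bin"

# Constructed stand-in for a vendor SHA256SUMS file.  The first digest is
# SHA-256 of b"abc"; the second is SHA-256 of the empty input.
SAMPLE_DIGEST_FILE = (
    "# vendor digests (constructed example)\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  fw-1.2.3.bin\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  fw-1.2.2.bin\n"
)

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole image."""
    return hashlib.sha256(data).hexdigest()


def parse_digest_file(text: str) -> dict[str, str]:
    """Map filename -> lowercase hex digest from sha256sum-style lines.
    Blank lines, comments and malformed lines are skipped."""
    digests: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*' on the name.
        digests[name.lstrip("*")] = digest.lower()
    return digests


def verify_firmware_image(image: bytes, published_digest: str) -> bool:
    """True only if the image hashes to the published digest.
    A malformed digest is a refusal, not a pass; the comparison is
    constant-time so the check itself does not leak anything."""
    published = published_digest.strip().lower()
    if len(published) != 64 or any(c not in HEX_DIGITS for c in published):
        return False
    return hmac.compare_digest(sha256_hex(image), published)


def check_firmware(name: str, image: bytes, digest_file_text: str) -> bool:
    """Look the file up in the vendor digest list and verify it.
    A file with no published digest is never approved for flashing."""
    expected = parse_digest_file(digest_file_text).get(name)
    if expected is None:
        return False
    return verify_firmware_image(image, expected)


if __name__ == "__main__":
    ok = check_firmware(SAMPLE_NAME, SAMPLE_IMAGE, SAMPLE_DIGEST_FILE)
    print(f"{SAMPLE_NAME}: {'digest matches, safe to flash' if ok else 'REJECTED'}")
    tampered = check_firmware(SAMPLE_NAME, SAMPLE_IMAGE + b"\x00", SAMPLE_DIGEST_FILE)
    print(f"{SAMPLE_NAME} (modified): {'digest matches' if tampered else 'REJECTED'}")
```

The digest file must come from a channel independent of the mirror that served the image (the vendor’s own site, ideally retrieved separately); a digest published next to a tampered file on the same compromised server proves nothing.  Where the vendor signs its firmware, verifying that signature with the vendor’s public key is the stronger check, and this digest comparison is the minimum.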

Although firmware rootkit attacks should be considered when reviewing the effectiveness of your security program, I don’t believe you have to declare a state of emergency because of this week’s announcement.  A business that follows security best practices should be adequately protected from the kinds of access necessary to effect a firmware rootkit infection.  Probably the most important point to take away from reading this article is how critical it is for your engineers to be aware of the potential risks related to obtaining clean firmware.  Awareness is your first line of defense against BIOS rootkit attacks.

Author: Tom Olzak 

Resources:


Researchers: Rootkits headed for BIOS

The Basics of Rootkits: Leave no Trace

BIOS Flashing and Hotflashing

How to Bypass BIOS Passwords
