back to article Hey kids, who wants to pwn a million BIOSes?

The overlooked task of patching PC BIOS and UEFI firmware vulnerabilities leaves corporations wide open to attack, a new paper by security researchers warns. Xeno Kovah and Corey Kallenberg argue that the poor state of low-level software security is among the easiest ways for hackers to deeply infiltrate organizations. A …

  1. Tromos

    Therein lies the problem.

    "They are just executables to be run through your patch management software like any other executable."

    Flashing a new BIOS has just become too simple especially compared with the early days when you had to program a new EPROM and replace it on the motherboard. Of course in those days it was due to the available hardware rather than a need for security.

    The advent of cheap flash memory has simplified updates to the point where they can occur without the user noticing anything untoward. The ability to flash needs to be restricted by a physical switch that the user has to place into 'maintenance' mode and then reset back to 'operation' mode. With both access and intent being necessary this is about as secure as things can get without being overcomplicated.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Therein lies the problem.

      Since the 4th generation Core processors, Intel has been adding hardware features to protect against these categories of exploits, with software support from at least the top two UEFI vendors. The 6th generation Core processors add even more hardware protection, to the point where hardware within the CPU can detect when the SPI flash boot device has been removed or replaced.

    3. Anonymous Coward
      Anonymous Coward

      Re: Therein lies the problem.

      "Almost no organizations in the world perform BIOS patch management"

      Well that's not true. Most I have worked with include some level of BIOS updates in their SCCM patching - particularly for laptops where functional changes and critical bug fixes seem to be more common, but often for desktops too...

  2. gerdesj Silver badge

    You think PC BIOSs are vulnerable?

    ILO, DRAC and Co: These are the real security nightmares. God only knows what they get up to when the computer room is quiet. They have the ability to say checkpoint a running system, grab the contents of RAM and then shuffle that off elsewhere. I'm not saying they do, but they could. All that without the OS or hypervisor knowing what's happening. The security model for IPMI is laughable as well.

    Remote access when a machine is buggered is handy and the monitoring is nice but they are a real problem for the properly tin foil hatted ones.

    Even hard discs have pretty butch CPUs, memory and a fair bit of firmware on board these days. I believe someone booted a Linux kernel on one for a scary PoC and a laugh.

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: You think PC BIOSs are vulnerable?

        Does this mean that the PCI DSS should require that all decommissioned hard drives be physically destroyed, including their controllers?

      2. cantankerous swineherd

        Re: You think PC BIOSs are vulnerable?

        from cited article:

        "... trigger that behaviour first, though, and that could

        be done by writing a certain magic string the

        firmware hack would look for to the disk. The

        magic string can be in any file; the attacker could

        for example upload a .jpeg-file with the string in

        it to the server. He could also request a file from

        the webserver with the magic string appended to

        the URL"

        the hack was a nice piece of work and it's implementation is laughably easy.

        edit: apologies for newlines, can't seem to make them go away :-(

    2. LDS Silver badge

      Re: You think PC BIOSs are vulnerable?

      Do you plug them on your main network? They should be only available on a separate "management" network with strict access policies and full auditing.

  3. Anonymous Coward
    Anonymous Coward

    If you're using IPMI/DRAC then it needs to be on a separate out-of-band management network, and on a separate physical port (those machines which share the IPMI port with the host NIC are evil)

  4. Alistair


    Am I crazy that I keep all the firmware data I can retrieve in the same DB as the software versions?

    I'll admit that some of the proprietary hardware cards in the HPUX and SunOracle world can be cranky to catalog -- but it *can* be done.

  5. DropBear

    O RLY?

    "We have overseen the updating of thousands of BIOSes, with not a single failure"

    What the hell are these clowns smoking?!? Sure, if you have some version of "dual BIOS" or somesuch it IS a lot safer, but plenty of older motherboards don't - are they really insinuating nobody could possibly need to futz around with an EEPROM programmer and a removed BIOS chip thanks to a fortuitous power cut anymore just because it never happened to them...? Saying "most likely youl'll be just fine" is one thing - but this...

    1. razorfishsl

      Re: O RLY?

      Yep that is complete bolox,

      You will find that they have clearly defined "failure" in their updating procedure.

      Possibly along the lines of " failure is when the device under update explodes"

      In which case I have also NEVER failed in updating firmware.

      For a fun afternoon, take a look at the Chinese abortion of h3c, they make updating as absolutely criptic as the possibly can.

      They won't give a step by step procedure, incase you mess it up and sue them.

    2. Evil Auditor

      Re: O RLY?

      DropBear, I couldn't agree more. My hair stood on end when I read this crap. What they say sounds like what a junior trainee IT muppet would say - and like a recipe for failure.

    3. LDS Silver badge

      Re: O RLY?

      How old your motherboards are?? The oldest one I'm still using is an Intel circa 2005, and it does already have a backup BIOS.

      Heck, my latest ASUS board can even update the BIOS without the main CPU, from an USB stick...

    4. Michael Wojcik Silver badge

      Re: O RLY?

      Indeed. One of the first things I did with my Lenovo Thinkpad L512 when it first arrived, I think four years ago, was pull updates from Lenovo. One was a BIOS update. Their installer hung and bricked the motherboard. Had to send the machine back and have it replaced under warranty.

      That's a recent, stock-configuration laptop from a major manufacturer.

      I haven't tried updating the BIOS on that machine since. (None of the fixes mentioned in the release notes for subsequent updates looked particularly compelling.)

      I've flashed a couple dozen BIOSes over the years, mostly on Thinkpads. That was the first failure. But it only takes one.

  6. This post has been deleted by its author

  7. Speltier

    Hard TPM

    If you can trust it. Once BIOS is rooted, can you trust anything emitted by the box?

    Maybe, if you can install the TPM in a tamper resistant enclosure with traceable certificates at build time that can be used to establish a secure channel for query. Otherwise the box can just lie through its proverbial teeth.

    1. Christian Berger

      Re: Hard TPM

      Well with TPM the problem is that the likely attacker already is inside the TPM. After all it's extremely likely that governments will demand back doors, and current TPMs actually allow you to have a "second key" to access your encrypted harddisk.

  8. Christian Berger

    In a nutshell...

    it all boils down to the simple rule, "you cannot contain malware on a computer".

    If you can run malware it is likely do be able to do anything. Our safeguards are just additional boundaries to make the job a bit harder, which is a good idea, but we shouldn't rely on it.

    Unfortunately, recent developments have increased the problem. Systems have gone even more complex than they used to be, greatly increasing the chance of some remote code execution bug which might introduce malware into your system. Javascript may be comparatively easy to sandbox, however it's getting more and more common and browsers do not even enforce a single domain policy.

    Plus there are some stupid ideas like UEFI creating hugely complex systems which are easy to be corrupted by malware, but hard to be replaced with something simple by the user.

  9. cantankerous swineherd

    computers are devices for watching cat videos archived on the internet. on no account should they be used for anything serious.

  10. Len

    How about making it part of OS updates?

    OS X updates regularly contain patches to the UEFI which are just flashed on reboot. Couldn't there be a way for WindowsUpdate and the update systems of the various Linux distros to do something similar?

    1. Mage Silver badge

      Re: How about making it part of OS updates?

      Sounds like an infection route!

      We need to go back to physical write-enable link on the Mobo.

      1. Crazy Operations Guy

        Re: " physical write-enable link on the Mobo."

        I"d think that a simple setting in the setup utility would work. Allow updates to be written to a purely-storage section of the UEFI chip and then when you reboot, and option would appear in the setup utility and would ask whether you want to apply the update or not.

    2. Disko

      Re: How about making it part of OS updates?

      shhhhhh let them figure it out for themselves, they need the learning experience...

    3. John Brown (no body) Silver badge

      Re: How about making it part of OS updates?

      "OS X updates regularly contain patches to the UEFI which are just flashed on reboot. Couldn't there be a way for WindowsUpdate and the update systems of the various Linux distros to do something similar?"

      Apple are installing updates to a known hardware base which they happen to control. I'm not sure how safe a firmware update from Windows or some Linux would be on some random motherboard that MS may have not heard of but "looks like" a known model, eg a Chinese rip off board, or who to blame if the it bricks the computer.

      It's not as if Windows updates have never caused some users major problems because it's hard to test for all eventualities and software combinations.

    4. Sandtitz Silver badge

      Re: How about making it part of OS updates? @Len

      Apple can update the firmware components since they control the Mac hardware.

      Windows Update in fact does update the UEFI - as long as the computer is a Surface.

      It would be great if Windows Update or APT would upgrade the UEFI and other firmware as well but that seems unlikely since the method of firmware version detection differ from device to device and sometimes you need to do updates in stages or sometimes you need to visually check the board revision etc.

    5. LDS Silver badge

      Re: How about making it part of OS updates?

      Apple has a fairly "standard" hardware to support, because it designs it itself. Windows and Linux runs on too many system, and without some form of standardization, it would be a nightmare to support them all.

  11. Primus Secundus Tertius

    Firmware or crapware?

    I guess that firmware updates are the responsibility of the computer maker, rather than Microsoft, and would rely on the manufacturer's "value added" software being present.

    Unfortunately, new machines come with so much crapware that the first thing a careful owner does is a clean install minus all the crapware.

  12. Herby


    It used to be that the BIOS just had some routines that you didn't use and read the first sector from secondary storage. The original PC had BASIC in there as well. Things are a bit more (unnecessarily in my opinion) complicated these days with the UEFI craze and more. If the BIOS were simple enough you wouldn't need to update it when Microsoft commands you.

    Maybe the solution is to throw out all the cruft and go back to basics (sorry). Have the BIOS read the first record from secondary storage and check for the keyboard. If necessary save some parameters like which secondary storage device to get the "first record" and what to display on the "flash screen". Not much else is used when you boot a Linux system anyway.

  13. Anonymous Coward
    Anonymous Coward

    The BIOS should be on ROM. The OS on sensitive computers should be on ROM. These are things people knew when ZX Spectrum's ruled the earth. Can you not remember?

    I guess if you want any security these days you should do your own microprocessor system.

    1. Sandtitz Silver badge

      "The BIOS should be on ROM. The OS on sensitive computers should be on ROM. These are things people knew when ZX Spectrum's ruled the earth. Can you not remember?"

      We sure do; every(?) home computer had their bugs either in their Basic implementation or some quirks in (usually) the video registers. The difference was that you had to code around these bugs or sometimes actually utilize them for a neat visual trick or something.

  14. Anonymous Coward
    Anonymous Coward

    Don't blame the end-user organisations, blame the OEMs

    It peeves me greatly when I buy a new-in-box, current-model device, and find the last firmware upgrade a good number of months in the past with bugger all during the useful life of the device.

    1. LDS Silver badge

      Re: Don't blame the end-user organisations, blame the OEMs

      Often depends on the hardware type - I went through a run of firmware updates last month on my Dell servers (preparing for the Windows 2003 demise...), and there were a fair number of recent BIOS updates even for older servers. Workstations (we use several Precision models) don't have the same level of support.

      One issue with firmware management it's not all OS are usually supported - for example on Dell patching from OS is available for Windows and supported Linux distro like RedHat and SuSE, but if you need to patch VM servers, or others running Debian/Ubuntu or the like, you need to rely on its Lifecycle Management platform, or patch from a bootable USB stick or the like. The former is scriptable, but it's still a proprietary platform, if you have a mix of different brands it starts to become more complex than it should be.

  15. Anonymous Coward
    Anonymous Coward

    The ultimate solution

    Bring back the write protect jumper on ALL motherboards without exception.

    If you cannot afford this, then maybe you shouldn't be manufacturing motherboards to begin with!

  16. Nick 6

    And the burnt-in spyware ?

    Let's not forget the spyware - ahem sorry I mean security management facilities - burnt into most BIOSes. Yes the ones which can install their software into the guest OS, so that it can report back to the mothership and/or be remote wiped. I'm talking of course about Computrace. But there are others who have tried to join the market.

    I can see the point of these - a bit like iLO and DRAC - but they are internet facing clients which in every other circumstances would be judged as infected bots.

  17. Maelstorm Bronze badge

    Then you have the other issue with motherboard manufacturers. (cough)Giga(cough)byte(cough) actually discourages BIOS updates. The manual states:

    "Since a BIOS update is an inherently risky procedure, it should not be done unless you are experiencing a bug. If you are not, then it should not be done."

    So, what's a user to do when the mobo manufacturer makes a statement like that? Myself, I tend to ignore it. But the dual BIOS setup is nice as there is a backup BIOS that will reflash the main BIOS to get the system up and running on a failed or corrupt BIOS.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022