DecryptedTech

Saturday, 13 August 2022

More hacking fun with the UEFI BIOS



Back in August of 2014, while covering DEFCON 22, we sat in on a talk about how insecure the UEFI BIOS was and how it could potentially grant a malicious person ring zero access to your system. The talk was given by Corey Kallenberg and Xeno Kovah, and they showed just how easy it would be to plant non-removable malware into the UEFI BIOS, as well as how easy it would be to kill the BIOS remotely by altering only two lines of code in it.

Well, Kovah and Kallenberg have not stopped with their talk at DEFCON. They have continued their work on UEFI BIOS hacking and have added even more to their repertoire. Now, before you head to the comments to say that the UEFI BIOS update process is secure because of its validation/verification process: Kovah and Kallenberg showed a way around that at DEFCON 22.

Now they have refined this method and are showing how a new tool called LightEater can be used to “infect” vulnerable systems within minutes. This type of attack would not even take a sophisticated user. As most people in the security industry know, the major players are rarely directly involved in attacks. They either rent time on a network that can push out malware, or they have minions do a lot of the actual dirty work. The ease of code insertion into the UEFI BIOS was, and still is, very scary. I watched this demo live at DEFCON 22, and that was with immature code. Now, months later, the tool is much more mature and the process has been simplified even further.

Even with a BIOS that has not been infected using the tactics shown during the DEFCON presentation, something as simple as a kernel-mode driver writing invalid data over the first instruction it reads off the BIOS chip is enough. The first two lines of that code are critical for the system to boot. Once they have been overwritten, your nice new system will never boot again.

It really is that simple, and motherboards from multiple vendors are vulnerable to this flaw. To add a cherry to the top of the malware cake, the majority of people never patch or update their system BIOS. Most do not even know that they need to, much less how to get started. This means that you can have all the anti-malware software, appliances and policies you want, and a threat actor can still get to you through the BIOS on your system. Hopefully this will raise more awareness of the need to protect the BIOS, and of the need for a new way to prompt users to update their BIOS when security holes are found and fixed.

Last modified on Friday, 21 January 2022 09:42
