Editor’s Note: NIST’s Draft Special Publication 800-147B “BIOS Protection Guidelines for Servers” is attached here. Comments are due September 14, 2012 and should be sent to: firstname.lastname@example.org. Below is a story that illustrates why BIOS protection is needed.
Proof-of-concept BIOS malware can hide in PCI firmware
By Paul Mah
Hardware on the motherboard, including the BIOS and PCI firmware of devices such as network cards or CD-ROMs, can be infected by malware. This was demonstrated by security researcher Jonathan Brossard at both the Black Hat security and Defcon hacking conferences last week.
Brossard created the proof-of-concept malware using open-source software; it successfully compromised the BIOS and left no traces on storage drives. While BIOS malware is hardly new, his malware, called Rakshasa after a demon from Hindu mythology, goes a step further by infecting other peripheral hardware to achieve an unprecedented level of persistence.
The root of the problem has to do with how current computer architecture gives every peripheral device equal access to the RAM via the system bus. As such, redundant copies of Rakshasa could theoretically corrupt the low-level motherboard firmware even after it has been replaced by a vendor-supplied one.
As reported by Network World, “The only way to get rid of the malware is to shut down the computer and manually reflash every peripheral, a method that is impractical for most users because it requires specialized equipment and advanced knowledge.”
The only silver lining here is how some motherboards and PCI devices incorporate a physical switch that needs to be toggled in order to flash a new firmware. Some BIOSs have digital signatures too, which make it harder to replace with a Trojan version.
Unfortunately, Brossard noted that creating hardware backdoors in this way is completely practical when done before a computer is delivered to the end user. Personally, I think this may have ramifications for governments purchasing computers directly from sources that have the opportunity to plant backdoors by infecting the BIOS and attached peripherals.
For more, check out this article at Network World.