Despite warnings, computers still vulnerable to hackers of start-up codes

SAN FRANCISCO Fri Aug 1, 2014 9:26pm EDT

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files

SAN FRANCISCO (Reuters) - A multi-year effort to prevent hackers from altering computers while they boot up has largely failed because of lax application of preventive steps, researchers say, despite disclosures that flaws are being exploited.

In the latest sign that the problem persists, researchers at the federally funded MITRE lab said this week that many customers of Intel Corp still had not adopted revised security designs Intel distributed in March after the MITRE team found new vulnerabilities in the start-up process.

That could mean many newer Windows computers remain exposed, the MITRE team told Reuters ahead of a presentation at the Black Hat security conference in Las Vegas next week.

Intel’s point person on the issue, Bruce Monroe, said he did not know how many suppliers and computer makers had followed Intel’s recommendations.

“We’re not privy to whether they’ve fixed it or not,” Monroe said. “We asked them to let us know.”

The stubborn glitches illustrate how well-funded spying programs, such as those exposed by former National Security Agency contractor Edward Snowden, can continue to succeed against targets that depend on a complex supply chain.

Long before Snowden’s documents began appearing in the media, professional technicians and U.S. officials were concerned about the vulnerabilities that leave computers severely exposed as they are turned on.

Years ago, then-U.S. National Security Agency Director Keith Alexander privately urged the chief executives of major American technology companies to do something about the boot-up procedure known as the Basic Input/Output System, or BIOS. BIOS relies on firmware, or permanent software that ships with computers.

Because the start-up code is given more authority than the operating system, hackers who break into that code can make major changes to programs and hide evidence of their presence. Lodging there also all but guarantees what the security industry calls persistence - the ability to remain inside even after a computer is turned off and rebooted.

Intel, Microsoft Corp and other companies promoted a successor system known as the Unified Extensible Firmware Interface that includes a feature called “secure boot,” which checks for digital signatures before running code. Microsoft’s Windows 8 operating system has embraced UEFI and secure boot, bringing the hardened approach to more than 60 million new computers.

Even as that rollout was accelerating, though, evidence accumulated that attacks similar to those theorized by researchers were actually under way.

In 2011, several research firms identified one such piece of malicious software, called Mebromi, that primarily attacked Chinese computers with a type of BIOS from leading supplier Phoenix Technologies Ltd.

Early last year, Reuters saw a catalogue from a U.S. defense contractor that included a product, offered at more than $100,000, for incapacitating target computers by attacking BIOS and other critical elements.

And in December, Der Spiegel reported that a leaked internal NSA catalogue described a tool called DeityBounce that attacked the BIOS of Dell Inc servers.

That came months after a presentation at last year’s Black Hat security conference in which MITRE researchers including Corey Kallenberg and Xeno Kovah broke into Dell’s boot-up process.

In a joint interview, Kallenberg and Kovah said that in the year since that talk, they had deployed sensors to about 10,000 computers to determine whether boot-ups were still vulnerable to that flaw or related issues. As of last month, 55 percent of them still were.

But the actual percentage of vulnerable machines in the world is even higher, because the MITRE group has not been checking for flaws stemming from the issues it found more recently with Intel’s old UEFI guidelines, which permitted an attack through memory corruption.

“That number is going to go up a lot,” Kovah said of the percent of affected computers.

Intel’s Monroe said that although his company, the BIOS makers and most of their customers were not used to distributing and installing fixes, improvements were coming, starting with a fledgling industry-wide incident response team led by Phoenix.

Kallenberg and Kovah said it would help if the National Institute of Standards and Technology moved beyond general warnings and provided links to verified fixes.

(Reporting by Joseph Menn; Editing by Ken Wills)

Comments (1)
phalcon1 wrote:
I always knew that flashable BIOS was a very bad idea. Sure, your common Saturday Afternoon Home PC User didn’t feel comfortable upgrading his BIOS in the old days. You had to jump through so many hoops: identifying the exact motherboard, the exact BIOS you were replacing, and that it had the fixes in it that you needed. Then you had to order the chip and wait for it to arrive, and then pull the old chip and replace it, hoping you didn’t zap either one (because you were too lazy to wear a grounding strap). And you could only do one at a time, instead of an entire company inventory. Flashable sounded ideal, but every time we create something of convenience in the digital world, we open it up to hacking.
I remember my first flash update of a BIOS. It still wasn’t easy. After locating the exact file, and downloading it (over 12k baud modems), you had to copy the file to a floppy, then open the case of the PC and move a berg jumper to the FLASH position, then boot up with the floppy in the drive, and cross your fingers because if you made a mistake here, you couldn’t just put the old version back in.
As soon as they made this process much easier, I knew there would be trouble.

Aug 03, 2014 5:29pm EDT