This lower layer — the flashable firmware and processors running on dozens of components in today's computing devices — is already being exploited in proof-of-concept tests by a handful of security researchers. They say that we may not be seeing firmware used in attacks right now, but the day is coming when, after having shorn up today's holes on the application layer, that malware will be pushed to this lower layer.
John Heasman, director of research, Next Generation Security Software Ltd. (NGSSoftware), a U.K.-based software security outfit with U.S. headquarters in Tacoma, Wash., presented a proof-of-concept rootkit on a PCI card at Black Hat Federal in Washington, D.C. in 2007. At Black Hat in Las Vegas, also in 2007, he demonstrated a technique called “warm reboot attacks,” which uses RAM caching to survive a reboot without touching the hard disk or firmware (great for persistently hiding a rootkit that reinstalls each time the machine reboots). Then, he demonstrated how to modify the variables within the chip's RAM remotely — changing the advanced configuration and power interface (ACPI) tables, load drivers and security hooks.
“Imagine you're on your laptop, you go to a malicious site, it exploits a browser bug and installs a kernel component through a secondary vulnerability in a device driver,” he explains. “It can store things in an embedded controller's local memory, peek at things like main memory (where the operating system stores code and data), and even implement a keyboard logger that doesn't run on the main CPU, but on the keyboard firmware itself.”
While remote reflashing is already a common form of firmware system upgrade for auxiliary and internal components, the bar for flashing firmware through malicious websites and email is high at this time, say researchers. That's because automating such an attack is difficult due to system dependencies, and because the application layer is still so much easier to attack.
For example, you'd have to know the programmable firmware that you were targeting well enough to circumvent its authentication, install a trojan and know what features and functions to exploit, explains Kevin D. Kissell, principal architect, MIPS Technologies, Inc., a Mountain View, Calif.-based provider of processor architectures.
Tamper resistant chips
Emerging chip security models — like Trusted Computing Group's Trusted Platform Model (TPM) — make it more difficult to flash chips or make other security modifications without notice, say Heasman and Kissell. TPM does nothing to keep hackers out of a computer. Rather, it is a secure boot process that makes sure programmable resources haven't been tampered with.
To do this, TPM uses a hash value of key system resources, such as PCI card firmware, that is sealed behind a digital signature and stored on a secure location on the chip. These resources are measured pre-boot and compared to the stored values to ensure they have not been tampered with, explains Lori Wiggle, director of server technology marketing at Intel.
A TPM-measured resource is good protection against offline attacks. For example, someone can't come in at night, turn on the computer and reflash the firmware because the machine has to be turned on for it to work. That means it does not protect against online attacks targeting the operating system, which Heasman and other researchers say can then be elevated to change the checksum and reseal the value, thus passing TPM boot inspection without being identified by system security resources.
To accomplish this would require knowledge of BitLocker Drive Encryption (a full disk encryption feature bundled into Microsoft's operating systems), and other future third-party encryption applications. So Heasman and others believe that attackers will first turn their attention to firmware resources that aren't measured by the TPM — of which there can be dozens inside a single computer, many with their own processors.
“You'd be surprised how many components in a modern PC have firmware you can update remotely — DVD drivers, graphic cards, network cards, hard drive controllers,” Heasman explains. “Even the smart battery in laptops can be remotely reflashed. So hypothetically you could program a laptop to dangerously exceed its operating temperatures.”
Many of these components, with their own proprietary interfaces for reflashing firmware, don't require authentication, he continues. Since the operating system relies on the component to tell if it's functioning normally, there's no way for your system security to know otherwise.
Years to prepare
Retrofitting all these flash-programmable devices with TPM-measured or other security-enabled processors isn't financially or physically scaleable. Nor is it possible until manufacturers make security-measured processors available to all types of firmware applications and embed them across our information systems. Unfortunately, once they are widely embedded, it will be many more years before the majority of old systems are swapped out and replaced.
With BIOS-level rootkits already old news, and with a handful of researchers like Heasman opening up firmware exploits, it may already be too late.
“In the case of smart card chips, there are Mafia and terrorists trying to crack the security algorithms to get to the card data,” Kissell says. “They have labs in which they minutely modulate the voltage going in, strip off the layers of protection on the chip, and watch it under an electron microscope to see what's signaling. This is something to be concerned about.”
Deb Radcliff is a freelance writer and VP of publishing for The Security Consortium, www.thesecurityconsortium.net.
Things hackers do
Hide toolkits and rootkits to reinfect machine every time it turns on;
Bypass security like keystroke logger detection by embedding directly on the keyboard controller firmware;
Overheat a CPU remotely.