New UEFI Rootkit

For discussions about security.
Flash
Moderator
Posts: 901
Joined: Tue Dec 03, 2019 3:13 pm
Location: Arizona, U.S.
Has thanked: 46 times
Been thanked: 105 times

New UEFI Rootkit

Post by Flash »

New UEFI Rootkit

[2022.07.28] Kaspersky is reporting on a new UEFI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article:

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.

Both links have lots of technical details; the second contains a list of previously discovered UEFI rootkits. Also relevant are the NSA’s capabilities—now a decade old—in this area.

Chaos coordinator :?
wizard
Posts: 1642
Joined: Sun Aug 09, 2020 7:50 pm
Has thanked: 2172 times
Been thanked: 512 times

Re: New UEFI Rootkit

Post by wizard »

Not good news there. :thumbdown: Makes me glad I'm still using legacy BIOS on all my computers. The thing missing is how the rootkit can be injected into a system.

Thanks
wizard

Big pile of OLD computers

wiak
Posts: 3658
Joined: Tue Dec 03, 2019 6:10 am
Location: Packing - big job
Has thanked: 56 times
Been thanked: 1018 times

Re: New UEFI Rootkit

Post by wiak »

wizard wrote: Thu Aug 18, 2022 12:42 pm

Not good news there. :thumbdown: Makes me glad I'm still using legacy BIOS on all my computers. The thing missing is how the rootkit can be injected into a system.

Thanks
wizard

Yes, alarming. I just hope physical access to the machine is required, or these newer (expensive) machines risk becoming 'bricks' later. That's the trouble with system designs that involve complexity - the very complexity that is trying to provide security is what makes it so dangerous - more places for bad code to hide and attack. Keep it simple and allow us just to easily clean everything out and rebuild when the worst ever happens - UEFI firmware and TPM and so on make an easy clean/fix approach an impossibility the way things are going. Built-in redundancy, like some inkjet printers and some older Apple phones that refuse to work after a certain length of use. It should be illegal (with heavy financial penalties to manufacturers) to sell anything that cannot be easily reset to a relatively reliable working state - even nuclear power stations are in danger of being hacked the way such control systems are designed (and connected to the Internet for remote control...) - crazy really.

Open source is supposed to be 'safer' since anyone can read the code, but the more complex it becomes, the more difficult it is to read even for the few experts able to read it... and that firmware stuff is pretty much inaccessible, or near to that, for all but a tiny minority (at best). Certainly, there is no 'easy answer' overall - if simple includes huge 'holes' that are easy to invade and corrupt then that is no good to anyone - but over-complexity seems likely to provide many very hidden attack surfaces that could end up impossible to protect or even fix later. If 'super-secure' UEFI business-type computers become the main target then the rest of us normal users would be better off without that UEFI 'protection' (similar, at a higher software level, to why it is 'safer' to drop Microsoft and use Linux for your desktop really).

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Is it worth translating?

misko_2083
Posts: 196
Joined: Wed Dec 09, 2020 11:59 pm
Has thanked: 10 times
Been thanked: 20 times

Re: New UEFI Rootkit

Post by misko_2083 »

They are not sure how the malware is deployed. Perhaps through a second-hand reseller.
It's interesting how these backdoors are discovered only after a decade or more.
Then a new solution appears on the market with even more undiscovered holes.

I'm not sure what the status is of that LinuxBoot, which runs Linux firmware instead of proprietary UEFI.

Do you want to exit the Circus? The Harsh Truth
https://www.youtube.com/watch?v=ZJwQicZHp_c

mikeslr
Posts: 2821
Joined: Mon Jul 13, 2020 11:08 pm
Has thanked: 173 times
Been thanked: 852 times

Re: New UEFI Rootkit

Post by mikeslr »

The problem with putting all your eggs in one basket is that basket will be the focus of everyone who wants to steal eggs.

On the old forum I reported --with citation of source-- that at the Computer Expo which took place shortly after 'Microsoft' insisted that, to receive its certification, manufacturers had to use UEFI, IIRC 'White-hats' demonstrated compromising UEFI in 15 minutes.

UEFI has nothing to do with 'Security': it had everything to do with maintaining a near-monopoly as to which operating systems could be run on computers. And as Puppy, via first FatDog, later LICK, FrugalPup-Installer and grub2config, has shown, the accomplishment of even that objective was short-lived.

Here's a marketable --i.e., you can make money selling it-- project for someone technically inclined: create an after-market boot manager, installable under Windows, with proprietary code which can replace UEFI and still boot Windows. Grub2 is not enough. But if there were several such boot managers, all the eggs would not be in one basket.

rcrsn51
Posts: 1241
Joined: Sun Aug 23, 2020 4:26 pm
Been thanked: 286 times

Re: New UEFI Rootkit

Post by rcrsn51 »

You are conflating UEFI with Secure Boot.

wiak
Posts: 3658
Joined: Tue Dec 03, 2019 6:10 am
Location: Packing - big job
Has thanked: 56 times
Been thanked: 1018 times

Re: New UEFI Rootkit

Post by wiak »

Secure Boot is an optional extra layer of complexity that, from my point of view, makes the system more secure against Linux kernels, modules, and other core boot components that haven't been signed by the big boys as 'safe' to use. Overall, otherwise, Secure Boot itself provides another avenue for system attack.

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Is it worth translating?
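rcrsn51's point that UEFI and Secure Boot are two different things, and wiak's description of what Secure Boot does and does not enforce, can both be checked on a running Linux machine: the firmware publishes the SecureBoot and SetupMode variables through efivarfs, and a legacy BIOS machine like wizard's has no such variables at all. The script below is an added example written for this thread, not code from any of the posters or from a project they mention. It assumes the Linux efivarfs layout (a 4-byte little-endian attribute word in front of each variable's data, files named Name-GUID under /sys/firmware/efi/efivars) and the EFI global variable GUID; the byte strings used for testing are constructed.

```python
"""Report UEFI Secure Boot state from the Linux efivarfs interface (added example).

Assumptions (not from the forum thread): EFI variables appear as files named
<Name>-<VendorGUID> under /sys/firmware/efi/efivars, each starting with a 4-byte
little-endian attribute word followed by the variable data. SecureBoot and
SetupMode are 1-byte variables under the EFI global variable GUID.
"""
from __future__ import annotations

import os
import struct

EFIVARS_DIR = "/sys/firmware/efi/efivars"
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split a raw efivarfs record into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar record shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def one_byte_flag(raw: bytes) -> bool:
    """Interpret a 1-byte EFI boolean variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def secure_boot_status(read_var) -> dict:
    """Classify the platform from SecureBoot and SetupMode.

    read_var(name) returns the raw record bytes, or None when the variable does
    not exist. No SecureBoot variable means there is no UEFI runtime to ask:
    legacy BIOS / CSM boot, or efivarfs simply not mounted.
    """
    sb_raw = read_var("SecureBoot")
    if sb_raw is None:
        return {"uefi": False, "secure_boot": False, "setup_mode": None,
                "verdict": "no EFI variables: legacy BIOS/CSM boot or efivarfs not mounted"}
    sm_raw = read_var("SetupMode")
    enabled = one_byte_flag(sb_raw)
    setup = one_byte_flag(sm_raw) if sm_raw is not None else None
    if setup:
        # In setup mode no Platform Key is enrolled, so the signature databases
        # (db/dbx/KEK) can be rewritten without authentication: nothing is enforced.
        verdict = "SetupMode=1: no Platform Key enrolled, signature databases writable, nothing enforced"
    elif enabled:
        verdict = "Secure Boot enforcing: unsigned boot loaders and kernels are rejected by firmware"
    else:
        verdict = "Secure Boot disabled: firmware loads unsigned boot components (UEFI itself still runs)"
    return {"uefi": True, "secure_boot": enabled, "setup_mode": setup, "verdict": verdict}


def read_sysfs_var(name: str):
    """Read one EFI global variable from efivarfs; None if it is absent."""
    path = os.path.join(EFIVARS_DIR, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(secure_boot_status(read_sysfs_var)["verdict"])
```

Run as root or any user that can read efivarfs. Note what the verdict does and does not say: "Secure Boot disabled" still means the machine boots through UEFI firmware living in the SPI chip, which is the layer the Kaspersky rootkit sits in; Secure Boot only verifies what that firmware loads afterwards, not the firmware itself.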

Flash
Moderator
Posts: 901
Joined: Tue Dec 03, 2019 3:13 pm
Location: Arizona, U.S.
Has thanked: 46 times
Been thanked: 105 times

Re: New UEFI Rootkit

Post by Flash »

Flash wrote: Thu Aug 18, 2022 4:56 am

...It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code.

I have no idea how you'd connect to the SPI bus, but once that's been accomplished, Arduino & Serial Peripheral Interface (SPI) might provide a way to reprogram the UEFI flash storage chip.

Chaos coordinator :?
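Flash's post is about writing the chip; the companion step a defender wants, once a dump has been read off the SPI flash, is to compare it against a known-good image of the same board, because a rootkit in that chip is exactly what survives the disk replacement and OS reinstall described in the opening post. The script below is an added example written for this thread, not code from Flash, from Kaspersky's write-up or from any project named here. It assumes two raw full-chip binaries of equal size (for instance read with an external programmer or flashrom) and reports differences at the 4 KiB sector granularity SPI NOR parts are erased in; the two sample images are constructed inline.

```python
"""Compare a dumped SPI flash image against a known-good reference (added example).

Assumptions (not from the forum thread): both files are raw full-chip reads of
the same size; SPI NOR flash is erased and written in 4 KiB sectors, so
differences are reported per sector with a SHA-256 of each side.
"""
from __future__ import annotations

import hashlib

SECTOR = 4096


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_sectors(dump: bytes, reference: bytes) -> list[dict]:
    """Return one record per 4 KiB sector whose content differs between the images."""
    if len(dump) != len(reference):
        raise ValueError(f"size mismatch: dump {len(dump)} bytes, reference {len(reference)} bytes")
    diffs = []
    for off in range(0, len(dump), SECTOR):
        a = dump[off:off + SECTOR]
        b = reference[off:off + SECTOR]
        if a != b:
            first = next(i for i in range(len(a)) if a[i] != b[i])
            changed = sum(1 for x, y in zip(a, b) if x != y)
            diffs.append({"offset": off, "first_diff": off + first, "changed_bytes": changed,
                          "dump_sha256": sha256_hex(a), "ref_sha256": sha256_hex(b)})
    return diffs


def report(dump: bytes, reference: bytes) -> dict:
    """Whole-image hashes plus the per-sector difference list."""
    diffs = differing_sectors(dump, reference)
    return {"identical": not diffs,
            "dump_sha256": sha256_hex(dump),
            "ref_sha256": sha256_hex(reference),
            "sectors_total": (len(dump) + SECTOR - 1) // SECTOR,
            "sectors_differing": len(diffs),
            "diffs": diffs}


def build_samples() -> tuple[bytes, bytes]:
    """Constructed sample: a 32 KiB 'chip' image and a dump with one altered sector."""
    reference = bytearray(b"\xff" * (8 * SECTOR))   # erased flash reads as 0xFF
    reference[0:8] = b"REFIMAGE"                     # stand-in for real firmware content
    dump = bytearray(reference)
    dump[3 * SECTOR + 16:3 * SECTOR + 24] = b"MODIFIED"
    return bytes(dump), bytes(reference)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            d, r = f1.read(), f2.read()
    else:
        d, r = build_samples()
    rep = report(d, r)
    print(f"dump {rep['dump_sha256']}\nref  {rep['ref_sha256']}")
    print(f"identical={rep['identical']} differing sectors={rep['sectors_differing']}/{rep['sectors_total']}")
    for rec in rep["diffs"]:
        print(f"  sector @0x{rec['offset']:06x}: first diff 0x{rec['first_diff']:06x}, "
              f"{rec['changed_bytes']} bytes changed")
```

Usage: `python3 flashdiff.py dump.bin vendor.bin` (the script name is my own). Two caveats when reading the output: the NVRAM variable store region of a real image changes across boots (boot order, enrolled keys, vendor settings), so sectors there differing from a vendor image are expected, while differences in the firmware volumes holding PEI/DXE code are what merit a closer look with a firmware parser; and where the flash descriptor restricts reads of some regions, the dump does not contain their real content, so a mismatch there is not evidence of tampering.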
wiak
Posts: 3658
Joined: Tue Dec 03, 2019 6:10 am
Location: Packing - big job
Has thanked: 56 times
Been thanked: 1018 times

Re: New UEFI Rootkit

Post by wiak »

Flash wrote: Sat Aug 20, 2022 11:53 pm
Flash wrote: Thu Aug 18, 2022 4:56 am

...It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code.

I have no idea how you'd connect to the SPI bus, but once that's been accomplished, Arduino & Serial Peripheral Interface (SPI) might provide a way to reprogram the UEFI flash storage chip.

Except you'd likely need to unsolder the chip (at least if on a laptop), which no doubt nowadays has mega-multiple pins and is surface-mount soldered! But in theory you could no doubt re-flash it via some external flashing device, assuming you could also thus side-load the clean code you wanted to re-write it with. For all but the tiniest minority of electronic engineers/technicians with sufficient knowledge and suitable tools/equipment this scenario is unlikely to happen. But, yes, if you could get away with clipping on to the chip (or where relevant) without desoldering you might be able to reprogram it by some method such as you suggest/describe.

There are technical notes re SPI of course: https://www.sentinelone.com/labs/moving ... -firmware/
https://superuser.com/questions/619197/ ... uefi-shell

EDIT: but this might be interesting - a UEFI repair YouTube video:

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Is it worth translating?

misko_2083
Posts: 196
Joined: Wed Dec 09, 2020 11:59 pm
Has thanked: 10 times
Been thanked: 20 times

Re: New UEFI Rootkit

Post by misko_2083 »

wiak wrote: Sun Aug 21, 2022 12:07 am

Except you'd likely need to unsolder the chip (at least if on a laptop), which no doubt nowadays has mega-multiple-pins and is surface mount soldered! But in theory you could no doubt re-flash it via some external flashing device assuming you could also thus side-load the clean code you wanted to re-write it with. For all but the tiniest minority of electronic engineer/technicians with sufficient knowledge and suitable tools/equipment this scenario is unlikely to happen. But, yes, if you could get away with clipping on to the chip (or where relevant) without desoldering you might be able to reprogram it by some method such as you suggest/describe.

People do solder those tiny pins.
But it needs a microscope and more equipment.
Steady hands and patience above all.
I know some motherboard manufacturers provided tools to flash the BIOS.
Some from Windows, some from a USB stick.
It's so risky to flash because a failure of the power grid while writing new firmware leaves the BIOS corrupt.

Do you want to exit the Circus? The Harsh Truth
https://www.youtube.com/watch?v=ZJwQicZHp_c

Flash
Moderator
Posts: 901
Joined: Tue Dec 03, 2019 3:13 pm
Location: Arizona, U.S.
Has thanked: 46 times
Been thanked: 105 times

Re: New UEFI Rootkit

Post by Flash »

Soldering a new IC to a board is easy compared with getting the old one off and cleaning the lands without breaking them loose.

The way I've removed surface-mount ICs is to melt a blob of solder all along the pins on both sides, then heat the solder until it is molten on both sides. Done properly, the IC lifts off the board without damaging the lands and the IC can be reused if it turns out to be good. Then it's a matter of cleaning all that solder off the lands with solder wick. A destructive method is to use a sharp knife to cut the pins from the IC, then unsolder each pin individually. I don't use that method but I've known people who did.

An infrared heat gun or a hot air gun would work too but I've never had the opportunity to use one.

I found that I don't need a microscope to solder a surface-mount IC to a board.

Chaos coordinator :?
mikeslr
Posts: 2821
Joined: Mon Jul 13, 2020 11:08 pm
Has thanked: 173 times
Been thanked: 852 times

Re: New UEFI Rootkit

Post by mikeslr »

rcrsn51 wrote: Sat Aug 20, 2022 6:38 pm

You are conflating UEFI with Secure Boot.

Yes, you're right. Memory plays tricks, especially mine. :( But not about the vulnerability UEFI creates, which was quickly discovered. I found my post about it,
https://oldforum.puppylinux.com/viewtop ... 79#p859079. Read what the post quotes.

Strangely, the link to the post it cited no longer works. Maybe it was on a server employing UEFI and Secure Boot which was hacked? Maybe it's been censored?

misko_2083
Posts: 196
Joined: Wed Dec 09, 2020 11:59 pm
Has thanked: 10 times
Been thanked: 20 times

Re: New UEFI Rootkit

Post by misko_2083 »

Flash wrote: Sun Aug 21, 2022 5:21 pm

I found that I don't need a microscope to solder a surface-mount IC to a board.

It's easy for you, you got struck by lightning and gained superpowers. We regular people need some special tools. :D

Do you want to exit the Circus? The Harsh Truth
https://www.youtube.com/watch?v=ZJwQicZHp_c

rockedge
Site Admin
Posts: 5746
Joined: Mon Dec 02, 2019 1:38 am
Location: Connecticut,U.S.A.
Has thanked: 2023 times
Been thanked: 2110 times

Re: New UEFI Rootkit

Post by rockedge »

A good friend of mine teaches this type of soldering for a defense contractor. They make parts for commercial and military aerospace.

wiak
Posts: 3658
Joined: Tue Dec 03, 2019 6:10 am
Location: Packing - big job
Has thanked: 56 times
Been thanked: 1018 times

Re: New UEFI Rootkit

Post by wiak »

rockedge wrote: Tue Aug 23, 2022 12:53 pm

A good friend of mine teaches this type of soldering for a defense contractor. They make parts for commercial and military aerospace.

I used to solder thousands of solder joints per day using a great old Weller soldering station. But now my eyesight is so bad, and I only have a cheap rubbish soldering iron, so I struggle without magnifying tools and so on - a real pain. I see my dentist is now using lots of magnifying-type glasses - I think I will change my dentist.

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Is it worth translating?
