Automating remote BIOS attacks

2 Likes

Will that mean that someone could write a virus that installs a new operating system on a Windows 10 computer?

11 Likes

This is good information to put out there, but I’d be more interested in how to tell if my BIOS has already been compromised. Knowing how to fix it seems less important than knowing whether or not I can trust it.

2 Likes

The virus can do it, but you can’t, because Win10 won’t let you.

1 Like

The photo shows a clip with probes on a SOIC8 chip. My guess is that it is a serial flash with the BIOS. With such a level of access you can read the chip byte by byte, sector by sector, using a trusted external device, and keep a known-good image (or even just a hash).

Todo: look at how the cutting-edge motherboards are doing it. I had quite a firm grip on this in the age of socketed parallel flash chips and AMI/Award BIOS, but then the tech moved on when I did not pay attention.

4 Likes
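The check described in the post above (read the chip with a trusted external device, keep a known-good image or hash, compare later), as an added example that is not part of the original thread. It assumes the dumps are already in memory as bytes, 4 KiB sectors, and a caller-supplied list of ranges expected to change between boots; the sample image and layout are constructed.

```python
import hashlib

SECTOR = 4096  # assumption: 4 KiB erase sectors, typical for SPI NOR flash

def sector_digests(image, sector=SECTOR):
    """SHA-256 of every sector, so a change can be located, not just detected."""
    return [hashlib.sha256(image[i:i + sector]).digest()
            for i in range(0, len(image), sector)]

def make_baseline(image):
    """Record to keep offline, computed from a dump you trust."""
    return {"size": len(image),
            "sha256": hashlib.sha256(image).hexdigest(),
            "sectors": sector_digests(image)}

def stable_read(read_a, read_b):
    """Two consecutive reads through the clip must agree before either is used."""
    return len(read_a) == len(read_b) and read_a == read_b

def compare(baseline, dump, volatile=()):
    """Return (verdict, changed offsets outside `volatile`, changed offsets inside).

    `volatile` is a hypothetical list of (start, end) byte ranges expected to
    change between boots (such as a settings store); real values must come
    from the layout of the actual image.
    """
    if len(dump) != baseline["size"]:
        return "size-mismatch", [], []
    if hashlib.sha256(dump).hexdigest() == baseline["sha256"]:
        return "match", [], []
    unexpected, expected = [], []
    for n, (old, new) in enumerate(zip(baseline["sectors"], sector_digests(dump))):
        if old != new:
            off = n * SECTOR
            inside = any(s <= off and off + SECTOR <= e for s, e in volatile)
            (expected if inside else unexpected).append(off)
    return ("modified" if unexpected else "volatile-only"), unexpected, expected

# Constructed sample data: a 64 KiB stand-in for a flash image.
GOOD = bytes((i * 7) & 0xFF for i in range(16 * SECTOR))
_t = bytearray(GOOD)
_t[5 * SECTOR + 10] ^= 0xFF   # change in a sector that should never change
_t[14 * SECTOR + 3] ^= 0x01   # change inside the assumed settings area
TAMPERED = bytes(_t)
VOLATILE = [(14 * SECTOR, 16 * SECTOR)]  # assumed layout, for this sample only

if __name__ == "__main__":
    base = make_baseline(GOOD)
    print(compare(base, GOOD))
    print(compare(base, TAMPERED, VOLATILE))
```

A whole-image hash alone only says that something differs; the per-sector list shows where, which is what separates a changed settings area from changed firmware code.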

“When you looked away for 15 seconds.”

4 Likes

Haven’t read TFA yet, but can one just re-flash the BIOS before each boot? Or would that process be corrupted by the rogue BIOS? E.g. a fake successful flash notice.

Edit: no info in TFA

2 Likes

Would have to be done by hardware; a compromised BIOS could interfere with the flashing if done via the computer.

OTOH, if the BIOS is in the SOIC8 chip, we can just wire it as read-only with a switch.

1 Like

From where would you source this re-flash?
The compromised system you just booted, perhaps?
How you gonna re-flash without a running system, of some sort?

Maybe, if you have the little gadget in the picture. Just open 'r up and reflash at hardware level. Be kinda tedious though, every time you boot.

1 Like

So, “might as well give up and jump off a bridge” is the message I get from the succession of stories like this.

7 Likes

[paranoia intensifies]

2 Likes

If only there was some sort of module that would mean that PCs would only boot verified OSes that match a checksum … we could call it TPM

On my ultrabook (Lenovo model, current as of last year), the memory for the UEFI is still in a plain old SOIC8 flash memory, programmable via SPI, but the chip cannot be read or written without removing it from the board. Which is quite hard to do if you don’t have a rework station.

1 Like

You’ve got it backwards. This security issue is about whether the BIOS allows itself to be modified by the OS, not vice versa.

With a bit of practice you can lift pin by pin using a steel needle and a regular (the microelectronics-grade, not the roof-sheeting grade) soldering iron. But try it first on scrap boards. It is easy to lift a pad together with the pin, especially when you overheat the board. Which the lead-less RoHS crap made easier because of higher melting points.

(Tip: if the alloy does not contain bismuth, which happens rarely, you can add a blob of the good lead-containing stuff. It will mix with the tin-only one and the melting point goes quite down. If it does contain bismuth, it forms very low melting phases of bismuth-lead (think Wood’s metal) and may drop off the board if it heats up later. Which may not be much of an issue for low-power logic on a cold part of the board.)

This way you can even selectively pull just some of the pins, and hook the wires onto them.

But practice on something lower-value than a new laptop. There should be quite some old decommissioned ones out there; hoard some and have fun. 🙂 Over a long time, the experience gained that way will pay handsomely for the time spent on it.

2 Likes

That sounds like a great approach. I did indeed have problems with the pad coming up, and ruined a board that way. But in that case it was because I was trying to cut the pins off, and the mechanical stress that that caused. I got the IC replaced one time, but my BIOS patch was messed up so I had to do it again, and on the second attempt the pads just got too screwed up.

1 Like

You need a desoldering work station. Just looked on fleabay and they have 'em for about $225. I don’t know anything about the different brands and features, but they will generally have a handpiece that blows hot air, or fits on the chip like a heat sink (but is a heat source), and melts all the solder on that chip. Precision temp settings for RoHS and good ole 60/40.
As long as the chip’s pins or contacts are around the edges (not a BGA), you can generally resolder the part pretty easily too. As delicate as boards are these days, it’s probably not a bad idea to remove the part from the board merely to cut or bend a pin, then reattach it. Just to avoid pulling up any pads.

1 Like

Goodbye EEPROM, hello ROM.

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.