Easy-peasy BIOS flaw takes just two minutes to exploit

BIOS screen
BIOS screen

Two security researchers have discovered a flaw in millions of computer BIOSes that can be exploited by anyone regardless of their technical ability.

The attack takes just two minutes to carry out, LegbaCore research Xeno Kovah and Corey Kallenberg told The Register, and that the lack of BIOS patches that have been installed means that practically every BIOS out there is open to infection.

"The point is less about how vendors don't fix the problems, and more how the vendors' fixes are going un-applied by users, corporations, and governments," Kovah said, ahead of a presentation they're giving at the CanSecWest gathering.

An unnerving precedent

Their presentation, entitled "How Many Million BIOSes Would You Like to Infect", will be given today and looks to discuss and highlight the dangers of BIOS attacks and in the process persuade system administrators to apply vendor patches, which is not being done.

The two showed how easy it is to use the LightEater implant running the Talis platform to pilfer GPG keys from memory through the BIOS on Gigabyte, Acer, MSI, HP and Asus. In this case it could be used to steal passwords and encrypted communications.

Kovah went on to explain that an unskilled attacker would only need two minutes of physical access to use LightEater to gain access to the target machine.

"We'll boot up the infected HP system and show how LightEater can use the Intel Serial Over Lan technology to exfiltrate data from SMM (System Management Mode), without needing a NIC-specific driver. And we'll show the uber1337 'rot13' encryption which will blind network defenders to what the SMM attacker is exfiltrating," he added.

Gigabyte most unsecure

Among the most unsecure BIOSes was Gigabyte's, where poor access controls meant that nothing was preventing attacks.

"So we didn't even have to do anything special. We just had a kernel driver write an invalid instruction to the first instruction the CPU reads off the flash chip, and bam, it was out for the count, and never was able to boot again," Kovah said.

As part of the presentation, they will reveal details of an automated script that was given to vendors. It can detect dangerous attacks against SMM capable of reading and writing all to system memory and the two researchers will be hoping their presentation can change the attitudes of administrators and end users.