Story 2015-08-24 J92P 'Voodoo' Hackers: Stealing Secrets From Snowden's Favorite OS Is Easier Than You'd Think

'Voodoo' Hackers: Stealing Secrets From Snowden's Favorite OS Is Easier Than You'd Think

by
Anonymous Coward
in security on (#J92P)
Tor has its advocates, and it's certainly our best chance at ensuring a modicum of privacy online. But it's got vulnerabilities of its own.

One attack vector is through secure BIOS systems that can be rooted and then have access to everything a computer does, regardless of operating system.
Kallenberg and Kovah have created a tool that automates the identification and exploitation of BIOS bugs, a number of which they will detail at CanSecWest. Using their own bespoke malware, they have repeatedly been able to gain access to System Management Mode (SMM), a part of the computer used by firmware that’s entirely separate from other processes, but can read everything going through a machine’s memory.

“Once the payload is delivered, we have an agent running in SMM,” said Kallenberg during a demo session with FORBES. “The thing about SMM is that it runs independent of the operating system, the operating system has no visibility into system management mode, it’s a protected region that can’t be read or written by the OS – Tails can’t read or write to it – but it has access to all of memory.”
Check out the rest at 'Voodoo' Hackers: Stealing Secrets From Snowden's Favorite OS Is Easier Than You'd Think.
Reply 7 comments

Not just TOR (Score: 1)

by zafiro17@pipedot.org on 2015-08-24 07:54 (#J951)

This is a somewhat misleading article by Forbes. It's poking holes in Tor, but it seems these vulnerabilities would affect anything at all. It's hard to protect yourself from an attack at the BIOS level, unless you swallow Microsoft's SecureBoot strategy, which a lot of us find distasteful.

FFS (Score: 0)

by Anonymous Coward on 2015-08-24 12:33 (#J9RT)

Can we go back to the days when the only way to modify the BIOS was pre-boot?!? Who ever thought that allowing an OS to modify the BIOS was ever a good idea?

Re: FFS (Score: 1)

by zafiro17@pipedot.org on 2015-08-24 13:12 (#J9VS)

Credit goes too, to groups like Intel, who have steadily increased the 'power' and 'utility' of the BIOS to the point where it is now a fun attack vector. All this 'management code' and such - I can't be specific because I scarecely understand it, myself - is frightening.

BIOS should check the hardware, hand things off to the boot loader, and then "peace out." Make any code complicated enough and begins to become a target; I think that's exactly what we've got here.

Re: FFS (Score: 1)

by billshooterofbul@pipedot.org on 2015-08-24 19:15 (#JAZD)

Well, ok, how do you then update the "bios"?

Re: FFS (Score: 1)

by zafiro17@pipedot.org on 2015-08-25 04:27 (#JC3B)

You have a point. But my ignorant response would be, "why would you ever need to update the BIOS on a machine when its role is reduced to something so simple?"

Re: FFS (Score: 1)

by evilviper@pipedot.org on 2015-08-24 21:05 (#JB8Z)

Credit goes too, to groups like Intel, who have steadily increased the 'power' and 'utility' of the BIOS to the point where it is now a fun attack vector.
Actually, the only thing that changed to make rootkits in firmware practical, is the size of the EEPROM. Back when your CMOS was 64K, there wasn't a lot of room to hide very advanced malicious code in there. Now that there's multiple megabytes to work with, there's plenty of room to store that code. You'd have these problems whether firmware got more advanced, or not. Even the simplest firmware can be modified to boot other (malicious) code first.

Requiring firmware to be cryptographically signed could solve the problem... as well as a jumper on the board that disables firmware updates. OEMs just need to be encouraged to care enough to do something... Right now, they don't.