UEFI: Protective Agent or Attack Vector
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
- Level 7
- Posts: 1517
- Joined: Wed Jul 31, 2013 6:29 pm
- Location: Kalamazoo, MI
UEFI: Protective Agent or Attack Vector
recent story about the Hacking Team and UEFI as an attack vector
"hacking" I suppose would be the best way to make a path through the briar bushes,...... tee hee,--
however one really should install a gate at either end to the path,---- um, yeah, how about an access list?
if there is anything that is clear in this whole security debauch it is that any mechanism developed for any purpose will be analyzed to determine if it can be re-purposed. as we were taught in the U.S. Army: consider the possibilities available to the enemy; do not waste time trying to guess what he will do.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
¡Viva la Resistencia!
Re: UEFI: Protective Agent or Attack Vector
It never ends does it? I just read yesterday that Red Star Linux was found to contain spyware too.
Edit: Corrected the name of the distro.
Last edited by exploder on Tue Jul 21, 2015 8:47 pm, edited 1 time in total.
Re: UEFI: Protective Agent or Attack Vector
Hang on. A hacker hacked Hacking Team ?! This is funnier than Silicon Valley ...
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: UEFI: Protective Agent or Attack Vector
I'm with exploder. It never does end... <Sighs in exhaustion>
The safest computer really is the one that's disconnected from the wall circuit and used as a door stop, isn't it?
- Pjotr
- Level 24
- Posts: 20086
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: UEFI: Protective Agent or Attack Vector
Fred Barclay wrote: The safest computer really is the one that's disconnected from the wall circuit and used as a door stop, isn't it?
Quite so.
See the last line of my signature....
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
- tdockery97
- Level 14
- Posts: 5058
- Joined: Sun Jan 10, 2010 8:54 am
- Location: Mt. Angel, Oregon
Re: UEFI: Protective Agent or Attack Vector
Fred Barclay wrote: The safest computer really is the one that's disconnected from the wall circuit and used as a door stop, isn't it?
I'd probably trip over it.
Mint Cinnamon 20.1
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: UEFI: Protective Agent or Attack Vector
Pjotr wrote: Quite so. See the last line of my signature....
Yeah, that's actually one of my favourite sigs.
Re: UEFI: Protective Agent or Attack Vector
Here is the article on Red Star Linux, got the name wrong earlier...
http://www.theregister.co.uk/2015/07/20 ... t_tracker/
Just shows this kind of thing is going on everywhere....
Re: UEFI: Protective Agent or Attack Vector
Two points:
- From the article: "A Hacking Team slideshow presentation suggests that installing the UEFI rootkit requires physical access to the target computer." With physical access, no computer is secure. I don't care if it's got an absolutely flawless firmware, boot loader, OS, and applications; with physical access, an attacker can re-write all of those to be something else. (Encrypting all of them would help, but would not be a 100% guarantee of safety.) Remote firmware updates (as on many servers today) could make a remote attack like this possible, but only if the update mechanism itself and access to the computer contain security flaws.
- The attack involves modifying and re-writing the firmware. This can be done with BIOS, too, and there have been claims of such things in the past. It's a little easier to modify an EFI than a BIOS because the former is written in C whereas the latter is written in the (more obscure) 16-bit assembly language; but the principles of the attack are the same, so there's really nothing fundamentally new here.
- Level 7
- Posts: 1517
- Joined: Wed Jul 31, 2013 6:29 pm
- Location: Kalamazoo, MI
Re: UEFI: Protective Agent or Attack Vector
from the article ( emphasis added ):
A Hacking Team slideshow presentation suggests that installing the UEFI rootkit requires physical access to the target computer, but remote installation can't be ruled out, the Trend Micro researchers said.
I need to do more research on this topic: apparently there is supposed to be an option in UEFI to require a password before a UEFI firmware update will be accepted. this would be a Good Thing, although it doesn't help with the question - what was in the UEFI when I got it?
also from the article:
To prevent such infections, Trend Micro advises users to enable the UEFI SecureFlash option, to set up a BIOS/UEFI password and to update the firmware to its latest version so that it has the latest security patches. UEFI/BIOS updates are usually distributed by computer manufacturers through their support websites and some of them do fix issues identified by security researchers.
I'd just as soon replace my UEFI with an open source common BIOS linked to GRUB. I've had to do a couple of computers with UEFI in them and so far I've been able to re-set them back to the traditional common BIOS.
¡Viva la Resistencia!
Re: UEFI: Protective Agent or Attack Vector
exploder wrote: Here is the article on Red Star Linux, got the name wrong earlier...
http://www.theregister.co.uk/2015/07/20 ... t_tracker/
Just shows this kind of thing is going on everywhere....
That's really not surprising, that a linux distro maintained by the state of north korea would have spyware!
Total shocker!
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: UEFI: Protective Agent or Attack Vector
Chiefahol wrote:
exploder wrote: Here is the article on Red Star Linux, got the name wrong earlier...
http://www.theregister.co.uk/2015/07/20 ... t_tracker/
Just shows this kind of thing is going on everywhere....
That's really not surprising, that a linux distro maintained by the state of north korea would have spyware!
Total shocker!
My thoughts exactly!
Re: UEFI: Protective Agent or Attack Vector
I'm buying a new computer, probably a Shuttle XS35V4. How can I get a safe, adequate BIOS? What should I ask for?
Re: UEFI: Protective Agent or Attack Vector
BASIC Bob wrote: I'm buying a new computer, probably a Shuttle XS35V4. How can I get a safe, adequate BIOS? What should I ask for?
If you've already narrowed it down to a specific model, you have very few choices, possibly aside from deciding whether or not to install any updates provided by the manufacturer. The main exception to this rule is that if you're experienced enough (or know somebody who is), you may be able to replace the standard firmware with Coreboot, which is an open source firmware. (There are also Coreboot payloads that turn it into either a BIOS or an EFI.)
If you're willing to reconsider your choice of motherboard, you can of course research the EFIs provided on various competing models. Note that I specified EFIs, because virtually all modern computers and motherboards ship with EFI (and especially UEFI, except for Macs) firmware, not BIOSes. (Many people use "BIOS" the way I use "firmware," but that's confusing in many contexts.) For security, you could read the article referenced by mike acker to see what EFIs are most vulnerable. (Answer: Insyde and possibly AMI EFIs -- but those two provide most of the EFIs in use today, so finding something else may be a challenge.) IMHO, though, avoiding a motherboard because of the referenced exploit is likely to be pointless. Not only is that exploit something that's so esoteric that it's not likely to be an issue for most people, but there are certain to be other exploits down the road. A better approach might be to figure out which manufacturers provide firmware updates for their computers over a relatively long period of time. If Company A provides updates for five years but Company B abandons their firmware updates after one year, Company A is more likely to provide you with security fixes down the road.
You can also use various firmware features to minimize risks. You can set a firmware password and use Secure Boot, for instance. Both of these features can protect against certain types of exploits, but of course neither is a 100% iron-clad guarantee against security problems. Remember that security is not absolute, it's relative. You can take steps to get a firmware that's safer than something else, but never one that's "safe" in any absolute sense.
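A quick way to confirm on a running Linux system that the Secure Boot advice above actually took effect, written as an added example for this thread (not from any poster): it reads the SecureBoot and SetupMode variables from efivars. Setup Mode means no Platform Key is enrolled, so the signature databases can still be rewritten without authentication even if the firmware reports Secure Boot on.

```shell
#!/bin/sh
# Added example: report UEFI Secure Boot state from the efivars filesystem.
# Each efivar file is 4 bytes of attributes followed by the variable data;
# for SecureBoot and SetupMode the data is one byte (1 = on, 0 = off).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# Print the first data byte of efivar "$2" under directory "$1" as a decimal,
# "missing" when no such variable exists, "unreadable" when it is too short.
efivar_byte() {
    f=$(ls "$1"/"$2"-* 2>/dev/null | head -n 1)
    [ -n "$f" ] || { echo missing; return; }
    # skip the 4 attribute bytes, then read exactly one data byte
    v=$(dd if="$f" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    echo "${v:-unreadable}"
}

# Combine SecureBoot and SetupMode into one verdict for directory "$1".
secure_boot_state() {
    sb=$(efivar_byte "$1" SecureBoot)
    sm=$(efivar_byte "$1" SetupMode)
    if [ "$sb" = missing ]; then
        echo "legacy-or-no-efivars"   # BIOS boot, or efivarfs not mounted
    elif [ "$sm" = 1 ]; then
        echo "setup-mode"             # no PK enrolled: key stores are writable
    elif [ "$sb" = 1 ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}
```

On a real machine call `secure_boot_state "$EFIVARS"`; anything other than "enabled" deserves a look in the firmware setup.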
Re: UEFI: Protective Agent or Attack Vector
BASIC Bob wrote: I'm buying a new computer, probably a Shuttle XS35V4. How can I get a safe, adequate BIOS? What should I ask for?
Just get the PC.
Don't get fooled by media scaremongering. This is the gist of what the article actually confirmed:
installing the UEFI rootkit requires physical access to the target computer [...] an attacker must reboot the system into the UEFI shell, extract the firmware, write the rootkit to the dumped image and then flash it back to the system
The possibility of installing rootkits into a computer's BIOS or UEFI firmware has been demonstrated by multiple researchers at security conferences over the past several years. However, known cases of such rootkits being used in the wild are extremely rare.
This all but writes off chances of an actual 'attack' via this method.
Re: UEFI: Protective Agent or Attack Vector
Thanks very much. I'm open to any suggestions for hardware that's either fanless, or in the quietest 2% or so. The one I like so far, http://global.shuttle.com/products/prod ... uctId=1766 advises that custom firmware is available, and gives instructions for some sort of changes that give me hope as well, but I'd want full coaching to do that job myself. I'm having to guess at far too many words today. Would it be reasonable and safe to ask the vendor to do it?
What got me onto this topic was not that article, but this talk by Dennis Mills, questioning the whole rationale of UEFI:
https://www.youtube.com/watch?v=vZWx-c8gvmA
Re: UEFI: Protective Agent or Attack Vector
BASIC Bob wrote: What got me onto this topic was not that article, but this talk by Dennis Mills, questioning the whole rationale of UEFI:
https://www.youtube.com/watch?v=vZWx-c8gvmA
I'll let others comment on that. No way I'm sacrificing 1.5h of my life to listen to some random college teacher.
EDIT: grammar
Re: UEFI: Protective Agent or Attack Vector
BASIC Bob wrote: What got me onto this topic was not that article, but this talk by Dennis Mills, questioning the whole rationale of UEFI:
https://www.youtube.com/watch?v=vZWx-c8gvmA
Like niowluka, I'm not going to invest 1.5 hours of my life on watching that video, especially not after reading the summary posted on YouTube:
YouTube summary wrote: In 2012, Microsoft and the NSA introduced a new start up program called UEFI which allows Microsoft, the NSA (or anyone else who holds a key to your computer) to completely turn it off so it will no longer start. He promotes Coreboot which use a safer start up program.
This description fundamentally misrepresents UEFI. EFI's history is briefly summarized on its Wikipedia page. It was created by Intel, not Microsoft or the NSA (although of course most of what the NSA does is secret, so NSA involvement can't be ruled out, any more than NSA involvement in the formulation of Twinkies can be ruled out). It was created in the mid-1990s, not 2012; it became common in 2012 because Microsoft requires Secure Boot (an otherwise optional UEFI feature) for computers that ship with Windows 8 stickers. Those same licensing requirements give you the ability to install your own keys, thus locking out Microsoft if you so desire. See my Web page on the subject for instructions on how to do this. (Note that Microsoft is changing its licensing for Windows 10 to make this ability optional; however, I've heard through the grapevine that many major PC manufacturers will be retaining this ability.) Microsoft does not supply EFIs; they're created by AMI, Insyde, and others, just as BIOSes have always been supplied to motherboard manufacturers. Most or all EFIs are actually based on open-source code, part of the TianoCore project. TianoCore is BSD-licensed, though, so what you get in your PC is likely to be modified from that with proprietary bits added.
The subject of Secure Boot has been covered to death in the past, and I don't want to rehash that here. In brief, the past discussions have gone something like this:
- "The sky is falling! The sky is falling!"
- "No, it's not."
- "The sky is falling!"
- "No, it's not."
- "The sky is falling?"
- "No, it's not."
- Quiet falls and life goes on -- until the next round.
As to the original question about getting a "safe" motherboard, all this means is: Stop worrying so much. If you're interested, by all means check out Coreboot. Be prepared to do some very low-level stuff to use it, though.
Re: UEFI: Protective Agent or Attack Vector
Thanks, that's somewhat reassuring. I too detest the video format, and hope that a written synopsis will have been circulating if most of his points were as cogent as those I could judge.
I understand that there's no 100% security, but it is a hobby of mine to not pre-organize my own security file. I'll try to catch up on my reading now.
Re: UEFI: Protective Agent or Attack Vector
Coreboot ... makes sense that one of open source's advantages = Should be more eyes on what's going on. Still guessing always has been and will be a never ending round n round. People trying to compromise and exploit vs people trying not to be.
Thank de gawds more knowledgeable people are on the frontlines than meself! We'd still be using abacuses dang it.