UEFI: Protective Agent or Attack Vector

mike acker

UEFI: Protective Agent or Attack Vector

Post by mike acker »

recent story about the Hacking Team and UEFI as an attack vector

"hacking" I suppose would be the best way to make a path through the briar bushes,...... tee hee,--
however one really should install a gate at either end to the path,---- um, yeah, how about an access list?

if there is anything that is clear in this whole security debauch it is that any mechanism developed for any purpose will be analyzed to determine if it can be re-purposed. as we were taught in the U.S. Army: consider the possibilities available to the enemy; do not waste time trying to guess what he will do.
¡Viva la Resistencia!
exploder

Re: UEFI: Protective Agent or Attack Vector

Post by exploder »

It never ends does it? I just read yesterday that Red Star Linux was found to contain spyware too.

Edit: Corrected the name of the distro. :oops:
niowluka

Re: UEFI: Protective Agent or Attack Vector

Post by niowluka »

Hang on. A hacker hacked Hacking Team ?! This is funnier than Silicon Valley ...
Fred Barclay

Re: UEFI: Protective Agent or Attack Vector

Post by Fred Barclay »

I'm with exploder. It never does end... :( <Sighs in exhaustion>

The safest computer really is the one that's disconnected from the wall circuit and used as a door stop, isn't it?
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Pjotr

Re: UEFI: Protective Agent or Attack Vector

Post by Pjotr »

Fred Barclay wrote: The safest computer really is the one that's disconnected from the wall circuit and used as a door stop, isn't it?
Quite so. :lol:
See the last line of my signature....
All in all, horse sense simply makes sense.
tdockery97

Re: UEFI: Protective Agent or Attack Vector

Post by tdockery97 »

Fred Barclay wrote: The safest computer really is the one that's disconnected from the wall circuit and used as a door stop, isn't it?
I'd probably trip over it. :shock:
Mint Cinnamon 20.1
Fred Barclay

Re: UEFI: Protective Agent or Attack Vector

Post by Fred Barclay »

Pjotr wrote: Quite so. :lol:
See the last line of my signature....
Yeah, that's actually one of my favourite sigs. ;)
exploder

Re: UEFI: Protective Agent or Attack Vector

Post by exploder »

Here is the article on Red Star Linux, got the name wrong earlier...

http://www.theregister.co.uk/2015/07/20 ... t_tracker/

Just shows this kind of thing is going on everywhere....
srs5694

Re: UEFI: Protective Agent or Attack Vector

Post by srs5694 »

Two points:
  • From the article: "A Hacking Team slideshow presentation suggests that installing the UEFI rootkit requires physical access to the target computer." With physical access, no computer is secure. I don't care if it's got an absolutely flawless firmware, boot loader, OS, and applications; with physical access, an attacker can re-write all of those to be something else. (Encrypting all of them would help, but would not be a 100% guarantee of safety.) Remote firmware updates (as on many servers today) could make a remote attack like this possible, but only if the update mechanism itself and access to the computer contain security flaws.
  • The attack involves modifying and re-writing the firmware. This can be done with BIOS, too, and there have been claims of such things in the past. It's a little easier to modify an EFI than a BIOS because the former is written in C whereas the latter is written in the (more obscure) 16-bit assembly language; but the principles of the attack are the same, so there's really nothing fundamentally new here.
In sum, security is a spectrum; there is no such thing as a 100% secure computer (or firmware, or OS, etc.). Compared to BIOS, EFI has features that can help security (such as Secure Boot) and others that may prove to be detriments in the long term (such as the fact that EFI easily runs code that is written in C). EFI is also still pretty new, so flaws are still being discovered in it. Future EFIs are likely to be superior to current ones, and in more ways than just security. IMHO, this story is a bit overblown.
mike acker

Re: UEFI: Protective Agent or Attack Vector

Post by mike acker »

from the article
A Hacking Team slideshow presentation suggests that installing the UEFI rootkit requires physical access to the target computer, but remote installation can’t be ruled out, the Trend Micro researchers said.
(emphasis added)

I need to do more research on this topic: apparently there is supposed to be an option in UEFI to require a password before a UEFI firmware update will be accepted. this would be a Good Thing, although it doesn't help with the question - what was in the UEFI when I got it?

also from the article:
To prevent such infections, Trend Micro advises users to enable the UEFI SecureFlash option, to set up a BIOS/UEFI password and to update the firmware to its latest version so that it has the latest security patches. UEFI/BIOS updates are usually distributed by computer manufacturers through their support websites and some of them do fix issues identified by security researchers.
I'd just as soon replace my UEFI with an open source common BIOS linked to GRUB. I've had to do a couple computers with UEFI in them and so far I've been able to re-set them back to the traditional common BIOS.
Chiefahol

Re: UEFI: Protective Agent or Attack Vector

Post by Chiefahol »

exploder wrote:Here is the article on Red Star Linux, got the name wrong earlier...

http://www.theregister.co.uk/2015/07/20 ... t_tracker/

Just shows this kind of thing is going on everywhere....
That's really not surprising, that a Linux distro maintained by the state of North Korea would have spyware! :lol:

Total shocker!
Fred Barclay

Re: UEFI: Protective Agent or Attack Vector

Post by Fred Barclay »

Chiefahol wrote:
exploder wrote:Here is the article on Red Star Linux, got the name wrong earlier...

http://www.theregister.co.uk/2015/07/20 ... t_tracker/

Just shows this kind of thing is going on everywhere....
That's really not surprising, that a Linux distro maintained by the state of North Korea would have spyware! :lol:

Total shocker!
My thoughts exactly!
BASIC Bob

Re: UEFI: Protective Agent or Attack Vector

Post by BASIC Bob »

I'm buying a new computer, probably a Shuttle XS35V4. How can I get a safe, adequate BIOS? What should I ask for?
srs5694

Re: UEFI: Protective Agent or Attack Vector

Post by srs5694 »

BASIC Bob wrote:I'm buying a new computer, probably a Shuttle XS35V4. How can I get a safe, adequate BIOS? What should I ask for?
If you've already narrowed it down to a specific model, you have very few choices, possibly aside from deciding whether or not to install any updates provided by the manufacturer. The main exception to this rule is that if you're experienced enough (or know somebody who is), you may be able to replace the standard firmware with Coreboot, which is an open source firmware. (There are also Coreboot payloads that turn it into either a BIOS or an EFI.)

If you're willing to reconsider your choice of motherboard, you can of course research the EFIs provided on various competing models. Note that I specified EFIs, because virtually all modern computers and motherboards ship with EFI (and especially UEFI, except for Macs) firmware, not BIOSes. (Many people use "BIOS" the way I use "firmware," but that's confusing in many contexts.) For security, you could read the article referenced by mike acker to see what EFIs are most vulnerable. (Answer: Insyde and possibly AMI EFIs -- but those two provide most of the EFIs in use today, so finding something else may be a challenge.) IMHO, though, avoiding a motherboard because of the referenced exploit is likely to be pointless. Not only is that exploit something that's so esoteric that it's not likely to be an issue for most people, but there are certain to be other exploits down the road. A better approach might be to figure out which manufacturers provide firmware updates for their computers over a relatively long period of time. If Company A provides updates for five years but Company B abandons their firmware updates after one year, Company A is more likely to provide you with security fixes down the road.

You can also use various firmware features to minimize risks. You can set a firmware password and use Secure Boot, for instance. Both of these features can protect against certain types of exploits, but of course neither is a 100% iron-clad guarantee against security problems. Remember that security is not absolute, it's relative. You can take steps to get a firmware that's safer than something else, but never one that's "safe" in any absolute sense.
niowluka

Re: UEFI: Protective Agent or Attack Vector

Post by niowluka »

BASIC Bob wrote:I'm buying a new computer, probably a Shuttle XS35V4. How can I get a safe, adequate BIOS? What should I ask for?
Just get the PC.

Don't get fooled by media scaremongering. This is the gist of what the article actually confirmed:
installing the UEFI rootkit requires physical access to the target computer [...] an attacker must reboot the system into the UEFI shell, extract the firmware, write the rootkit to the dumped image and then flash it back to the system
This all but writes off chances of an actual 'attack' via this method.
The possibility of installing rootkits into a computer’s BIOS or UEFI firmware has been demonstrated by multiple researchers at security conferences over the past several years. However, known cases of such rootkits being used in the wild are extremely rare.
BASIC Bob

Re: UEFI: Protective Agent or Attack Vector

Post by BASIC Bob »

Thanks very much. I'm open to any suggestions for hardware that's either fanless, or in the quietest 2% or so. The one I like so far, http://global.shuttle.com/products/prod ... uctId=1766 advises that custom firmware is available, and gives instructions for some sort of changes that give me hope as well, but I'd want full coaching to do that job myself. I'm having to guess at far too many words today. Would it be reasonable and safe to ask the vendor to do it?

What got me onto this topic was not that article, but this talk by Dennis Mills, questioning the whole rationale of UEFI:
https://www.youtube.com/watch?v=vZWx-c8gvmA
niowluka

Re: UEFI: Protective Agent or Attack Vector

Post by niowluka »

BASIC Bob wrote:What got me onto this topic was not that article, but this talk by Dennis Mills, questioning the whole rationale of UEFI:
https://www.youtube.com/watch?v=vZWx-c8gvmA
I'll let others comment on that. No way I'm sacrificing 1.5h of my life to listen to some random college teacher.

EDIT: grammar
srs5694

Re: UEFI: Protective Agent or Attack Vector

Post by srs5694 »

BASIC Bob wrote:What got me onto this topic was not that article, but this talk by Dennis Mills, questioning the whole rationale of UEFI:
https://www.youtube.com/watch?v=vZWx-c8gvmA
Like niowluka, I'm not going to invest 1.5 hours of my life on watching that video, especially not after reading the summary posted on YouTube:
YouTube summary wrote: In 2012, Microsoft and the NSA introduced a new start up program called UEFI which allows Microsoft, the NSA (or anyone else who holds a key to your computer) to completely turn it off so it will no longer start. He promotes Coreboot which uses a safer start up program.
This description fundamentally misrepresents UEFI. EFI's history is briefly summarized on its Wikipedia page. It was created by Intel, not Microsoft or the NSA (although of course most of what the NSA does is secret, so NSA involvement can't be ruled out, any more than NSA involvement in the formulation of Twinkies can be ruled out). It was created in the mid-1990s, not 2012; it became common in 2012 because Microsoft requires Secure Boot (an otherwise optional UEFI feature) for computers that ship with Windows 8 stickers. Those same licensing requirements give you the ability to install your own keys, thus locking out Microsoft if you so desire. See my Web page on the subject for instructions on how to do this. (Note that Microsoft is changing its licensing for Windows 10 to make this ability optional; however, I've heard through the grapevine that many major PC manufacturers will be retaining this ability.) Microsoft does not supply EFIs; they're created by AMI, Insyde, and others, just as BIOSes have always been supplied to motherboard manufacturers. Most or all EFIs are actually based on open-source code, part of the TianoCore project. TianoCore is BSD-licensed, though, so what you get in your PC is likely to be modified from that with proprietary bits added.

The subject of Secure Boot has been covered to death in the past, and I don't want to rehash that here. In brief, the past discussions have gone something like this:
  • "The sky is falling! The sky is falling!"
  • "No, it's not."
  • "The sky is falling!"
  • "No, it's not."
  • "The sky is falling?"
  • "No, it's not."
  • Quiet falls and life goes on -- until the next round.
The trouble with this sort of exchange is that there is the potential for some restrictive anti-consumer configuration. This is already the case for ARM-based computers, on which Microsoft requires that Secure Boot can not be disabled. Thus, the Chicken Little exchanges may cause people to become complacent if and when trouble does emerge. That time has not yet come (except for ARM devices -- but the cell phones and whatnot that use ARM have always been locked down, so that's not really a UEFI-specific issue).

As to the original question about getting a "safe" motherboard, all this means is: Stop worrying so much. If you're interested, by all means check out Coreboot. Be prepared to do some very low-level stuff to use it, though.
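srs5694's point above about Secure Boot and installing your own keys can be checked from Linux: PK, KEK, db and dbx are stored as chains of EFI_SIGNATURE_LIST structures, and the parser below (an added example, not code from any poster in this thread or from the Mint project) walks that format and reports which owner GUIDs are enrolled, so that after replacing the keys you can confirm no other owner's entries remain. The owner GUIDs and certificate bytes in the sample are constructed placeholders.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures (the body of PK/KEK/db/dbx)
    and return (type_name, owner_guid, signature_data) for every entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI_GUID is mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize runs past the variable")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        for i in range(0, len(body), sig_size):  # one EFI_SIGNATURE_DATA each
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
            entries.append((name, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def foreign_owners(entries, my_owner):
    """Owner GUIDs other than mine; a non-empty set means other keys are still enrolled."""
    return {owner for _, owner, _ in entries if owner != my_owner}

def build_signature_list(sig_type, owner, sigs):
    """Pack one EFI_SIGNATURE_LIST with no SignatureHeader; sigs must be equal length."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body

# Constructed sample db: one certificate I enrolled plus two hashes someone else owns.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")     # placeholder GUID
OTHER_OWNER = uuid.UUID("99999999-8888-7777-6666-555555555555")  # placeholder GUID
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, MY_OWNER, [b"DER-cert-placeholder"])
             + build_signature_list(EFI_CERT_SHA256_GUID, OTHER_OWNER, [bytes(32), b"\x01" * 32]))

if __name__ == "__main__":
    for name, owner, data in parse_signature_lists(SAMPLE_DB):
        print(name, owner, data[:8].hex())
    print("owners other than mine:", foreign_owners(parse_signature_lists(SAMPLE_DB), MY_OWNER))
```

On a real machine the db body is the contents of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f with its first four (attribute) bytes removed; pass that to parse_signature_lists.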
BASIC Bob

Re: UEFI: Protective Agent or Attack Vector

Post by BASIC Bob »

Thanks, that's somewhat reassuring. I too detest the video format, and hope that a written synopsis will have been circulating if most of his points were as cogent as those I could judge.
I understand that there's no 100% security, but it is a hobby of mine to not pre-organize my own security file. I'll try to catch up on my reading now.
lmintnewb2

Re: UEFI: Protective Agent or Attack Vector

Post by lmintnewb2 »

Coreboot ... makes sense that one of open source's advantages = should be more eyes on what's going on. Still guessing always has been and will be a never ending round and round. People trying to compromise and exploit vs people trying not to be.

Thank de gawds more knowledgeable people are on the frontlines than meself! We'd still be using abacuses dang it.