Hacking Team Used UEFI BIOS Rootkits

HardOCP News

If these guys spent as much time on defense as they did on hacking tools, they might not be in the predicament they currently find themselves in.

Hacking Team has not only developed exploits and flaws, but also uses a Unified Extensible Firmware Interface (UEFI) BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems. The use of this type of rootkit means that even if the victim formats the infected machine's hard drive, buys a new HD or reinstalls the Windows operating system, the tools are once again implanted to resume their tasks.
 
Watch, if you try to reflash, it will infect the USB on insert, then reinstall on reflash
 
One more reason UEFI sucks. It never needed to exist in the first place.
 
b-b-but they said they were the good guys! surely, what they do is fine especially if "good" governments are their customers. think of all the terrorism that they prevent! and think of the children.
 
UEFI does have its advantages, but that's the tradeoff: more convenience = less security.
 
Why would MBR have been less vulnerable than UEFI under an attack of this scale?
 
UEFI does have its advantages, but that's the tradeoff: more convenience = less security.

What convenience? It's been a PITA trying to boot USB flash live Linux compared to traditional BIOS.
 
What convenience? It's been a PITA trying to boot USB flash live Linux compared to traditional BIOS.
I had to use a live Ubuntu USB on an HP Pavilion that shipped with Win 8.1 the other day, no issues whatsoever. I've also had no problems getting live Ubuntu USBs to boot on Dells with UEFI.

You don't even have to disable secure boot, as Canonical's bootloader is signed. For those distros that do not have a signed bootloader (which is inexcusable, as the Linux Foundation itself provides Verisign'd keys) you simply disable secure boot.
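Since the post above turns on whether the firmware is enforcing Secure Boot or has been switched off, here is a small checker, added to this thread as an example (not code from the article or from any poster), that reads the state the firmware reports. It assumes a Linux host with efivarfs mounted at /sys/firmware/efi/efivars; the SAMPLE_* blobs are constructed so the parser can be exercised offline.

```python
"""Check what the firmware reports for Secure Boot by parsing efivarfs.

Added example for this thread, not code from the article or from any of the
posters. Assumes a Linux host with efivarfs at the usual path; the SAMPLE_*
blobs below are constructed so the parser runs without that.
"""
import struct
from pathlib import Path
from typing import Optional, Tuple

# GUID of EFI_GLOBAL_VARIABLE, the namespace that owns SecureBoot and SetupMode
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# Attribute bits from the UEFI spec (GetVariable). SecureBoot and SetupMode are
# volatile, boot-service + runtime accessible, so a real machine shows 0x6.
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(blob: bytes) -> Tuple[int, bytes]:
    """An efivarfs file is a 4-byte little-endian attribute mask, then the data."""
    if len(blob) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def secure_boot_state(secureboot_blob: bytes, setupmode_blob: Optional[bytes]) -> str:
    """Classify enforcement from SecureBoot (1 = enforcing) and SetupMode (1 = no PK enrolled).

    Returns "enforcing", "disabled", "setup-mode" or "inconsistent".
    """
    _, sb = parse_efivar(secureboot_blob)
    sb_on = len(sb) >= 1 and sb[0] == 1
    if setupmode_blob is None:
        return "enforcing" if sb_on else "disabled"
    _, sm = parse_efivar(setupmode_blob)
    in_setup = len(sm) >= 1 and sm[0] == 1
    if in_setup and sb_on:
        # Enforcement claimed with no Platform Key: firmware bug or a tampered variable store.
        return "inconsistent"
    if in_setup:
        return "setup-mode"
    return "enforcing" if sb_on else "disabled"


def read_efivar(name: str, guid: str = EFI_GLOBAL_VARIABLE_GUID) -> Optional[bytes]:
    """Raw efivarfs file for a variable, or None if absent (legacy BIOS boot, no efivarfs)."""
    try:
        return (EFIVARS_DIR / f"{name}-{guid}").read_bytes()
    except OSError:
        return None


def live_state() -> str:
    """State of the machine this runs on; "no-efivars" when the variable cannot be read."""
    sb = read_efivar("SecureBoot")
    if sb is None:
        return "no-efivars"
    return secure_boot_state(sb, read_efivar("SetupMode"))


# Constructed sample blobs: attributes 0x6 followed by the single data byte.
_ATTRS = struct.pack("<I", EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
SAMPLE_SB_ON = _ATTRS + b"\x01"
SAMPLE_SB_OFF = _ATTRS + b"\x00"
SAMPLE_SETUP_MODE = _ATTRS + b"\x01"
SAMPLE_USER_MODE = _ATTRS + b"\x00"

if __name__ == "__main__":
    print("constructed enforcing :", secure_boot_state(SAMPLE_SB_ON, SAMPLE_USER_MODE))
    print("constructed disabled  :", secure_boot_state(SAMPLE_SB_OFF, SAMPLE_USER_MODE))
    print("this machine          :", live_state())
```

One caveat worth keeping in mind given the topic of the thread: this reads the value the firmware chooses to report, and a firmware-resident implant sits below that. It is a sanity check on configuration, not attestation; for the latter you need a TPM quote over the measured boot log.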
 
UEFI is great. There is tons of documentation out for it. It's superior to that which came before it, IF utilized properly. That's the issue. Lots of OEMs and vendors not implementing or holding to the specs properly.....
 
UEFI is great. There is tons of documentation out for it. It's superior to that which came before it, IF utilized properly. That's the issue. Lots of OEMs and vendors not implementing or holding to the specs properly.....

I'm sure the documentation has gotten better since I had to deal with it. My beef is that I don't want a program running under my OS.

Next we will need AV at the BIOS level. Imagine that nightmare when a security update can brick your machine.
 
Why the FUCK is the BIOS ROM flash-able without the user having to move a jumper on the motherboard to allow writing?

Seriously, Intel and the rest are as pathetic at security as the software companies are.

We have Building and Fire codes, time for the State to require basic Security codes.
 
No it's not, we should have learned our lessons by now. A physical jumper is the only way to ASSURE Security. Anything less is hackable by someone.
 
and this is why Germany is back to using typewriters...

also why we can't have nice things.

now this guy is truly a perpetrator of treason in a lot of countries.

when's he going to jail?
 
I had to use a live Ubuntu USB on an HP Pavilion that shipped with Win 8.1 the other day, no issues whatsoever. I've also had no problems getting live Ubuntu USBs to boot on Dells with UEFI.

You don't even have to disable secure boot, as Canonical's bootloader is signed. For those distros that do not have a signed bootloader (which is inexcusable, as the Linux Foundation itself provides Verisign'd keys) you simply disable secure boot.
Many only trust the MS keys, in my experience, forcing the disable of secure boot to use Linux, which is fine by me as it means the TPM won't decrypt the BitLocker drive.
 
Why the FUCK is the BIOS ROM flash-able without the user having to move a jumper on the motherboard to allow writing?

Seriously, Intel and the rest are as pathetic at security as the software companies are.

We have Building and Fire codes, time for the State to require basic Security codes.

If they have to have physical access anyway, couldn't they just move the jumper?

"A slideshow produced by Hacking Team and available to view through leaked emails claims that infection requires physical access to the target machine. "
 
If they have to have physical access anyway, couldn't they just move the jumper?

"A slideshow produced by Hacking Team and available to view through leaked emails claims that infection requires physical access to the target machine. "

And this is where I go "Meh." If they have physical access, then your PC is compromised, the end.
 
Many only trust the MS keys, in my experience, forcing the disable of secure boot to use Linux, which is fine by me as it means the TPM won't decrypt the BitLocker drive.

That is more likely an issue with that vendor's implementation. I've seen several systems where you have to disable it to get the install started but once you've installed linux or whatever signed OS you want to install you can re-enable it and it will accept it.
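The two posts above describe the TPM refusing to release the BitLocker key once Secure Boot is toggled, and accepting it again once it is re-enabled. The following simulation, added here as an example (not code from the article, Microsoft or any TPM vendor), shows the mechanism: firmware extends its Secure Boot configuration into PCR 7, the register is one-way, and a key sealed to the "enforcing" value is simply not released for any other value. The event data is constructed; BitLocker's default profile on UEFI systems also includes PCR 11, which is omitted here, and a real event log would be read from /sys/kernel/security/tpm0/binary_bios_measurements rather than built in a script.

```python
"""Why a TPM-sealed disk key stops being released when Secure Boot is toggled.

Added example for this thread, not code from the article, Microsoft or any
TPM vendor. Simulates the SHA-256 PCR bank of a TPM 2.0 and a key sealed to
PCR 7, the register firmware extends with its Secure Boot configuration.
All event contents below are constructed stand-ins, not real measurements.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_INIT = b"\x00" * 32  # SHA-256 bank PCRs reset to all-zero at power-on


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new = SHA-256(old || digest). Order matters and it cannot be undone."""
    return hashlib.sha256(pcr + digest).digest()


def replay_events(events: List[Tuple[str, bytes]]) -> bytes:
    """Replay an ordered event list into a single PCR, as firmware does during boot."""
    pcr = PCR_INIT
    for _description, data in events:
        pcr = pcr_extend(pcr, hashlib.sha256(data).digest())
    return pcr


def secure_boot_events(secureboot_on: bool) -> List[Tuple[str, bytes]]:
    """Constructed stand-in for the EV_EFI_VARIABLE_DRIVER_CONFIG events firmware logs to PCR 7."""
    return [
        ("SecureBoot", b"\x01" if secureboot_on else b"\x00"),
        ("PK", b"constructed platform key"),
        ("KEK", b"constructed key exchange key"),
        ("db", b"constructed db: Microsoft and OEM certificates"),
        ("dbx", b"constructed dbx revocation list"),
    ]


class SealedKey:
    """Toy model of a TPM policy-sealed blob: released only when the PCR matches."""

    def __init__(self, key: bytes, expected_pcr: bytes) -> None:
        self.expected_pcr = expected_pcr
        self._key = key

    def unseal(self, current_pcr: bytes) -> Optional[bytes]:
        if hmac.compare_digest(current_pcr, self.expected_pcr):
            return self._key
        return None


def boot_sequence() -> List[Tuple[str, bool]]:
    """Seal at install time with Secure Boot on, then boot with it on, off, and on again."""
    volume_key = b"constructed 32-byte volume master key, padded!"[:32]
    sealed = SealedKey(volume_key, replay_events(secure_boot_events(True)))
    results: List[Tuple[str, bool]] = []
    for label, sb_on in [("secure boot on", True),
                         ("secure boot off", False),
                         ("secure boot back on", True)]:
        released = sealed.unseal(replay_events(secure_boot_events(sb_on)))
        results.append((label, released == volume_key))
    return results


if __name__ == "__main__":
    for label, ok in boot_sequence():
        print(f"{label:20s}: {'key released' if ok else 'recovery key needed'}")
```

The third step is the point the reply makes: because the measurement is a deterministic replay of the same variables, re-enabling Secure Boot with the same PK/KEK/db/dbx restores the same PCR 7 value and the key is released again. Enrolling a different key set (a vendor-specific db, for instance) changes the digest even with Secure Boot on, which is why a fresh seal is needed after such a change.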
 
What convenience? It's been a PITA trying to boot USB flash live Linux compared to traditional BIOS.
Yep, and I thought that UEFI was supposed to make this easier and better and more reliable than booting through BIOS.
 
Yes, this is pretty much a non-story since they have to be able to sit in front of a machine and conduct a series of operations that would take no little amount of time to complete. Most people will read one or two lines of the story and conclude that this is something you can pick up while web browsing... Lol...;)

This is what so-called "security companies" do--spread FUD among the n00bs...I guess their sales are flagging. If anything, it reinforces just how tight UEFI secure-boot is--because you can't break it unless you're sitting right in front of it yourself and already have access to the machine...
 
Yep, and I thought that UEFI was supposed to make this easier and better and more reliable than booting through BIOS.

The change was to prevent the 95th-percentile user from being able to run a demo OS off a USB stick by requiring them to go into their BIOS.

I have a cheap lenovo where to even get to that BIOS feature requires much more and it is a rain dance that would in no way be obvious. And also has to be undone for Windows to run correctly afterward.

It's by no means a complete block against other OSes, but it creates a high level of friction against doing it, ruling out most people.
 
No it's not, we should have learned our lessons by now. A physical jumper is the only way to ASSURE Security. Anything less is hackable by someone.

Hate to say it, but I totally agree.
If someone can get their hands on that jumper switch, they own the hardware already.

While a slight inconvenience, this would be faaaar more secure than what we are using now.
Ah, the good old days. :cool:
 
Why the FUCK is the BIOS ROM flash-able without the user having to move a jumper on the motherboard to allow writing?

Seriously, Intel and the rest are as pathetic at security as the software companies are.

We have Building and Fire codes, time for the State to require basic Security codes.

The article states that you must have physical access and the payload on media (USB), and need to dump the BIOS and perform a few reboots, so your jumper theory/requirement is out the window as the attacker needs physical access.

FDE could prevent access to the volume, and this attack seems aimed at NTFS (Windows) systems.
 