LightEater malware attack places millions of unpatched BIOSes at risk

Two minutes is all it takes to completely destroy a computer. In a presentation entitled "How many million BIOSes would you like to infect?" at security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments.

The attack could be used to render a computer unusable, but it could also be used to steal passwords and intercept encrypted data. The problem affects motherboards from companies including Gigabyte, Acer, MSI, HP and Asus. It is exacerbated by manufacturers reusing code across multiple UEFI BIOSes, and it places home users, businesses and governments at risk.


Talking to The Register, Kovah explained that the problem is made worse because very few people take the trouble to update their BIOS. This is something the pair are hoping to change by highlighting the ease with which an unpatched BIOS can be infected with malware.

Introducing the vulnerability, Kallenberg and Kovah said:

So you think you're doing OPSEC right, right? You're going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn't care! BIOS malware doesn't give a shit!

The malware can be used to infect huge numbers of systems by creating SMM (System Management Mode) implants which can be tailored to individual BIOSes with simple pattern matching. A BIOS from Gigabyte was found to be particularly insecure.

We didn't even have to do anything special; we just had a kernel driver write an invalid instruction to the first instruction the CPU reads off the flash chip, and bam, it was out for the count, and never was able to boot again.

The vulnerability is something that has already been exploited by the NSA, but the researchers are encouraging businesses and governments to take the time to install BIOS patches that plug the security hole.

18 Responses to LightEater malware attack places millions of unpatched BIOSes at risk

  1. Slavic says:

    Failure of the BIOS shouldn't be a fatal problem: many boards have a fail-safe switch which allows using the original BIOS instead of the last flashed one, then it's possible to re-flash the damaged BIOS. Of course, a virus can behave in a trickier way and, instead of invalid CPU code, do something else and hide its presence as much as possible. Whether current anti-malware tools are able to find it is another question.

    • Soyweiser says:

      I recall it is pretty hard to detect an infected BIOS from inside a running system. (And it should be, if the malware is well written). So I would not depend on anti-malware tools. The hidden malware is the real danger. With a bricked machine at least you know it is broken. And the cost to replace a motherboard is minor compared to the cost of replacing your identity, or the money in your bank account.

      Good tip with the fail-safe switch remark. That should solve some problems for people who might get infected.

  2. smist08 says:

    Most people don't update their BIOSes because it usually isn't easy. You have to search out the update on the Internet and then the sites are very confusing with lots of warnings that if you do the wrong thing you will brick your computer. Apple devices update this as part of their operating system update process, but you can only do this if you control the hardware and the software. My Garmin watch does this as well. Updating PC BIOSes has always been hard and not very well supported.

    • MrL0g1c says:

      Most people don't update their BIOS because it's not generally considered a vulnerability vector and is completely unnecessary most of the time. My BIOS is about 3 years old and I don't think there are any updates even though it's a popular board.

      • ajft says:

        It isn't helped by confusing and often near-gibberish instructions from the vendors. Even when you do want to update the BIOS you can find yourself with the computer vendor telling you to go to the motherboard vendor's site, the motherboard vendor telling you to go to the BIOS vendor's site, and the BIOS vendor telling you to contact your motherboard vendor. I've got one system at home with a BIOS that has had two updates, both around 4M in size. The vendor website insists that there's a third update -- 8M in size -- for that model motherboard, but the motherboard only has a 4M ROM.

  3. Not everyone has an option to update their BIOS. There are literally millions of systems out there with EOL motherboards that haven't seen a BIOS update produced in years. I guess it's time for them to buy a new PC.

  4. MrL0g1c says:

    Not one word on how the infection actually occurs, being a BIOS infection I would have assumed that physical access to the inside of the PC is needed.

  5. William Warren says:

    ah yes...uefi..the system that runs a separate OS from your bios chip was ultimately secure right? Windows 100 locks out Linux in the name of security...except when it isn't. The old bios sure looks quite a bit better now..:)

  6. John C says:

    Just for the sake of argument there have been unofficial BIOS updates in the past.
    And you could probably have one made for your board if you look in the right place.

  7. internetworld7 says:

    Thank goodness I'm on a Mac :-)

© 1998-2020 BetaNews, Inc. All Rights Reserved.