Vulnerabilities in the BIOS mean that virtually all PCs are currently susceptible to malware. Security researchers at a security conference showed a proof-of-concept of such malware, which could infect 80 percent of PCs.
Since the malware is active at the bios level, the operating system used does not matter. In their presentation, the researchers show proof-of-concepts with both Windows 10 and Tails, the secure Linux-based operating system that wipes its tracks the moment it shuts down. With their method, the researchers were able to intercept a pgp key from Tails.
The proof-of-concept works because, according to the researchers, it exploits a security flaw in a mode for Intel’s x86 and “Intel 64” architectures. With that architecture, System Management Mode, or SMM, always has read/write access to all memory, even when Tails uses it. Malware can stealthily exploit that to read out the memory of an affected machine. The proof-of-concept is called LightEater and uses, among other things, Intel Serial Over LAN to infect the bios.
System Management Mode runs special software such as firmware and debuggers with elevated administrator privileges for applications such as power management, system component management, and so on. The Snowden revelations already showed that the NSA was misusing SMM in a similar way as the researchers now demonstrate.
For example, the infection can be through malicious email attachments if the system has a uefi program to update the bios. If this is not the case, physical access to a system is required, for example to initiate an infection with a USB stick. This could be done in two minutes, the researchers show.
The researchers contacted all manufacturers, but due to the amount of vulnerabilities in the bios of those manufacturers, not all of them responded. Dell has promised to patch the vulnerabilities and Lenovo also wants to fix the vulnerabilities. Other manufacturers of systems whose bios are said to be vulnerable are Asus, HP and LG.