[Nottingham] badBIOS - hoax? Mistake? Or time to panic and flap about?

Martin martin at ml1.co.uk
Thu Oct 31 18:43:42 UTC 2013


On 31/10/13 18:11, Jason Irwin wrote:
> I am nowhere near qualified to ascertain the veracity of this, but it's
> a good read in cloak-n-dagger kind of way.
> 
> http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
> 
> It almost seems too perfect and too complex to be true. Surely anything
> with that level of sophistication is going to be, well, large. Isn't it?

Indeed so... As was the case with Stuxnet and the other cloak'n'dagger
targeted sabotage malware agents.

I don't believe the journalistic Halloween story funkiness...

However...


On PC hardware, ALL USB devices are considered *completely trusted*
hardware. There is no security whatsoever. Crazy!

Hence, you can plug in a USB device and part of the startup protocol can
have *code downloaded* and executed to do anything... That can be either
instigated by the BIOS code, or by the OS code.

So... Add a programmable device to your innocent looking mouse and
take over the host machine. "Simple".

For example, there is 'boot' code included in some USB memory sticks
that automatically run code downloaded from the memory stick to do
'clever' things such as encryption or to fake additional partitions...
And whatever else...

Note:

http://www.usb.org/developers/defined_class

USB defines class code information that is used to identify a device’s
functionality and to nominally load a device driver based on that
functionality...

And quite a few BIOSes now even include automatic-no-user-intervention
reflash the firmware upon detecting a USB memory stick with a certain
filename on there...

And you thought you were just plugging in an innocent USB mouse...?


Hence, for my areas and for years now, the use of memory sticks is
completely banned. They should not be needed and they are too much of a
security risk. Even just for an office, for the disruption potential
alone.

Quite a sloppy mess...


Cheers,
Martin

-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
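Added example, not part of Martin's message: a small defender-side check of what a USB device actually advertises through its interface class codes, the same class/subclass/protocol triples the usb.org table referenced above defines. It assumes the Linux sysfs layout for the optional loader (`/sys/bus/usb/devices/<dev>/<dev>:*/bInterfaceClass` etc.), uses only a subset of the class table, and the sample devices are constructed, not captured from real hardware.

```python
"""Audit what a USB device advertises via its interface class codes (added example)."""
from dataclasses import dataclass
from pathlib import Path
# Subset of the USB-IF base class codes from the usb.org defined_class table.
CLASS_NAMES = {0x01: "audio", 0x02: "cdc", 0x03: "hid", 0x08: "mass-storage",
               0x09: "hub", 0x0E: "video", 0xFF: "vendor-specific"}
HID_BOOT_PROTOCOLS = {1: "keyboard", 2: "mouse"}  # HID boot subclass (1) protocols
@dataclass
class Interface:
    cls: int      # bInterfaceClass
    subcls: int   # bInterfaceSubClass
    proto: int    # bInterfaceProtocol
@dataclass
class Device:
    product: str
    interfaces: list

def describe(iface: Interface) -> str:
    """Label one interface from its class triple; unknown classes stay as raw hex."""
    name = CLASS_NAMES.get(iface.cls, f"class-0x{iface.cls:02x}")
    if iface.cls == 0x03 and iface.subcls == 1:
        name += "/" + HID_BOOT_PROTOCOLS.get(iface.proto, "boot")
    return name

def audit(dev: Device) -> list:
    """Return policy findings; an empty list means the device offers only what it claims."""
    kinds = [describe(i) for i in dev.interfaces]
    findings = []
    if "mass-storage" in kinds:
        findings.append("mass-storage interface present (memory sticks not allowed)")
    if "mouse" in dev.product.lower() and any(k != "hid/mouse" for k in kinds):
        findings.append("claims to be a mouse but offers: " + ", ".join(kinds))
    if any(k.startswith(("vendor-specific", "class-0x")) for k in kinds):
        findings.append("undocumented/vendor-specific interface, review before allowing")
    return findings

def load_from_sysfs(dev_dir: Path) -> Device:
    """Read a device from Linux sysfs, e.g. Path('/sys/bus/usb/devices/1-2') (assumed layout)."""
    def hexfile(p: Path) -> int:
        return int(p.read_text().strip(), 16) if p.exists() else 0
    product = (dev_dir / "product").read_text().strip() if (dev_dir / "product").exists() else ""
    ifaces = [Interface(hexfile(d / "bInterfaceClass"), hexfile(d / "bInterfaceSubClass"),
                        hexfile(d / "bInterfaceProtocol"))
              for d in sorted(dev_dir.glob(f"{dev_dir.name}:*"))]
    return Device(product, ifaces)

PLAIN_MOUSE = Device("Optical Mouse", [Interface(0x03, 1, 2)])  # constructed samples, not real hardware
SUSPECT_MOUSE = Device("Optical Mouse", [Interface(0x03, 1, 2), Interface(0x03, 1, 1),
                                         Interface(0x08, 6, 0x50)])  # + keyboard + disk
MEMORY_STICK = Device("Flash Disk", [Interface(0x08, 6, 0x50)])
```

Class codes only say what the device claims; a HID interface's real behaviour lives in its report descriptor, so treat this as a first screen before allow-listing, not proof of innocence.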