
Firmware, Controllers, and BIOS: Subterranean Malware Blues

Early in the 20th century, the pioneers of psychology, Sigmund Freud and Pierre Janet, introduced the revolutionary concept of an “unconscious” or “subconscious” mind. The idea was that we have a “mind-within-the-mind,” an underlying consciousness keeping track of all the things just under the surface of our consciousness that we didn’t have room for, or didn’t want to acknowledge, during our waking day. This hidden subterranean mind was often blamed for all sorts of problems and maladies.

There is a similar, but very tangible underworld in computer science, and despite it being well-documented, it remains one of the most vulnerable areas in information security today. To extend the “mind-within-the-mind” analogy, there are computers within our computers that are largely beyond the scope of security, yet control everything we think we know about the device. 

The Basic Input/Output System (BIOS) in our laptop, the hardware controller that runs the disk, and the Baseboard Management Controller (BMC) in our servers are all little computers that sit below the operating system and in some cases can act independently of the core CPU itself. These are the backdoors into the computer that, if compromised, can subvert everything we know from the operating system.

To the BIOS and beyond

Rootkits are powerful tools in an attacker’s arsenal that are designed to give the attacker control of the victim system without being detected by antivirus or other security software on the host. Often this malware is in a fight with antivirus to see who can get the lowest, most trusted access to the operating system. However, as attackers have increased in sophistication, they realized they can get lower than the operating system itself, by going to the BIOS. 

The BIOS is an ideal location for malware, because not only is it ignored by most AV products, it remains untouched even when the operating system is wiped and reinstalled. Given that many organizations simply re-image infected machines, a BIOS rootkit could easily survive the re-imaging process. Not only does the BIOS run below the level of the operating system, but its firmware is rarely updated. This means that any vulnerabilities are likely to remain available to an attacker, and that any code installed there won’t be overwritten.

The little computer that runs your hard drive

Often we think of our hard drives as a big chunk of storage and nothing more. However, if you look at the bottom of a laptop hard drive, you will notice that big chunk of storage has a circuit board. This is the hard disk controller and comes with its own memory and firmware that controls the low-level operation of the disk. 

If an attacker were able to compromise the firmware of the disk controller, then he could control the disk in ways even the operating system would be blind to. Early last year, attackers were discovered doing just that. This allows an attacker to hide documents in a way that avoids encryption, and even to create hidden areas within the drive that the operating system won’t report on. Just as importantly, the firmware persists even through software and operating system updates applied to the machine.

The hardwired backdoor into your data center

No, BMC does not stand for the “big man on campus” but the Baseboard Management Controller does play a critically important role in servers. For server hardware, the BMC is quite literally the “computer-within-the-computer,” with its own processor, memory, and networking stack. Being independent of the main server hardware, it is even lower than the BIOS. It has the all-important job of monitoring and managing the fundamental health of the system such as internal temperature, fan speeds, and the operating system itself. 

However, the BMC is only half of the solution. Administrators need to manage large numbers of servers, and it’s impractical to physically connect to a server with a console cable every time they need to check on it. This is where the Intelligent Platform Management Interface (IPMI) comes into play. IPMI is a protocol that administrators use for remote out-of-band server management. Each hardware vendor has its own branded version of IPMI, but they are largely equivalent.

The danger of IPMI is tied to its power. IPMI can be used to mount virtually any disk image, and replace the operating system if necessary. To do so, IPMI and the BMC work even when the main server processors aren’t running, or even when the server is powered down. The only way to disable it completely is to physically unplug the server from power. 

While IPMI offers god-like power over the server, it is typically not very well-secured or monitored. Default passwords are well-known, all too often used, and IPMI access is rarely logged. This means attackers can quickly guess the password or brute-force their way in without detection. Once the attacker gains access to the BMC, he can control every layer of abstraction including the host operating system, any guest virtual machines, and their workloads.
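As an added defender-side example (not code from the column or its author), the following Python audit parses constructed `ipmitool user list 1` and `ipmitool lan print 1` output and flags the weak settings the paragraph describes: privileged accounts reachable over IPMI whose passwords should be checked against vendor defaults, an enabled authentication type of NONE, and cipher suite 0 (no authentication, integrity or confidentiality) being permitted. The column layout of the two outputs is assumed from ipmitool's text format; the sample values are constructed.

```python
# Constructed sample of `ipmitool user list 1` output (layout assumed from ipmitool).
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
"""

# Constructed sample of `ipmitool lan print 1` output (same assumption).
LAN_PRINT = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Operator : NONE MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
IP Address              : 192.0.2.10
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
"""

def parse_users(text):
    """Return one dict per user row; the name column may be empty."""
    users = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # header or blank line
        i = next(k for k, t in enumerate(tok) if t in ("true", "false"))
        users.append({"id": int(tok[0]), "name": " ".join(tok[1:i]),
                      "ipmi_msg": tok[i + 2] == "true", "priv": " ".join(tok[i + 3:])})
    return users

def parse_lan(text):
    """Return ({privilege level: [auth types]}, cipher-suite privilege string)."""
    auth_enable, cipher_priv, key = {}, "", None
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(":")]
        if parts[0]:
            key = parts[0]  # continuation lines start with ':' and keep the key
        if key == "Auth Type Enable" and len(parts) >= 3:
            auth_enable[parts[-2]] = parts[-1].split()
        elif key == "Cipher Suite Priv Max":
            cipher_priv = parts[-1]  # one char per suite 0..14; 'X' = disabled
    return auth_enable, cipher_priv

def audit(user_text, lan_text):
    """List findings a reviewer should act on for this BMC channel."""
    findings = []
    for u in parse_users(user_text):
        if u["ipmi_msg"] and u["priv"] == "ADMINISTRATOR":
            findings.append(f"user {u['id']} ({u['name'] or '<unnamed>'}) is ADMINISTRATOR "
                            "over IPMI: verify the password is not the vendor default")
    auth_enable, cipher_priv = parse_lan(lan_text)
    for level, types in auth_enable.items():
        if "NONE" in types:
            findings.append(f"auth type NONE is enabled for the {level} level")
    if cipher_priv and cipher_priv[0] != "X":
        findings.append("cipher suite 0 (unauthenticated) is enabled")
    return findings
```

Run the same audit over every BMC in an inventory and ship the findings to the SIEM; that gives the logging the paragraph says IPMI usually lacks.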

It is somewhat ironic to consider that even with all the worry and effort expended on securing virtualized environments, one of the biggest vulnerabilities lies in the physical hardware itself. This is true not just in the data center, but in our laptops as well. The underlying firmware, controllers, and BIOS can undercut what we think we know about a given device. Increasingly, the “computer-within-the-computer” is where the real action for an attacker is.
Wade Williamson is Director of Product Marketing at Vectra Networks. Prior to joining Vectra, he was a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.