
Would someone please explain how the firmware dumps of the infected computer are being made?

Is it true that if you control the firmware, then you control what the dumps of that firmware will look like? The only way I can imagine getting a clean dump of that machine is by desoldering the chips and imaging them via some specialized tool. If the machine's firmware is rooted, how can you trust any signal the machine sends, especially firmware dumps? The virus could trivially hide itself by detecting a firmware dump is in progress and sending a decoy (clean) image.




A system's BIOS image is usually written to an EEPROM chip, and they are often removable. So you can either just pop them out, or desolder them in the worst case.

Then you can use an external EEPROM reader that can dump the contents, but is not capable of running the code.

The EEPROM is storage only; its contents are loaded by the PC at boot. So if it is removed, there is no processing that can occur internally that can mask the data inside of it.

-----
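
Added example, not part of any comment in this thread: one way to use the external-reader approach described above is to compare the image read off the removed chip with a dump taken from the running machine and list the blocks where they disagree. The 4 KiB block size, the function names and the sample images are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 4096  # assumed erase-block size; adjust to the actual flash part


def differing_ranges(external: bytes, in_system: bytes, block: int = BLOCK):
    """Return [(start, end)] byte ranges (end exclusive) where the images differ."""
    if len(external) != len(in_system):
        raise ValueError(f"image sizes differ: {len(external)} vs {len(in_system)}")
    ranges = []
    for off in range(0, len(external), block):
        if external[off:off + block] != in_system[off:off + block]:
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], off + block)  # extend adjacent run
            else:
                ranges.append((off, off + block))
    # Clamp the last range in case the image is not a multiple of the block size.
    return [(s, min(e, len(external))) for s, e in ranges]


def compare_dumps(external: bytes, in_system: bytes, block: int = BLOCK):
    """Summarise an external-programmer read against an in-system dump."""
    return {
        "external_sha256": hashlib.sha256(external).hexdigest(),
        "in_system_sha256": hashlib.sha256(in_system).hexdigest(),
        "match": external == in_system,
        "differing_ranges": differing_ranges(external, in_system, block),
    }


def make_sample():
    """Constructed 64 KiB images: the in-system dump omits bytes present on the chip."""
    in_system = bytearray(b"\xff" * (16 * BLOCK))
    in_system[0:4] = b"BOOT"
    external = bytearray(in_system)
    external[5 * BLOCK + 10:5 * BLOCK + 20] = b"\x90" * 10   # block 5
    external[6 * BLOCK:6 * BLOCK + 4] = b"\x00\x01\x02\x03"  # block 6 (adjacent)
    external[12 * BLOCK + 100] = 0x42                        # block 12 (isolated)
    return bytes(external), bytes(in_system)


if __name__ == "__main__":
    ext, ins = make_sample()
    report = compare_dumps(ext, ins)
    print("match:", report["match"])
    for start, end in report["differing_ranges"]:
        print(f"differs: 0x{start:06x}-0x{end:06x}")
```

A mismatch is a lead rather than a verdict: regions the firmware rewrites during normal operation, such as settings storage, also differ between reads taken at different times.

-----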


ROM is Read Only Memory. If it's read only, how could it become infected?

EDIT: Sorry for being unclear. I'm aware EEPROM can be overwritten. But presumably that requires special privileges, or a special circumstance (like the user physically holding some button on the motherboard during bootup, or something). The article isn't at all clear how it's possible to write a program that escalates its privileges to such an extent that it can then overwrite EEPROM. Is it really possible? How?

-----


EEPROM -

Electronically Erasable Read Only Memory

It's re-programmable (i.e. by re-flashing it).

edit: I should add that motherboard manufacturers could prevent this type of attack by "locking" the BIOS for flashing unless it was explicitly unlocked by changing a setting in the BIOS menu (some have this already, I believe). The problem at the moment is that the BIOS is writable at all times, even when the OS is running. This makes BIOS updates easier (i.e. you can make a Windows application that can do so, for example), but the problem is that this allows ANY process with Admin access to alter the BIOS as well.

-----


> The problem at the moment is that the BIOS is writable at all times, even when the OS is running. This makes BIOS updates easier (i.e. you can make a Windows application that can do so, for example), but the problem is that this allows ANY process with Admin access to alter the BIOS as well.

I'm speechless that this horrible idea was ever taken seriously, much less implemented. That answers my question as to how a BIOS could become infected.

I'm seriously sitting here in shock. How could any hardware manufacturer think it was a good idea to let a userspace program permanently alter EEPROM, ever? One does not need to be very intelligent to realize hackers will hack that.

This brings us full circle to the original question, though: Did the security researcher write a program to dump the contents of EEPROM rather than desoldering the chips? If so, then he may have been hoodwinked by the virus.

-----


> How could any hardware manufacturer think it was a good idea to let a userspace program permanently alter EEPROM, ever?

Because most hardware manufacturers are selling to consumers and not cypherpunks.

-----


> This brings us full circle to the original question, though: Did the security researcher write a program to dump the contents of EEPROM rather than desoldering the chips? If so, then he may have been hoodwinked by the virus.

Is this different than getting a dump of the BIOS before flashing it? Are we talking about different chips on the motherboard?

-----


Flashing BIOS used to require a hardware manipulation - like moving a jumper or a dip switch. I hope this is still the case?

-----


SecureBoot implies that firmware installed by running OS must be signed too.

-----


That may not work if your Secureboot implementation is buggy.

The '80s solution to this problem was way easier, and it worked: a switch on the motherboard required physical access to the machine to flash its firmware.

-----


Physical switches are expensive.

-----


Jumpers are not expensive. You've already got dozens of the same kind of pin inside of every classic IDE and floppy connector on a motherboard.

-----


Not "just" ROM, EEPROM (Electrically Erasable Programmable) Read Only Memory.

http://en.wikipedia.org/wiki/EEPROM

-----


As the article states, it is a holdover term from a time they were Read only.

-----



