Intel firmware boot verification bypass enables low-level backdoors
By replacing a PC's SPI Flash chip with one that contains rogue code, an attacker can gain full, persistent access
13 May 2019
Researchers have found a new way to defeat the boot
verification process for some Intel-based systems, but the technique can
also impact other platforms and can be used to compromise machines in a
stealthy and persistent way.
Researchers Peter Bosch and Trammell Hudson presented a
time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of
Intel’s reference Unified Extensible Firmware Interface (UEFI) implementation
at the Hack in the Box conference in Amsterdam this week.
Boot Guard is a technology that was added in Intel Core 4th
generation microarchitecture – also known as Haswell – and is meant to provide
assurance that the low-level firmware (UEFI) has not been maliciously modified.
It does this by checking that the loaded firmware modules are digitally signed
with trusted keys that belong to Intel or the PC manufacturer every time the
Bosch, an independent researcher and computer science
student at Leiden University in the Netherlands, discovered an anomaly in the
Boot Guard verification process while he was trying to find a way to use the
open-source Coreboot firmware on his own laptop. In particular, he noticed that
after the system verified the firmware and created a validated copy in cache,
it later re-read modules from the original copy located in the Serial
Peripheral Interface (SPI) memory chip – the chip that stores the UEFI code.
This is not correct behaviour, because the system should
only rely on the verified copy after the cryptographic checks are passed. This
made Bosch think there might be an opportunity for an attacker to modify the
firmware code after it has been verified and before it is incorrectly re-read
from SPI memory. He took his findings and an early proof-of-concept implementation
to Trammell Hudson, a well-known hardware and firmware researcher whose
previous work includes the Thunderstrike attacks against Apple’s Thunderbolt
Hudson confirmed Bosch’s findings and the two worked together on an
attack that involves attaching a programming device to the flash memory chip to
respond with malicious code when the CPU attempts to reread firmware modules
from SPI memory instead of the validated copy. The result is that malicious and
unsigned code is executed successfully, something that Boot Guard was designed
While the attack requires opening the laptop case to attach
clip-on connectors to the chip, there are ways to make it permanent, such as
replacing the SPI chip with a rogue one that emulates the UEFI and also serves
malicious code. In fact, Hudson has already designed such an emulator chip that
has the same dimensions as a real SPI flash chip and could easily pass as one
upon visual inspection if some plastic coating is added to it.
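The check-then-reread flaw described above, reduced to a small runnable model. This is an added example, not code from the researchers, from Intel, or from the Tianocore reference implementation; it assumes a simulated SPI flash (a byte array whose second read can return different bytes, modelling an attached programmer or emulator chip), uses a FNV-1a hash as a stand-in for Boot Guard's signature verification, and all function and type names (`spi_flash_t`, `load_module_vulnerable`, `load_module_fixed`, `run_loader`) are hypothetical. The vulnerable loader verifies a cached copy and then re-reads the module from flash; the fixed loader uses only the bytes it verified.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_LEN 16

/* Constructed model of the SPI flash chip. A programmer attached to the chip
 * (or a rogue emulator chip) can answer a later read with different bytes than
 * the first one; that is the substitution the article describes. */
typedef struct {
    uint8_t first_read[MODULE_LEN];
    uint8_t later_read[MODULE_LEN];
    int reads;
} spi_flash_t;

static void spi_read(spi_flash_t *f, uint8_t *dst) {
    const uint8_t *src = (f->reads == 0) ? f->first_read : f->later_read;
    memcpy(dst, src, MODULE_LEN);
    f->reads++;
}

/* Stand-in for the signature check: FNV-1a over the module compared with a
 * known-good digest. Boot Guard verifies RSA signatures; the hash is a
 * constructed simplification so the example runs without a crypto library. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

static bool verify_module(const uint8_t *buf, uint32_t expected) {
    return fnv1a(buf, MODULE_LEN) == expected;
}

/* Vulnerable pattern: verify a cached copy, then re-read the module from SPI
 * before handing it to the caller. The second read is the TOCTOU window. */
bool load_module_vulnerable(spi_flash_t *f, uint32_t expected, uint8_t *out) {
    uint8_t cache[MODULE_LEN];
    spi_read(f, cache);
    if (!verify_module(cache, expected))
        return false;
    spi_read(f, out);            /* flash is consulted again after the check */
    return true;
}

/* Fixed pattern: once the check passes, only the verified cached bytes are used. */
bool load_module_fixed(spi_flash_t *f, uint32_t expected, uint8_t *out) {
    uint8_t cache[MODULE_LEN];
    spi_read(f, cache);
    if (!verify_module(cache, expected))
        return false;
    memcpy(out, cache, MODULE_LEN);   /* no second trip to the flash chip */
    return true;
}

/* Constructed module images: the signed one and a substituted one (15 chars + NUL). */
static const uint8_t GOOD_MODULE[MODULE_LEN]     = "signed-module!!";
static const uint8_t TAMPERED_MODULE[MODULE_LEN] = "rogue--module!!";

/* Runs one loader against a flash that serves TAMPERED on every read after the
 * first; the first read serves GOOD or TAMPERED as requested.
 * Returns 0 if the caller got the verified bytes, 1 if unverified bytes were
 * loaded, -1 if verification rejected the module. */
int run_loader(bool use_fixed, bool good_on_first_read) {
    spi_flash_t flash = {0};
    memcpy(flash.first_read, good_on_first_read ? GOOD_MODULE : TAMPERED_MODULE, MODULE_LEN);
    memcpy(flash.later_read, TAMPERED_MODULE, MODULE_LEN);
    uint32_t expected = fnv1a(GOOD_MODULE, MODULE_LEN);   /* the "trusted" digest */
    uint8_t out[MODULE_LEN];
    bool ok = use_fixed ? load_module_fixed(&flash, expected, out)
                        : load_module_vulnerable(&flash, expected, out);
    if (!ok)
        return -1;
    return memcmp(out, GOOD_MODULE, MODULE_LEN) == 0 ? 0 : 1;
}

int main(void) {
    printf("vulnerable loader, swap after check: %d (1 = unverified bytes reached the caller)\n",
           run_loader(false, true));
    printf("fixed loader, swap after check:      %d (0 = only verified bytes used)\n",
           run_loader(true, true));
    printf("either loader, tampered from start:  %d (-1 = rejected by the check)\n",
           run_loader(false, false));
    return 0;
}
```

The point the model makes is that the verification itself is sound (a module that is tampered from the first read is rejected by both loaders); the bypass exists only because the vulnerable loader trusts the chip a second time after the check. The fix Intel describes for its reference implementation is, in effect, the second loader: every later use must come from the copy that was verified.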
What are the implications of such TOCTOU attacks?
The Intel Boot Guard and Secure Boot features were created
to prevent attackers from injecting malware into the UEFI or other
components loaded during the booting process such as the OS bootloader or the
kernel. Such malware programs have existed for a long time and are called boot
rootkits, or bootkits, and attackers have used them because they are very
persistent and hard to remove. That is because they re-infect the operating
system after every reboot before any antivirus program has a chance to start
and detect them.
In its chip-swapping variant, Hudson’s and Bosch’s attack
acts like a persistent hardware-based bootkit. It can be used to steal disk
encryption passwords and other sensitive information from the system and it is
very hard to detect without opening the device and closely inspecting its
Even though such physical attacks require a targeted
approach and will never be a widespread threat, they can pose a serious risk to
businesses and users who have access to valuable information.
Such a physical compromise could occur in different ways,
for example in an evil-maid-type scenario where a high-value target, like a
company’s CEO, travels to a foreign country and leaves their laptop unattended
in their hotel room. Bosch tells CSO that replacing the SPI memory chip with a
rogue one designed to execute this attack would take 15 to 20 minutes for an
experienced attacker with the right equipment.
Another possibility is a supply chain attack, or the so-called
“interdiction” technique, where computer shipments are intercepted in
transit, for example by an intelligence agency, are backdoored and then
resealed to hide any tampering. The documents leaked by Edward Snowden showed
that the NSA uses such techniques, and it is likely not the only intelligence
agency to do so.
Some devices do have tamper-evident seals or mechanisms, but
someone with the right resources and knowledge can easily bypass those defences,
Bosch tells CSO.
Malicious employees could also use this technique on their
work-issued laptops to either bypass access controls and gain administrator
privileges or to maintain access to the company’s data and network after they
leave the company. Such a compromise would survive the computer being wiped and
being put back into use.
There have been several cases over the years of economic
espionage where employees working for various companies were caught stealing
trade secrets and passing them to foreign governments or to competitors.
What is the mitigation?
The two researchers notified Intel of their findings in
January and tell CSO that the chipmaker treated the issue seriously and
assigned a high severity to it. The company already has patches available for
its reference UEFI implementation — known as Tianocore — that it shares with
BIOS vendors and PC manufacturers. The researchers have not yet tested the
fixes, but at least based on the description they seem comprehensive and should
prevent similar attacks in the future.
The problem is that distributing UEFI patches has never been
an easy process. Intel shares its UEFI kit with UEFI/BIOS vendors who have
contracts with various PC manufacturers. Those OEMs then make their own
firmware customizations before they ship it inside their products. This means
that any subsequent fixes require collaboration and coordination from all
involved parties, not to mention end users who need to actually care enough to
install those UEFI updates.
The patches for the critical Meltdown and Spectre
vulnerabilities that affected Intel CPUs also required UEFI updates and it took
months for some PC vendors to release them for their affected products. Many
models never received the patches in the form of UEFI updates because their
manufacturers no longer supported them.
The two researchers plan to release their proof-of-concept
code in the following months as part of a tool called SPISpy that they hope
will help other researchers and interested parties to check if their own
machines are vulnerable and to investigate similar issues on other platforms.
“I would really like to see the industry move towards opening the source to their firmware, to make it more easy to verify its correctness and security,” says Bosch.
IDG News Service