Bios Vulnerabilities

BIOS security is a unique part of cybersecurity because despite the independence of the BIOS program on the hard drive of a system, hackers can still run certain malicious codes to attack the BIOS of any computer using ransomware or some other known vulnerabilities in the BIOS security.

WHAT IS BIOS?

BIOS is the short form of a Basic Input / Output System, the BIOS is a Read Only Memory(ROM) chip found on the motherboard that allows setup and access to the computer system on a basic level. Instructions on how to load basic computer hardware are included in the BIOS. In computing, the BIOS is firmware, used to perform hardware initialization and provide services for operating systems and other programs. The BIOS comes pre-installed on the system’s motherboard and the function is executed when the computer is powered up. Before the Operating system is loaded, the BIOS is accessed by the CPU to examine all the hardware connections and detect any faults with the computer before booting.

The main function of the BIOS is to set up the hardware and start an Operating System(OS), as it contains a code that controls screens, mouse pad, keyboards and other probable functions of the computer hardware. The BIOS is an inbuilt software that controls the hard drive and cannot be stored on one. It cannot be stored in the Random Access Memory as it should be accessed before the computer boots up. It is stored in the Erasable Programmable Read Only Memory (EPROM) chip.

The BIOS is the first software that runs when a computer is powered up, to perform a series of initial test diagnostics such as the POST (Power On Self-Test), Bootstrap loader, Setup utility program and drivers. The BIOS software is available in most modern computer motherboards; therefore, the BIOS access integration and configuration are independent of any type of operating system (OS), which means that it can run on any type of system with varying operating systems like Windows 7, Windows 8, Windows 10. Windows 11, Windows XP, Unix, Windows Vista, Linux or even when there’s no operating system at all.

BIOS has two main types which are

  • Unified Extensible Firmware Interface(UEFI)

  • Legacy BIOS

The UEFI is more prominent in modern computers compared to the Legacy BIOS as it offers a wide range of features customization. Though there are only slight differences between both UEFI and the legacy BIOS as they both perform the same function. The BIOS functionality can be updated by the user through the BIOS user interface. The BIOS functionality provides: changes to system date and time, boot device, system hardware configuration, setting system or BIOS passwords. There has been an increase in BIOS functionality and size with each generation of computer hardware. The UEFI(Unified Extensible Firmware Interface) has been made as an alternative to the BIOS on 64 bit computers, Linux kernel 2.6.1 or newer and x86 or intel chipped mac devices.

Vulnerabilities refers to any weakness or flaw in an information system, internal controls or systems procedures of an organisation which can be used as a method of exploitation to the security system of the organisation. The vulnerability has the potential of being used as a threat leverage against the subject.

BIOS vulnerability is hence defined as any flaw in the BIOS security of any device that can be exploited by hackers to gain illegal access to the BIOS. Taking UEFI as a case study due to its prominence among modern computers. With many issues surrounding the usage of UEFI firmware, and how easy it is to install rootkit on the system, various vulnerabilities and attack vectors have been considered. These attack vectors and vulnerabilities can be classified into various groups as an attacker can violate security boundaries and install rootkits or advanced persistent implants. The vulnerabilities can be divided into two major groups: Post- Exploitation and Supply Chain Compromise.

The diagram above is a description of the groups in the BIOS vulnerabilities, majorly for UEFI.

Let’s start with the POST-EXPLOITATION class in the diagram Fig.1

Secure Boot Bypass - this part focuses on compromising only the secure boot process instead of completely compromising the whole root window (exploiting Root of Trust) or opening a vulnerability in one of the boot stages before the Operating system loads. Secure boot bypass can occur in any of the boot stages and can be used as a leverage by the attacker against the other boot stages.

SMM Privilege Escalation - SMM means (System Management Mode). SMM has a lot of power on the 32-bit or x86 hardware, as almost all SMM issues on privilege escalation lead to code execution issues. Before a successful BIOS implantation installation, privilege escalation to SMM is an important part of the final stage.

UEFI Firmware Implant - this is the final phase of the advanced persistent threat in a BIOS implant installation. It can be installed as a legitimate standalone driver (DXE, PEI) or as a module.

Non-Persistent Implant - in this case, a BIOS does not complete a full reboot or shutdown process but can complete sleep or hibernate cycles. This can be used to deliver malicious payloads to the memory isolation channel.

The Post-Exploitation vulnerabilities are prominent for installation issues and persistent or non-persistent implant after a successful exploitation in the previous stages. But the Supply Chain Compromise is a scenario where vulnerabilities or security issues occur from the mistakes of the BIOS development team or deliberate software misconfigurations left as attack channels to bypass the platform’s security features.

Hardware and firmware misconfiguration becomes a very important attack vector in cases where the user cannot monitor physical access to the hardware, such as search points or leaving the laptop in a room with general access to people which provides opportunities for BIOS implant. Examples of these attacks include hard drive cloning, full disk encryption, or hardware implant installation.

Protections Misconfiguration - misconfiguration of technological protection happens during development or post-production process.

Non-Secure Root of Trust - Root of trust can be compromised from the Operating Sytem through its interaction with the firmware.

Malicious Peripheral Devices - malicious hardware devices can be implanted during the production or delivery phases. These devices can be used as a vulnerability and can be used to attack or monitor the users operation.

Unauthenticated BIOS Update - for broken authentication processes in the BIOS update. Some vendors deliberately alter the update disk images and setups so that it will not indicate updates and security patches when available.

Outdated BIOS with known Security Issues - a very common security failure of the BIOS firmware continuous usage of outdated vulnerable codes by the BIOS developers even after the security patches have been patched.

The supply chain compromise is very difficult to fix as there should be stringent regulations on development and production cycles. As most companies hardly bother with the security of the BIOS updates they make available to the public.