By Joseph Menn
SAN FRANCISCO (Reuters) – A multi-year effort to prevent hackers from altering computers while they boot up has largely failed because of lax application of preventive steps, researchers say, despite disclosures that flaws are being exploited.
In the latest sign that the problem persists, researchers at the federally funded MITRE lab said this week that many customers of Intel Corp still had not adopted revised security designs Intel distributed in March after the MITRE team found new vulnerabilities in the start-up process.
That could mean many newer Windows computers remain exposed, the MITRE team told Reuters ahead of a presentation at the Black Hat security conference in Las Vegas next week.
Intel’s point person on the issue, Bruce Monroe, said he did not know how many suppliers and computer makers had followed Intel’s recommendations.
“We’re not privy to whether they’ve fixed it or not,” Monroe said. “We asked them to let us know.”
The stubborn glitches illustrates how such well-funded spying programs as those exposed by former National Security Agency contractor Edward Snowden can continue to succeed against targets that depend on a complex supply chain.
Long before Snowden’s documents began appearing the media, professional technicians and U.S. officials were concerned about the vulnerabilities that left computers severely exposed as they are turned on.
Years ago, then-U.S. National Security Agency Director Keith Alexander privately urged the chief executives of major American technology companies to do something about the boot-up procedure known as the Basic Input/Output System, or BIOS. BIOS relies on firmware, or permanent software that ships with computers.
Because the start-up code is given more authority than the operating system, hackers who break into that code can make major changes to programs and hide evidence of their presence. Lodging there also all but guarantees what the security industry calls persistence – the ability to remain inside even after a computer is turned off and rebooted.
Intel, Microsoft Corp and other companies promoted a successor system known as the Unified Extensible Firmware Interface that includes a feature called “secure boot,” which checks for digital signatures before running code. Microsoft’s Windows 8 operating system has embraced UEFI and secure boot, bringing the hardened approach to more than 60 million new computers.
Even as that rollout was accelerating, though, evidence accumulated that attacks similar to those theorized by researchers were actually under way.
In 2011, several research firms identified one such piece of malicious software, called Mebromi, that primarily attacked Chinese computers with a type of BIOS from leading supplier Phoenix Technologies Ltd [PHQUIP.UL].
Early last year, Reuters saw a catalogue from a U.S. defense contractor that included a product, offered at more than $100,000, for incapacitating target computers by attacking BIOS and other critical elements.
And in December, Der Spiegel reported that a leaked internal NSA catalogue described a tool called DeityBounce that attacked the BIOS of Dell Inc servers.
That came months after a presentation at last year’s Black Hat security conference in which MITRE researchers including Corey Kallenberg and Xeno Kovah broke into Dell’s boot-up process.
In a joint interview, Kallenberg and Kovah said that in the year since that talk, they had deployed sensors to about 10,000 computers to determine whether boot-ups were still vulnerable to that flaw or related issues. As of last month, 55 percent of them still were.
But the actual percentage of vulnerable machines in the world is even higher, because the MITRE group has not been checking for flaws stemming from the issues it found more recently with Intel’s old UEFI guidelines, which permitted an attack through memory corruption.
“That number is going to go up a lot,” Kovah said of the percent of affected computers.
Intel’s Monroe said that although his company, the BIOS makers and most of their customers were not used to distributing and installing fixes, improvements were coming, starting with a fledgling industry-wide incident response team led by Phoenix.
Kallenberg and Kovah said it would help if the National Institute of Standards and Technology moved beyond general warnings and provided links to verified fixes.
(Reporting by Joseph Menn; Editing by Ken Wills)