[ISN] The NSA as APT, and all your BIOS is belong to them

Forwarded from: Marjorie Simmons

A Friday muse for the equinox:

As everyone not living under a rock now knows, the NSA is an APT (advanced persistent threat): “[t]hrough covert partnerships with tech companies, the spy agencies have inserted secret vulnerabilities into encryption software.” http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

According to the materials The Guardian published online, in one of the briefings between the NSA and GCHQ to “celebrate their success at ‘defeating network security and privacy’”, the NSA’s material states: “For the past decade, NSA has lead an aggressive, multi-pronged effort to break widely used Internet encryption technologies”.

The ‘multi-pronged’ language makes sense, since traditionally one doesn’t simply rely on a single avenue of attack in an effort to undermine an enemy. So, in raping the sacred cow of crypto, what might one of the prongs be? What’s the path of least resistance? I had a recent reason to think about that, and decided on the BIOS.

A while back I was close to someone who turned out to be a conspiracy-theorist, (and I had quite enough of that, thank you very much), but there are instances when the adage that “just because you’re paranoid doesn’t mean they’re not out to get you” has a certain ring of truth to it. (I imagine all the conspiracy-theorists threw a “there is a god!” party when The Guardian published the recent news.)

In the last few weeks I was offered a BIOS update for an x64 i7 notebook built in 2011 which runs Windows 7. The BIOS is set up to optionally use UEFI (Unified Extensible Firmware Interface) boot mode, which on this machine is disabled by default. It also has an option for enabling Intel’s AMT (Active Management Technology), which is enabled by default and has an option to disable it, but no option to enable or disable the similar and dependent Computrace/LoJack anti-theft functions that are also burned into BIOS by the manufacturer.
I knew this machine had the LoJack modifications to the BIOS chip because the hardware manufacturer’s security software offers the use of LoJack within security setup once the user is already within the OS. Given the well-documented security threat that LoJack presents, one wants to disable it but cannot do so easily as one can with the precursor AMT, which is (or at least appears to be) more transparent. You never know though: Researchers can slip an undetectable trojan into Intel’s Ivy Bridge CPUs, http://arstechnica.com/security/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/.

For those unaware, the Computrace/LoJack product is anti-theft tracking software that periodically connects to Absolute Software’s servers (the makers/licensors of LoJack) to announce its location and to check to see if the machine has been reported stolen. It can report such things, besides georeferencing, as installed software and encryption status, and perform file retrieval. (http://www3.absolute.com/Shared/Datasheets/CT-MX-E.sflb.ashx)

The smart people who hacked it show how it can be reconfigured to further undesirable ends, see Deactivate the rootkit – Black Hat Vegas 2009 – Exploiting Stuff: http://web.archive.org/web/20120316214910/http://exploiting.wordpress.com/2009/09/11/138/, and The BIOS-Embedded Anti-Theft Persistent Agent that Couldn’t: Handling the Ostrich Defense – Core Security Technologies http://web.archive.org/web/20120226125347/http://blog.coresecurity.com/2009/08/11/the-bios-embedded-anti-theft-persistant-agent-that-couldnt-response-handling-the-ostrich-defense/.
LoJack (and some of its competitors’ products, of which there aren’t many) comes preinstalled in the BIOS of Acer, Asus, Dell, Fujitsu, Gateway, HP, Lenovo, Panasonic, Samsung, and Toshiba machines, among others, (product partners with model numbers are listed at http://www.absolute.com/en/partners/bios-compatibility.aspx, Intel’s anti-theft partners for consumer machines, including LoJack, are at http://www.intel.com/content/www/us/en/architecture-and-technology/anti-theft/anti-theft-service-providers.html and for business, including Computrace, are at http://www.intel.com/content/www/us/en/architecture-and-technology/anti-theft/anti-theft-service-providers-enterprise.html; notebook models supported are listed in http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/anti-theft-tested-platforms-support-datasheet.pdf).

While it wouldn’t make economic sense for Absolute to track a machine whose owner hasn’t paid the licensing fee, any rootkit exploiting LoJack’s weaknesses in the BIOS implementation would find it a neat way to own a machine while bypassing all OS-level protections, directing in-and-outbound traffic through servers of their choice. I’m confident the BIOS geeks at the NSA are tickled pink with it and are all up in its stuff, especially given the documented ownability of it