2014 January

January 2014

BIOS Attacks Coming to a PLC or RTU near you

The Basic Input/Output System (BIOS) on all computing and embedded devices provides the firmware that governs how the device is to boot and function. The BIOS initializes and tests the system hardware components, and provides the mechanism for the computer to load a bootloader or an operating system from a mass memory device. The BIOS also provides an abstraction layer for the hardware so that the software or operating system running on the system communicates to the BIOS as a proxy to the hardware. BIOS software is stored in the non-volatile ROM chip on the motherboard, and is usually written as a custom firmware for the specific hardware it is installed in.  However, because of standardization in personal computer vendors, many vendors share common BIOS platforms.  Because of this standardization, there are a finite number of BIOS platforms on the market, and probably less than 100 in the world.

Because the BIOS operates outside of the operating system, and has access to all of the system hardware, inputs, and outputs, it makes an excellent location to hide low-level malware that will never be detected or be able to be removed by the operating system.  Although this topic of BIOS root kits and BIOS malware is gaining attention recently, hiding malware in the BIOS is not a new idea. In fact a recent article in Dark Reading (http://www.darkreading.com/advanced-threats/research-into-bios-attacks-underscores-t/240163919?cid=NL_DR_Weekly_240163919&elq=333fe90fb0304ad2baa2c50403ddb588) mentions that: “In 1998, the CIH, or Chernobyl, virus infected Windows 98 systems and attempted to reflash the BIOS, the basic input/output system, on vulnerabile motherboards. Since then, only a smattering of researchers and attackers have focused on attempting to compromise the low-level system components: In 2006, for example, a researcher demonstrated ways that the Advanced Configuration and Power Interface (ACPI) on newer motherboards could be used as a high-level language to infect the BIOS. The article goes on to say “A major part of the issue is that the developers who write code for BIOS, firmware, and embedded devices are generally not practiced in writing secure code, says Robert Graham, CEO of security consultancy Errata Security.”

Now take the above information into mind and translate that to what we know about embedded devices used in SCADA / ICS environments like PLCs (Programmable Logic Controllers) and RTUs (Remote Terminal Units).  These systems are usually designed by control system developers that typically are not trained in secure coding practices, and in many cases, they simply borrow or buy firmware from other 3rd party companies – many who operate in Asian countries.

My prediction is that there may already be BIOS rootkits, BIOS malware, and BIOS attacks already being developed by nation states with large pockets and access to the SCADA / ICS Supply Chain. I also predict that our own US government may be working on BIOS based malware. Time will only tell if my predictions come true, but I would bet that we have multiple devices already functioning in critical infrastructure applications around the world today that are either already infected with latent BIOS malware, or are susceptible to BIOS attacks.

Food for thought while you sip on your morning coffee…



Leave a Reply