Why a software security suite isn’t enough

Hacker typing on a keyboard
(Image credit: Bigstock)

Many PC users and even many business IT decision makers believe that PC security begins and ends with anti-virus software and the built-in Windows Firewall. At best, they rely on their network-level measures and on a more comprehensive PC security suite. That's fine in the sense that internet security software will provide a good level of protection against intrusion and malware in its most common forms. Even free anti-virus programs score high marks in credible test lab reports, while the paid-for options will give you additional web protection features, a dedicated firewall and more.

Yet even the most advanced internet security suites have a problem: they can only protect the PC above the operating system layer. That's enough to protect your PC against mainstream attacks, but without protecting the firmware the BIOS that runs underneath. Unfortunately, that's exactly what a growing number of attacks are now targeting, and if those attacks are successful, the results can be catastrophic.

Attacking the BIOS

Why is firmware such a tempting target? Well, on a PC, it's the set of low-level instructions that load when your PC boots, providing the basic functionality needed to get the core components up and running, handle input and output and put everything in place for the operating system to launch. The problem is that it's still vulnerable. During bootup, System Management Mode is loaded into System Management RAM by the memory controller, where it's inaccessible to the operating system. If malware is injected into the BIOS and passed on to System Management Mode and the System Management RAM, it gains power over basic PC functions and is virtually undetectable.

This kind of attack takes concerted effort, but the benefits to the hacker make that effort worthwhile. As the firmware operates below the operating system level, the normal mechanisms for detecting malware can't monitor or examine it. If an attacker can replace the BIOS with a modified, infected version, it might operate for years, even indefinitely, before anyone realises it's been compromised. And because the firmware controls the whole system at a low level, firmware exploits are able to bypass OS-level security measures, attack other vulnerabilities and even act as a gateway for further malware. What's more, an infected firmware can easily brick' devices, rendering them completely inoperable.

Perhaps most worryingly, these attacks create a persistent platform for malware. You can clean viruses off the system, replace hard drives and even reinstall the operating system, but infected firmware can keep re-installing malware until the firmware itself is replaced. Like a creepy serial killer in an eighties horror movie, you can kill the malware a dozen times but it will keep on coming back.

The one good thing about firmware attacks is that they've historically proved relatively difficult to pull off, well beyond the capabilities of the average script- kiddie' hacker or off-the-shelf malware toolkit. As a result, many security specialists once regarded them as a theoretical threat rather than a practical concern. Sadly, that's no longer the case. Tools understood to have been developed by electronic surveillance specialists Hacking Team for the US National Security Agency have leaked out to the wider community. One includes features to replace the BIOS on PCs or servers, install further malware modules and provide stealth control functions for them, so that they can operate under the radar for years. Another tool modified the UEFI BIOS of modern PCs so that it silently reinstalled surveillance tools even if the system's hard drive was wiped clean and replaced.

Security researchers have found other vulnerabilities independently. In 2015 Trammell Hudson demonstrated Thunderstrike: a bootkit that infects the EFI firmware of Apple computers, allowing malicious software to propagate through Thunderbolt devices and flash modified code to the boot ROM. In the same year two researchers at LegbaCore, Xeno Kovah and Corey Kallenberg, presented LightEater: a concept attack that could remotely infect the BIOS of a wide range of PCs from various brands, using a script to bypass protections and flag-up unpatched vulnerabilities. These could then be used to hijack System Management Mode.

The attack code involved wouldn't be hard to deliver, involving nothing more than a link in a phishing email or two minutes' work with physical access to a machine. It could be used to install further malware, steal passwords and access all data and code passing through the PC's memory. As Kovah put it, "Our SMM attacker lives in a place nobody checks today to see if there's an attacker... System Management Mode can read everyone's RAM, but nobody can read System Management Mode's RAM."

Resilience and Protection

So, these threats are real and your anti-virus software won't protect against them. What can you do? Well, HP offers one solution. New HP business PCs and laptops, such as the Windows 10-enabled Elite range, have a built-in feature, HP Sure Start, which gives them the ability to both detect a successful firmware attack and recover from it.

First, Sure Start checks and monitors the BIOS code in system flash RAM that's executed at boot, to ensure that it hasn't been modified or replaced. Then, if it detects any sign of tampering, it calls a halt to the boot-up process and restores a last-known good version of the BIOS from a secure copy held in a dedicated HP Sure Start flash RAM, and notifies the systems administrator and/or user. What's more, it monitors BIOS settings to ensure that these aren't modified without authorisation, logging any attempts to modify and sending further alerts. What's more, as HP also uses BIOS whitelisting to ensure that only known, good firmware can be installed, it's exponentially more difficult for an attacker to install their own custom firmware, even if they have physical access to your PC.

As more firmware-level attacks emerge, regular firmware updates and patches are likely to become a crucial element of PC security in the future, and it's crucial that businesses understand these vulnerabilities and why their existing security provisions won't guard against them. However, with technologies like Sure Start on-board, PCs have a built-in layer of resilience that will enable them to shrug off these below OS-level attacks.

Find out more about HP Sure Start protection.

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.