More and more hardware stores wish to use the NIST 800-155 specification to make BIOS firmware more secure on both PCs and laptops. However, a team of researchers at the MITRE Corporation states that the approach presently in use relies too heavily on access-control mechanisms, which they say are currently easy to bypass.
The researchers plan to unveil newly developed concepts that can quietly get past the TPM (Trusted Platform Module) chip while leaving it convinced that nothing is wrong with the software. The malware can then continue infecting the BIOS even after the BIOS has been altered in any way, for example if it has been reset or flashed. Even an update may not be able to secure the software in this case.
How the Malware Gets Past BIOS
As of now, the BIOS flash chip contains the code required for the system's TPM chip to function. This code is needed so that the measurement and the PCR (Platform Configuration Register) keep the BIOS from being infected. However, malware that affects this code can manipulate the PCR into changing its value, following an inconsistency between that code and the TPM.
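Why a PCR value is only as trustworthy as the code that reported the measurement, shown as an added toy model (not code from the researchers or from any TPM stack). It assumes a SHA-1 PCR extended as in TPM 1.2; `ToyTPM`, `untrusted_measure`, `independent_check` and the firmware strings are hypothetical, constructed names and samples.

```python
import hashlib

class ToyTPM:
    """Minimal model of one PCR: it can only be extended, never written directly."""
    def __init__(self):
        self.pcr = bytes(20)  # PCR starts as 20 zero bytes after reset

    def extend(self, digest: bytes) -> None:
        # TPM 1.2 style extend: PCR_new = SHA1(PCR_old || digest)
        self.pcr = hashlib.sha1(self.pcr + digest).digest()

def measure(image: bytes) -> bytes:
    """Honest measurement code: hash what is really in flash."""
    return hashlib.sha1(image).digest()

def boot(image: bytes, measurement_code) -> bytes:
    """Reset the PCR, extend it with whatever digest the flash-resident code reports."""
    tpm = ToyTPM()
    tpm.extend(measurement_code(image))
    return tpm.pcr

# Constructed sample firmware images (not real BIOS contents).
CLEAN = b"vendor BIOS build (constructed sample)"
MODIFIED = CLEAN + b" + unauthorised change"
GOLDEN_PCR = boot(CLEAN, measure)  # value a verifier expects to see

def untrusted_measure(image: bytes) -> bytes:
    """Models measurement code that lives in the same writable flash and has
    itself been altered: it reports the clean digest whatever the flash holds."""
    return measure(CLEAN)

def pcr_check(image: bytes, measurement_code) -> bool:
    """Attestation-style check: does the resulting PCR match the golden value?"""
    return boot(image, measurement_code) == GOLDEN_PCR

def independent_check(flash_dump: bytes) -> bool:
    """Verifier hashes the flash contents itself instead of trusting the PCR.
    Assumes the dump was read by a path the firmware cannot influence."""
    return measure(flash_dump) == measure(CLEAN)

if __name__ == "__main__":
    print("clean image, honest code      :", pcr_check(CLEAN, measure))
    print("modified image, honest code   :", pcr_check(MODIFIED, measure))
    print("modified image, untrusted code:", pcr_check(MODIFIED, untrusted_measure))
    print("modified image, independent   :", independent_check(MODIFIED))
```

The third case passes the PCR comparison even though the image differs, which is why the measuring code needs to sit outside the region it measures.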
Two pieces of malware that are said to be unveiled at Black Hat are called the “tick” and the “flea” for their abilities to either be stealthy or jump between BIOS revisions. The flea is said to be able to predict a firmware update and hide itself so that it becomes part of the update as well.