“Over the years, some manufacturers have been taking steps to improve the security of BIOS, but the industry was not moving as quickly to strong security mechanisms as we would have liked, in part because there wasn’t a perceived need,” said NIST’s Andrew Regenscheid, but “without security improvements, I think we will start seeing more attacks on BIOS.”

The routine is almost universal. Every day, millions of workers turn on their computers, take a second or two for a sip of coffee as their desktop or laptop “boots up,” and then get to work. In those few seconds, the basic input-output system (BIOS) of the computer initializes the hardware and hands control to the operating system that actually runs the PC — in effect, acting the same as the shot of coffee that helps the worker wake up and start functioning. Pretty simple.
Only when it’s not.
Turns out that the BIOS function is yet another entry point for cybersecurity threats, to the degree that a federal agency has set up a program to deal with the problem and has asked for help from both the public and private sectors. The National Institute of Standards and Technology (NIST) has released the draft of a publication that provides guidance for vendors and security professionals as they work to protect personal computers in start-up mode.
The BIOS program is the first software that runs when a computer is turned on. It initializes the computer hardware before the operating system starts. Potential problems arise because it works at such a low level — before other security protections are in place — that unauthorized changes to the BIOS, whether malicious or accidental, can pose a significant security threat.
“Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations,” said Andrew Regenscheid, co-author of the NIST document.
The vulnerability is “an emerging threat area,” he warned, and the potential for harm underscores the importance of detecting changes to the BIOS code and configurations, and why monitoring BIOS integrity is an important element of security.
The NIST draft publication, “BIOS Integrity Measurement Guidelines,” explains the fundamentals of BIOS integrity measurement — a way to determine if the BIOS has been altered — and how to report any changes. The publication provides detailed guidelines for hardware and software vendors that develop products to support secure BIOS integrity measurement mechanisms. It may also be of interest to organizations that are developing deployment strategies for these technologies. The agency is seeking public comment on the publication through Jan. 20.
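To make the idea of “integrity measurement” concrete, here is a small added illustration of the measure-compare-report loop the draft describes. It is not code from NIST or from any vendor: the flash layout, region names, sample image and golden baseline are all constructed for the example, and the PCR-style “extend” step is borrowed from the TPM design the Trusted Computing Group specifies rather than from the NIST text itself.

```python
"""Toy BIOS integrity measurement and assessment (added illustration).

A firmware image is split into named regions, each region is hashed (a
"measurement"), the measurements are compared with a stored golden
baseline, and a report of matching, changed and unexpected regions is
produced. Everything below (layout, image contents, baseline) is
constructed for the example and is not a real BIOS.
"""
import hashlib

# Constructed 4 KiB stand-in for a flash image: region name -> (offset, length).
REGION_MAP = {
    "boot_block": (0x000, 0x400),
    "main_code": (0x400, 0x800),
    "nvram_config": (0xC00, 0x400),
}


def build_sample_image() -> bytes:
    """Construct a deterministic fake firmware image (not a real BIOS)."""
    boot = b"BOOT" * (0x400 // 4)                      # 1024 bytes
    code = bytes(range(256)) * (0x800 // 256)          # 2048 bytes
    cfg = b"\x00" * 0x3F0 + b"SECBOOT=1".ljust(16, b"\x00")  # 1024 bytes
    return boot + code + cfg


def measure(image: bytes, region_map=REGION_MAP) -> dict:
    """Hash every region of the image; returns region -> SHA-256 hex digest."""
    out = {}
    for name, (off, length) in region_map.items():
        chunk = image[off:off + length]
        if len(chunk) != length:
            raise ValueError(f"region {name} is truncated in the image")
        out[name] = hashlib.sha256(chunk).hexdigest()
    return out


def extend(measurements: dict,
           order=("boot_block", "main_code", "nvram_config")) -> str:
    """Fold the per-region digests into one value the way a TPM PCR is
    extended: pcr = SHA-256(pcr || digest), starting from all zeros.
    The order of extension matters, which is the point of a measured boot."""
    pcr = bytes(32)
    for name in order:
        pcr = hashlib.sha256(pcr + bytes.fromhex(measurements[name])).digest()
    return pcr.hex()


def assess(measurements: dict, golden: dict) -> dict:
    """Compare measurements with a golden baseline.

    Returns a report listing regions whose digest matches, regions whose
    digest changed, regions not present in the baseline (unexpected), and
    regions the baseline expects but the image lacks (missing)."""
    report = {"match": [], "changed": [], "unexpected": [], "missing": []}
    for name, digest in measurements.items():
        if name not in golden:
            report["unexpected"].append(name)
        elif golden[name] == digest:
            report["match"].append(name)
        else:
            report["changed"].append(name)
    report["missing"] = [n for n in golden if n not in measurements]
    report["ok"] = not (report["changed"] or report["unexpected"]
                        or report["missing"])
    return report


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset (simulates a malicious or
    accidental change to the flash contents)."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    """Record a golden baseline, modify one byte of code, and report."""
    pristine = build_sample_image()
    golden = measure(pristine)            # what the vendor/admin would publish
    modified = tamper(pristine, 0x500)    # inside main_code
    return assess(measure(modified), golden)


if __name__ == "__main__":
    print(demo())
```

The per-region report tells an administrator *what* changed (a modified code region is a different conversation from a changed NVRAM setting), while the single extended value is what a platform would report cheaply and what a remote checker can compare against a known-good value without seeing the image.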
The emergence of the threat was highlighted by Symantec (Nasdaq: SYMC) in company blog posts last year, and by NIST, which issued its “BIOS Protection Guidelines” in April 2011 to give computer makers guidance on building protection against BIOS threats into their products. NIST has functioned as a vehicle to alert both hardware and software makers to cyberthreats and to provide technical guidance to help resolve problems.
Threat Level Viewpoints Differ
From a technical standpoint, launching a BIOS attack is not easy for Internet miscreants bent on spreading malware through computer systems, Symantec and NIST agree. But there is a difference in perspective about the future threat of BIOS attacks.
“The reality is that modern malware creators have not found BIOS attacks to be very attractive because of the diversity in legacy BIOS platforms, which tend to use non-standard proprietary designs,” Gerry Egan, director of Symantec Security Response, told CRM Buyer. “This makes a particular threat only useful against a subset of the community, which is not very attractive to everyday cybercriminals seeking the biggest bang for their buck.”
The knowledge required to create such an attack is arcane and poorly documented, Egan observed.
The infamous Stuxnet malware demonstrated that such obstacles as complexity become irrelevant if the attacker has a focused target and extensive resources, he noted — “so, the issue is real, but thus far not a materially significant one.”
NIST’s effort indicates a greater sense of urgency.
“Attacks on BIOS are relatively complex and must be highly targeted, so they have not been as prevalent as other attacks. Instead, most malware targets either the operating system or application running on a computer,” NIST’s Regenscheid told CRM Buyer.
“Over the years, some manufacturers have been taking steps to improve the security of BIOS, but the industry was not moving as quickly to strong security mechanisms as we would have liked, in part because there wasn’t a perceived need,” he said. “But targets and attacks are changing in response to improvements in operating systems and applications. Without security improvements, I think we will start seeing more attacks on BIOS.”
To some degree, that view is shared by McAfee in its 2012 report on potential cyberthreats.
“Attacking hardware and firmware is not easy, but success there would allow attackers to create persistent malware ‘images’ in network cards, hard drives, and even system BIOS,” the report points out. “We will keenly watch how attackers use these low-level functions for botnet control, perhaps migrating their control functions into graphics processor functions, the BIOS, or the master boot record.”
While computer vendors are ultimately responsible for BIOS security, according to Regenscheid, the entire hardware and software supply chain has a role to play in implementing the BIOS measurement protocol described by NIST.
“These vendors will each be responsible for different critical pieces of the overall BIOS integrity measurement system. And, of course, users and system administrators are responsible for setting up and configuring systems properly so that these mechanisms work as intended,” he said.
The NIST integrity measurement guidance is primarily intended for large organizations — either public or private. “While our documents are focused on computers intended for enterprise environments, we think some of these controls will migrate to consumer-level devices over time,” Regenscheid said.
Industry Reacted Quickly
The protection mechanisms covered by NIST’s earlier guidance can be built in by the computer maker at the manufacturing stage and are not as challenging to implement as the detection and measurement protocols just outlined by NIST, which also depend on the deploying organization setting up the systems that collect and check those measurements. As a result, large organizations are better placed to adopt the measurement protocols, and adoption at the consumer level could take some time.
The industry reacted positively to the NIST “BIOS Protection Guidelines” issued in April last year, Regenscheid noted.
“That document helped call attention to this potential vulnerability, and the industry response has been amazing. Within a few months of publication, major computer vendors were already shipping products that were designed to meet the guidelines. I’m hopeful we’ll see a similar adoption of the ‘BIOS Integrity Measurement Guidelines,’” he said.
“I think there’s a role here for both NIST and industry standards groups. The NIST publications identify security requirements and properties that we think are important to have in computer systems to secure the BIOS. But we weren’t trying to design a solution. It’s up to industry and industry standards groups to determine how they will implement products that meet the guidelines,” Regenscheid stressed.
Organizations such as the Unified Extensible Firmware Interface Forum and the Trusted Computing Group will have a significant role in developing the necessary standards and specifications to create “secure and interoperable” solutions, he said.