New Intel firmware boot verification bypass enables low-level backdoors

By replacing a PC's SPI flash chip with one that contains rogue code, an attacker can can gain full, persistent access.

Lucian Constantin May 13th 2019 A-A+

Researchers have found a new way to defeat the boot verification process for some Intel-based systems, but the technique can also impact other platforms and can be used to compromise machines in a stealthy and persistent way.

Researchers Peter Bosch and Trammell Hudson presented a time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of Intel's reference Unified Extensible Firmware Interface (UEFI) implementation at the Hack in the Box conference in Amsterdam this week.

Boot Guard is a technology that was added in Intel Core 4th generation microarchitecture -- also known as Haswell -- and is meant to provide assurance that the low-level firmware (UEFI) has not been maliciously modified. It does this by checking that the loaded firmware modules are digitally signed with trusted keys that belong to Intel or the PC manufacturer every time the computer starts.

Bosch, an independent researcher and computer science student at Leiden University in the Netherlands, discovered an anomaly in the Boot Guard verification process while he was trying to find a way to use the open-source Coreboot firmware on his own laptop. In particular, he noticed that after the system verified the firmware and created a validated copy in cache, it later re-read modules from the original copy located in the Serial Peripheral Interface (SPI) memory chip -- the chip that stores the UEFI code.

This isn't correct behavior, because the system should only rely on the verified copy after the cryptographic checks are passed. This made Bosch think there might be an opportunity for an attacker to modify the firmware code after it's been verified and before it's incorrectly re-read from SPI memory. He took his findings and an early proof-of-concept implementation to Trammell Hudson, a well-known hardware and firmware researcher whose previous work includes the Thunderstrike attacks against Apple's Thunderbolt technology.

Hudson confirmed Bosch's findings and together worked on an attack that involves attaching a programming device to the flash memory chip to respond with malicious code when the CPU attempts to reread firmware modules from SPI memory instead of the validated copy. The result is that malicious and unsigned code is executed successfully, something that Boot Guard was designed to prevent.

While the attack requires opening the laptop case to attach clip-on connectors to the chip, there are ways to make it permanent, such as replacing the SPI chip with a rogue one that emulates the UEFI and also serves malicious code. In fact, Hudson has already designed such an emulator chip that has the same dimensions as a real SPI flash chip and could easily pass as one upon visual inspection if some plastic coating is added to it.

What are the implications of such TOCTOU attacks?

The Intel Boot Guard and Secure Boot features were created to prevent attackers from injecting malware into the UEFI or other components loaded during the booting process such as the OS bootloader or the kernel. Such malware programs have existed for a long time and are called boot rootkits, or bootkits, and attackers have used them because they are very persistent and hard to remove. That's because they re-infect the operating system after every reboot before any antivirus program has a chance to start and detect them.

In its chip-swapping variant, Hudson's and Bosch's attack acts like a persistent hardware-based bootkit. It can be used to steal disk encryption passwords and other sensitive information from the system and it's very hard to detect without opening the device and closely inspecting its motherboard.

Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information.

Such a physical compromise could occur in different ways, for example in an Evil-Maid-type scenario where a high value target, like a company's CEO, travels to a foreign country and leaves their laptop unattended in their hotel room. Bosch tells CSO that replacing the SPI memory chip with a rogue one designed to execute this attack would take 15 to 20 minutes for an experienced attacker with the right equipment.

Another possibility are supply chain attacks or the so-called "interdiction" techniques where computer shipments are intercepted in transit, for example by an intelligence agency, are backdoored and then resealed to hide any tampering. The documents leaked by Edward Snowden showed that the NSA uses such techniques, and it is likely not the only intelligence agency to do so.

Some devices do have tamper-evident seals or mechanisms, but someone with the right resources and knowledge can easily bypass those defenses, Bosch tells CSO.

Malicious employees could also use this technique on their work-issued laptops to either bypass access controls and gain administrator privileges or to maintain access to the company's data and network after they leave the company. Such a compromise would survive the computer being wiped and being put back into use.

There have been several cases over the years of economic espionage where employees working for various companies were caught stealing trade secrets and passing them to foreign governments or to competitors.

What is the mitigation?

The two researchers notified Intel of their findings in January and tell CSO that the chipmaker treated the issue seriously and assigned a high severity to it. The company already has patches available for its reference UEFI implementation -- known as Tianocore -- that it shares with BIOS vendors and PC manufacturers. The researchers haven't yet tested the fixes, but at least based on the description they seem comprehensive and should prevent similar attacks in the future.

The problem is that distributing UEFI patches has never been an easy process. Intel shares its UEFI kit with UEFI/BIOS vendors who have contracts with various PC manufacturers. Those OEMs then make their own firmware customizations before they ship it inside their products. This means that any subsequent fixes require collaboration and coordination from all involved parties, not to mention end users who need to actually care enough to install those UEFI updates.

The patches for the critical Meltdown and Spectre vulnerabilities that affected Intel CPUs also required UEFI updates and it took months for some PC vendors to release them for their affected products. Many models never received the patches in the form of UEFI updates because their manufacturers no longer supported them.

The two researchers plan to release their proof-of-concept code in the following months as part of a tool called SPISpy that they hope will help other researchers and interested parties to check if their own machines are vulnerable and to investigate similar issues on other platforms.

"I would really like to see the industry move towards opening the source to their firmware, to make it more easy to verify its correctness and security," says Bosch.