Potential new BIOS security attacks are being analyzed by security researchers with possible POC malware demonstrated at the next Black Hat convention this summer
QUOTE: As more hardware vendors seek to implement the new NIST 800-155 specification that was designed to make the start-up BIOS firmware on our PCs and laptops more secure, they may need to rethink the security assumptions upon which the standard depends. A trio of researchers from The MITRE Corp. say that the current approach relies too heavily on access control mechanisms that can easily be bypassed. The researchers are taking their message to Black Hat USA later this summer in a talk where they plan to unveil new malware proofs-of-concept that can trick an endpoint’s Trusted Platform Module (TPM) chip into thinking the BIOS firmware is clean and can persist infecting the BIOS after it has been flashed, or reset, or even after it has been updated.
“The first one we’re going to introduce is called the tick, which is a stealth malware that lives in the firmware, so it’s persistent past reflashes and is able to forge the TPM’s PCR values to provide a known good expected value,” Butterworth says. “The second one we’ll introduce what we call the flea because it is able to jump from one BIOS revision to the next. Whereas the tick can easily be removed if you simply update or upgrade your BIOS revision, the flea is actually able to sense that firmware is about to be updated and is able to clone itself into the update image.”