A Computer Infection that Can Never Be Cured
A hacker demonstrates that code can be hidden inside a new computer to put it forever under remote control, even after upgrades to the hard drive or operating system.
As the manufacturing of computers and other gadgets has migrated to China, an occasional paranoid voice has asked whether the country might be tempted to preinstall software for surveillance. This remains a far-fetched notion, but now a French hacker has at least shown how such a covert back door could be created.
At the Black Hat security conference in Las Vegas last week, Jonathan Brossard demonstrated software that can be hidden deep inside the hardware of a PC, creating a back door that would allow secret remote access over the Internet. His secret entrance can’t even be closed by switching a PC’s hard disk or reinstalling its operating system.
Corporate and government-sponsored computer espionage is a growing problem, and hackers are using ever more sophisticated methods to bypass security ramparts. A congressional report, published in March this year, concluded that electronics manufactured in China posed a “potential” threat to U.S. communication systems, but there is no evidence of attempted espionage by hiding surveillance tools inside new equipment to date.
Brossard’s backdoor tool, dubbed Rakshasa, needs to be installed into the BIOS chip on a PC’s motherboard, on which the main processor and other core components are mounted. A computer’s BIOS chip contains the first code, known as firmware, which a computer runs when it is powered on to start the process of booting up the operating system. Brossard also found he could hide his malicious code inside chips of other hardware components such as network cards, and have it jump into the BIOS when necessary.
“If someone puts a single rogue firmware on your machine, he basically owns you forever,” Brossard told an audience of fellow hackers and computer security professionals at Black Hat.
When a PC with Rakshasa installed is switched on, the software looks for an Internet connection to fetch the small amount of code it needs to compromise the computer. If Rakshasa can’t get an Internet connection, it can’t operate.
The design makes Rakshasa extra stealthy. “For a nation-state-quality back door, think Flame or Stuxnet, we want plausible deniability,” explained Brossard, referring to malware that experts believe was created by government-sponsored hackers. “If you fetch over the Internet every time, we don’t leave a trace on the file system.”
The code Rakshasa fetches is used to disable a series of security controls that limit what changes low-level code can make to the high-level operating system and memory of a computer. Then, as the computer’s operating system is booted up, Rakshasa uses the powers it has granted itself to inject code into key parts of the operating system. Such code can be used to disable user controls, or steal passwords and other data to send back to the person controlling Rakshasa.
In an onstage demonstration at Black Hat, Brossard proved his idea works by having Rakshasa boot a computer with Windows 7 installed and override its password authentication. A person chosen from the audience was then able to use a randomly chosen password to log into the admin account.
Brossard built Rakshasa by combining several legitimate open-source software packages for altering firmware. Due to the efforts of programmers that have contributed to those projects, Rakshasa works on 230 different models of motherboard, says Brossard. It likely works on many more models of PC, since it is common for a manufacturer to use the same motherboard model in many different PC models.
Because Rakshasa only ever resides inside motherboard chips, it is safely out of view of antivirus software and resilient to the most common responses by IT staff cleaning up a badly infected PC.
“Even if you change your hard drive or change your OS, you’re still very much going to be owned,” said Brossard, who has tested the code that Rakshasa fetches against a standard battery of 43 antivirus programs and found that none flagged it as dangerous.
Of course, deploying Rakshasa would require getting access to the motherboard of a computer, perhaps in a factory or warehouse. “Another attack scenario is you buy a new network card and get back-doored,” said Brossard, because of the way Rakshasa can jump from other components into the BIOS.
Anyone fearing a Rakshasa-style attack would need to replace the firmware on the chips of the motherboard and other components with versions known to be safe.
The attack can work on PCs with any kind of processor, but many of the standard features of PC motherboards originated with Intel. Suzy Greenberg, a spokeswoman for that company, said in an e-mail that Brossard’s paper was “largely theoretical,” since it did not specify how an attacker would insert Rakshasa onto a system, and did not take into account that many new BIOS chips have cryptographically verified code that would prevent it from working.
However, Brossard notes that this added layer of protection is available only on a minority of PCs so far, and that an organization with access to PC manufacturing or distribution would have many opportunities to install Rakshasa-style software.