Intel Security has launched a new security tool that can scan the firmware of systems targeted by exploits detailed in WikiLeaks’ Vault7 ‘Year 0′ dump last week. Chipsec has been updated in response to what Wikileaks has called the largest store of confidential documents and tools from the US Central Intelligence Agency (CIA) in history. IT security experts from DomainTools and ESET commented below.
Tim Helming, Director, Product Management at DomainTools:
“CHIPSEC seeks to give the admin a chance to detect and remedy the problem by putting a clean EFI image on the machine. This is not a trivial task to undertake, but that’s the aim of CHIPSEC. This is an advanced technique, not a “script kiddie” one, so these attacks would likely be carried out by high-capability organizations.
Although CHIPSEC may be a useful tool to organisations looking to further protect systems, it’s not something that appears to be highly scalable/automatable and it’s not something the average user is going to run themselves. But for securing high-value targets such as executives’ or R&D peoples’ machines, it could prove very useful.
Threat hunting is becoming a more common and mature practice to mitigate systems with an infected UEFI firmware, and it begins with a mindset: “We assume badness is inside the organization. We’re going to go find it.” Organisations should be aggressively collecting logs, extracting indicators such as domain names, IP addresses, binaries that crossed the wire, etc, and looking for evidence of evil. Said evidence may in some cases point back to machines compromised at a low level, including the EFI.”
Mark James, IT Security Specialist at ESET:
“The UEFI BIOS has been a place of interest for a while, if infected it allows the attacker to inject code in places that may not be so easily accessed from normal methods. It also could allow re-injection after hard drive wipes, something that is often identified as “a clean way to start again”. The end user may not have the means to identify or even understand these threats and even if they did, cleaning them is another matter altogether.
In theory a simple rewrite of the BIOS should remove the infected firmware. Writing the firmware these days is a lot easier than in previous years and with the right software anyone could do it. Businesses need to consider all attack vectors no matter how small or insignificant they appear to be. Any tools that could be used to strengthen your defences should be used and incorporated sooner rather than later. It’s better to have it in place and not need it than to wish you had implemented after a serious breach, multi-layered defences are the only way you will thwart the bad guys.”