February 2015
The Uses and Abuses of Cryptography (5 February 2015)
What Must We Trust? (16 February 2015)
Hiding in the Firmware? (19 February 2015)
Packet Loss: How the Internet Enforces Speed Limits (27 February 2015)

Hiding in the Firmware?

19 February 2015

The most interesting feature of the newly-described "Equation Group" attacks has been the ability to hide malware in disk drive firmware. The threat is ghastly: you can wipe the disk and reinstall the operating system, but the modified firmware in the disk controller can reinstall nasties. A common response has been to suggest that firmware shouldn’t be modifiable unless a physical switch is activated. It’s a reasonable thought, but it’s a lot harder to implement than it seems, especially for the machines of most interest to nation-state attackers.

One problem is where this switch should be. It’s easy enough on a desktop or even a laptop to have a physical switch somewhere. (I’ve read that some Chromebooks actually have such a thing.) It’s a lot harder to find a good spot on a smartphone, where space is very precious. The switch should be very difficult to operate by accident, but findable by ordinary users when needed. (This means that a switch on the bottom is probably a bad idea, since people will be turning their devices over constantly, moving between the help page that explains where the switch is and the bottom to try to find it….) There will also be the usual percentage of people who simply obey the prompts to flip the switch because of course the update they’ve just received is legitimate…

A bigger problem is that modern computers have lots of processors, each of which has its own firmware. Your keyboard has a CPU. Your network cards have CPUs. Your flash drives and SD cards have CPUs. Your laptop’s webcam has a CPU. All of these CPUs have firmware; all can be targeted by malware. And if we’re going to use a physical switch to protect them, we either need a separate switch for each device or a way for a single switch to control all of these CPUs. Doing that probably requires special signals on various internal buses, and possibly new interface standards.

The biggest problem, though, is with all of the computers that the net utterly relies on, but that most uesrs never see: the servers. Many companies have them: rows of tall racks, each filled with anonymous "pizza boxes". This is where your data lives: your email, your files, your passwords, and more. There are many of them, and they’re not updated by someone going up to each one and clicking "OK" to a Windows Update prompt. Instead, a sysadmin (probably an underpaid underappreciated, overstressed sysadmin) runs a script that will update them all, on a carefully planned schedule. Flip a switch? The data center with all of these racks may be in another state!

If you’re a techie, you’re already thinking of solutions. Perhaps we need another processor, one that would enable all sorts of things like firmware update. As it turns out, most servers already have a special management processor called IPMI (Intelligent Platform Management Interface). It would be the perfect way to control firmware updates, too, except for one thing: IPMI itself has serious security issues

A real solution will take a few years to devise, and many more to roll out. Until then, the best hope is for Microsoft, Apple, and the various Linux distributions to really harden any interfaces that provide convenient ways for malware to issue strange commands to the disk. And that is itself a very hard problem.



Update: Dan Farmer, who has done a lot of work on IPMI security, points out that the protocol is IPMI, but the processor it runs on is the BMC (Baseboard Management Controller.
https://www.cs.columbia.edu/~smb/blog/2015-02/2015-02-19.html