Over at last week's CanSecWest security conference, Corey Kallenberg and Xeno Kovah demonstrated how surprisingly easy it is to infect the BIOS of millions of vulnerable computers.
Little attention is given to BIOS security, and there is a lot of code reuse across UEFI BIOSes; the researchers claim almost every BIOS in the wild is affected by at least one exploitable vulnerability.
Using a tool named LightEater, even an unskilled person with physical access can infect a PC in a mere two minutes. Attacks over the internet are possible as well, but require more sophistication, as attackers first need to gain access to the system through another vulnerability.
Security experts Kallenberg and Kovah explained some BIOSes are woefully insecure and do nothing to prevent attacks.
Even if hardware makers fix the issues, the big problem is that almost no one pays attention to the BIOS. The duo pointed out that using a security-focused OS like Tails, which promises to leave no trace on your computer, doesn't help if your BIOS is infected. And these infections can linger for a long time because they're hard to detect and don't go away when the disk is reformatted.
At this point there's no evidence cyber criminals are using this technique on a large scale, but leaked documents from Edward Snowden illustrate that the NSA has been exploiting this vector for a while.
Kovah says misconfigured BIOS access controls pose more of a threat than vulnerabilities such as exploitable buffer overflows.
Those flaws are homogeneous: using tiny signatures built from just 10 machines, the pair found the code hooks attackers need to build reliable SMM implants across thousands of BIOS images.
"This shows empirically that attackers wouldn't have to reverse engineer each BIOS model or revision. Simple pattern matching can make it so that tools can just assemble BIOS implants for any model on demand," Kovah says, adding he expects that attackers already know this.
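The two points above, that a BIOS implant is hard to detect and survives a reformat, and that firmware code is homogeneous enough for byte-level pattern matching to work across many images, suggest the same thing from the defender's side: keep a known-good dump of your firmware and compare new dumps against it, and scan dumps for byte patterns you care about. The following Python is an added example, not code from the conference talk or the LightEater tool. It constructs two fake firmware images inline (a baseline and a copy with a few bytes overwritten), reports which 4 KiB regions changed, and runs a simple signature scan; the region size, the image contents and the "hook" byte pattern are all constructed placeholders, not real firmware or a real implant signature.

```python
import hashlib
from typing import List, Tuple

REGION_SIZE = 4096  # assumption: compare images in 4 KiB chunks


def region_digests(image: bytes, region_size: int = REGION_SIZE) -> List[str]:
    """SHA-256 of each fixed-size region of a firmware image."""
    return [
        hashlib.sha256(image[i:i + region_size]).hexdigest()
        for i in range(0, len(image), region_size)
    ]


def diff_regions(baseline: bytes, current: bytes,
                 region_size: int = REGION_SIZE) -> List[int]:
    """Return the start offsets of regions whose contents differ from the baseline.

    Comparing per region rather than one whole-image hash tells you *where*
    a dump diverges from the known-good copy, which is what you need when
    deciding whether a change is a vendor update or something unexpected.
    """
    if len(baseline) != len(current):
        raise ValueError("image sizes differ; compare like-for-like dumps")
    base = region_digests(baseline, region_size)
    cur = region_digests(current, region_size)
    return [i * region_size for i, (b, c) in enumerate(zip(base, cur)) if b != c]


def find_pattern(image: bytes, pattern: bytes) -> List[int]:
    """All offsets at which a byte pattern occurs (plain signature scan)."""
    hits: List[int] = []
    start = 0
    while True:
        idx = image.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def build_samples() -> Tuple[bytes, bytes, bytes]:
    """Constructed sample data: a baseline image, a tampered copy, and the
    byte pattern that was written into it. None of this is real firmware."""
    # Eight regions of deterministic filler; consecutive bytes always differ,
    # so the all-zero tail of the pattern below cannot occur by accident.
    baseline = bytes((i * 7 + 3) & 0xFF for i in range(8 * REGION_SIZE))
    hook = b"\x48\xb8" + b"\x00" * 8  # constructed placeholder pattern
    modified = bytearray(baseline)
    at = 3 * REGION_SIZE + 100        # overwrite a few bytes inside region 3
    modified[at:at + len(hook)] = hook
    return baseline, bytes(modified), hook


def report(baseline: bytes, current: bytes, signature: bytes) -> dict:
    """Summarise a dump against its baseline and a signature of interest."""
    return {
        "changed_regions": diff_regions(baseline, current),
        "signature_hits": find_pattern(current, signature),
    }


if __name__ == "__main__":
    base, tampered, sig = build_samples()
    print("clean dump:   ", report(base, base, sig))
    print("tampered dump:", report(base, tampered, sig))
```

In practice the baseline would be a dump taken from a freshly flashed vendor image with a hardware programmer or a trusted flashing tool, stored off the machine; any region that changes without a corresponding firmware update is worth investigating.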