Millions Of Gigabyte, Acer, MSI, HP, Asus, And More Motherboards Vulnerable To LightEater Malware.
Two minutes. That is how long security researchers Corey Kallenberg and Xeno Kopvah have found that it takes to make a computer completely useless. The team presented at CanSecWest Vancouver 2015 “How many million BIOSes would you like to infect?” where they demonstrated even an unskilled script kiddie could turn a computer into an expensive door stop. The researchers showed that all they had to do place an invalid instruction in the first position the computer reads upon boot up and they could make the computer never boot again. As usually, the extent of this vulnerability is actually worse. Instead of rendering the computer into a giant metal brick a hostile actor could also steal passwords and encrypted data. This means that the cleaning crew, law enforcement, or the border and customs agent only needs a few moments with your computer to implant the tools necessary to steal data off the computer. LightEater is even able to get around the isolation Tails or other boot from USB drive operating systems were thought to offer.
The culprit is the Unified Extensible Firmware Interface (UEFI) that most computers use as a basic building block to start-up the computer. Kopvah told The Register in an interview that, “Because almost no one patches their BIOSes, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected.” Due to the common code used for this part of a computer the ability to create an exploit that works for a large number of systems is possible. This means that the payoff for targeting the UEFI and Basic Input/Output System or BIOS is very high.
Upgrading or patching the BIOS is often overlooked by home users all the way up to large organizations. Although many manufactures have provided patches or updates, users fail to download and install them.