Firmware / BIOS Malware & Refurbished PCs


Some time after I had graduated in IT, for just a little while I used to refurbish old desktop PCs, strip down old servers with a hammer and chisel, destroy HDDs with an even bigger hammer, handle quality control + testing + sales + aftersales of refurbished desktop PCs, perform quick repairs of any old desktop PCs that were brought into the shop, etc. at a Not-for-profit organization. For my own personal hobby type stuff I have strictly been buying mid-priced (499-829 Euros) unused, new, 15 inch Windows laptops since 2009 (and one cheap Intel Atom N270 based netbook in 2010 that I used as a separate music playback machine mainly back then just so I could reboot/mess around with my laptop and not have to worry about interrupting the music). I always buy another new laptop every ~3 years, and, each time when this happens, even if it still works, it usually doesn't take very long before the old one gets retired simply because, TBH, I get bored watching it crawl. Paint starts to dry, and grass growing. I mean, the new one does everything I want so much faster in direct comparison to it, it's no longer worth the hassle. So, I don't refurbish it, as I am the laziest person on Earth (and most of the galaxy). Instead, I keep it on a shelf (typically on top of all the other retired ones, lol) just in case the new one breaks. But if the new one breaks, say, after two years and a half, then probably I'll shop around for another new one. You know. I think it's my best talent! lol
 

I've heard no mention of any software mitigations or malware analysis to address this topic.

It seems to be a very touchy subject for some here?

The prevalence and frequency of bios/firmware malware is not going down, it is going up.

Is this incorrect?

Surely - exploring the steps we need to take to address this is worth discussing?
 

It seems to be a very touchy subject for some here?
I don't think so.
I think it's just that none of us know about the subject.

Is this incorrect?
I don't know.
You know at least as much as anybody else here. Probably more.

Surely - exploring the steps we need to take to address this is worth discussing?
I don't know.
I don't even know if there are any steps we can take to address this.


All the best,
Denis
 

don't even know if there are any steps we can take to address this.


From the tons of reading and the ounce of understanding I have gained from it, on an infected machine Black Lotus inserts itself into the EFI partition, NOT the UEFI firmware.
Only the revocations are added there. The best, easiest-to-understand information I've found is from the US Dept. of Defense in their guide.


Reformatting will get rid of it.
Per this MS statement: "If a device is determined to have been infected with BlackLotus, the device should be removed from the network and reformatted (both the OS partition and EFI partition) or restored from a known clean backup that includes the EFI partition."
Reference: Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign | Microsoft Security Blog
 

From the tons of reading and the ounce of understanding I have gained from it, on an infected machine Black Lotus inserts itself into the EFI partition, NOT the UEFI firmware.
Only the revocations are added there. The best, easiest-to-understand information I've found is from the US Dept. of Defense in their guide.


Reformatting will get rid of it.
Per this MS statement: "If a device is determined to have been infected with BlackLotus, the device should be removed from the network and reformatted (both the OS partition and EFI partition) or restored from a known clean backup that includes the EFI partition."
Reference: Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign | Microsoft Security Blog
Now we're getting somewhere.

Outstanding response.

So, a question raised by the above, shows there is guidance available, and that it is being provided (so there must be a reason).

I think it is legitimate to begin opening up this topic.

I too remember when bios chips could be swapped out or sent back for reflashing. However (as another mentioned) they are now soldered to the board.

A legitimate way forward is to ask, if you retry to flash a bios (even with the same ver) does it overwrite any bad code on the bios chip?
 

if you retry to flash a bios (even with the same ver) does it overwrite any bad code on the bios chip?
My understanding is... it does not. A special portion of the UEFI bios memory has been set aside for the secure boot revocations. Once the revocations are applied they are stored in this special place. Another part of the bios chip memory is where the actual UEFI version is stored. If you update your bios version it goes to its own part of UEFI memory, having no effect on the part set aside for the revocations.

But I believe you are under the misassumption that Black Lotus inserts into the UEFI bios. It does NOT. It inserts itself into the bootloader in the EFI partition on the system drive.

If secure boot is turned off, the revocations are not applied (which means they are not stored in UEFI) and the door is open for Black Lotus to get thru to the bootloader.

If secure boot is ON, once the revocations ARE applied they are stored in this special reserved part of UEFI memory and block (or at least MS says they do) Black Lotus from getting through secure boot. Once the revocations are in this special reserved portion of the bios chip memory, they reside there forever and will always protect against black lotus if secure boot is turned on. Nothing (not even a bios update) gets rid of the revocations except replacing the chip itself (or if MS overwrites them with a future update).

If one turns OFF secure boot, the revocations never come into play, so the door is opened again for black lotus to get in.

If my understanding about this process is incorrect or too simple, please correct me.
 

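An added example (not written by any poster in this thread, and not Microsoft's tooling): the Secure Boot revocations discussed above are held in the UEFI `dbx` variable as a series of EFI_SIGNATURE_LIST records, and this Python code parses that format and reports which boot images appear on the list. The sample dbx, the owner GUID and the image digests are constructed for illustration; real SHA-256 entries are Authenticode hashes of the PE image, which the caller is assumed to have computed already.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size.
LIST_HEADER = struct.Struct("<16sIII")
OWNER_LEN = 16  # every entry starts with a SignatureOwner GUID


def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, data) for each entry in a db/dbx blob.

    Input is the raw variable data: on Linux strip the 4-byte attribute
    prefix of the efivarfs file first; on Windows use the bytes returned by
    Get-SecureBootUEFI -Name dbx.
    """
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError(f"truncated list header at offset {offset}")
        raw_type, list_size, header_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        body_len = list_size - LIST_HEADER.size - header_size
        if body_len < 0 or offset + list_size > len(blob):
            raise ValueError(f"bad list size {list_size} at offset {offset}")
        if body_len and (sig_size <= OWNER_LEN or body_len % sig_size):
            raise ValueError(f"bad signature size {sig_size} at offset {offset}")
        sig_type = uuid.UUID(bytes_le=raw_type)  # EFI GUIDs are stored mixed-endian
        start = offset + LIST_HEADER.size + header_size
        if body_len:
            for pos in range(start, start + body_len, sig_size):
                owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_LEN])
                entries.append((sig_type, owner, blob[pos + OWNER_LEN:pos + sig_size]))
        offset += list_size
    return entries


def revoked_sha256_digests(dbx):
    """Collect the 32-byte image hashes that the revocation list forbids."""
    return {data for sig_type, _, data in parse_signature_lists(dbx)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def audit_boot_images(image_digests, dbx):
    """Map each image name to True if its digest is revoked by dbx."""
    revoked = revoked_sha256_digests(dbx)
    return {name: digest in revoked for name, digest in image_digests.items()}


def build_signature_list(sig_type, owner, payloads):
    """Helper for the constructed sample: serialise one EFI_SIGNATURE_LIST."""
    body = b"".join(owner.bytes_le + payload for payload in payloads)
    header = LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body),
                              0, OWNER_LEN + len(payloads[0]))
    return header + body


# Constructed sample data, not taken from any real machine or real dbx update.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
OLD_DIGEST = hashlib.sha256(b"constructed stand-in: revoked boot manager").digest()
NEW_DIGEST = hashlib.sha256(b"constructed stand-in: current boot manager").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                         [OLD_DIGEST, hashlib.sha256(b"another revoked image").digest()])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER,
                           [b"\x30\x82constructed-not-a-real-certificate"])
)

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DBX):
        kind = "sha256" if sig_type == EFI_CERT_SHA256_GUID else "x509/other"
        print(f"{kind:10} owner={owner} {data[:8].hex()}...")
    digests = {"old bootmgfw.efi": OLD_DIGEST, "new bootmgfw.efi": NEW_DIGEST}
    for name, is_revoked in audit_boot_images(digests, SAMPLE_DBX).items():
        print(f"{name}: {'REVOKED' if is_revoked else 'not in dbx'}")
```

A revoked image is only refused at boot when Secure Boot is enabled, so an audit of a refurbished machine should record the Secure Boot state alongside this result.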
I've heard no mention of any software mitigations or malware analysis to address this topic.

It seems to be a very touchy subject for some here?

The prevalence and frequency of bios/firmware malware is not going down, it is going up.

Is this incorrect?

Surely - exploring the steps we need to take to address this is worth discussing?

Every human on this planet, especially professionals in some field - who've reached a certain age/experience - will address an issue "with what they know (or even with what they don't know - if the subject in question is tied to some religious belief - a belief they practiced most of their life - which is now being questioned for whatever reason)". That being said, if you're not getting the answers you're looking for - the fault is on you. The forum in question is dedicated to Windows 11 - be it stable or beta/testing releases. Windows is the most common Operating System but also the most user friendly - PC wise (cause for mobile phones - almost every OS is user friendly). Correction (since it's not entirely accurate) - for the past 20+ years - Windows was the most affordable user friendly Operating System - cause OSX was actually the most dumbed down Operating System - but that came with overpriced dedicated hardware - and thus, most end up choosing Windows (which was also easy to pirate in a time when most Windows users - didn't afford a license costing half their custom built PC).

The topic and subject in question (firmware infections) - is both too advanced and also rarely experienced by most Windows users - be it a basic user, advanced or professional in general sense (having the knowledge and experience to put together a system that can run Windows - while also capable to install the necessary software - where security wise most would deem the integrated AV as being enough or use a 3rd party AV - tho, the home user version). Another way to put it, it's like being infected with some unknown virus - and instead of going to a hospital that's specialized in all types of infections - you go to your local doctor, and... even get more or less pissed that the general advice and medicine you've been given are not sufficient for your type of issue (which requires specialized help).

That being said, most Windows users - if they have a firmware infection - one which is undetectable by their current home level of security... they won't know. Unless they have a high enough financial status - they probably won't even be affected. To correct myself again... at least that was the general truth up to this point, as in - A.I. might change that - might make this level of infection more accessible to petty thieves. And that's just it - up to this point - the skill to infect or exploit vulnerable firmware or UEFI - was either rather high or a risky opportunity (an employee at some major corporation or even some IT guy from a local service). Even an acquaintance could pose such danger - but these cases rarely get known. It takes some infection at a large scale - for that to reach the news. On the other hand, even tho - this is usually a professional secret - major companies do pose a larger risk - and that's where you'd find such victims (more often - at least).

So hey, you want better security - as it usually goes - that comes at premium price. As in, at least 10x or 20x but even 40x the price of a 3rd party security solution meant for home use. And to be fair, it's worth it - since the losses could be 100x or even around 10.000x that price (if not more). If you're American - Crowdstrike seems rather popular in U.S. - Here: Endpoint, Cloud & Identity Protection Products | CrowdStrike Not my field of expertise - but looking at their offers - the Pro version, despite its 10x price of $499.95 (compared to a home user AV) - doesn't seem that much different than a top tier home AV:

What you get:

Next-gen antivirus
Device control
Integrated threat intelligence
Firewall management
CrowdStrike Marketplace

Tho, Falcon Enterprise at an annual price of $924.95* - is a different story:
Unify all security tools to provide a single source of truth: next-gen antivirus, EDR, XDR (this particular feature - scans the firmware and compares it with the original - to make sure there's no tampering), managed threat hunting and integrated threat intelligence.


Fancy marketing, sure. But that's usually what it takes (again, A.I. might change that). Crowdstrike was also chosen by guys like Intel and Dell - so that too has a say in their success. There's definitely no easy step by step guide - so you either pay for it (and that's where a company like Crowdstrike - tho, you can always do some research and choose another), or learn Best Cybersecurity Courses Online with Certificates [2024] | Coursera . Supposedly, reinstalling the BIOS and Firmware on every machine - could help, but there's no one size fits all (every OEM has its own way of doing things - even if sometimes it's similar or identical). You'll have to do the research for every machine you have (with 5% - 10% of bricking a machine - and then you'll need the expertise of a real IT Guy).

Last but not least (and this is actually why it's far from ideal to choose a general Windows forum - to dabble in a subject like BIOS/Firmware tampering/infections and expect specialized responses - as if Windows and cybersecurity go hand in hand) - if you do a simple search on a site dedicated to news about this type of issue - you're sure to find an objective answer about the overall status of Firmware infections:

 

The rarest of them all are those companies that know that they got infected. It matters also because the most common types of old PCs that not only are donated to Not-for-profit organizations, but also are still worth the time and effort spent on refurbishment are types that are donated by companies. That's just because these types of donations typically consist of a whole van full (or almost) of PCs each one of which uses the same (or almost) hardware so as a result you don't have to jump through too many burning hoops to refurbish each individual PC, as this is precisely what allows them to be refurbished in bulk as much as possible. In addition to this, there also is the false assumption that these types of infections happen only rarely. New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats | Microsoft Security Blog
Worse, there is no secret about the fact that hackers frequently target unsuspecting home users who still rely on old and outdated, poor, hardware security, because these are such an easy target. The reason why advanced hackers often tend to do this is actually really simple. It's because they can then add all these infected PCs to a botnet to control them of course. Like, thousands upon thousands of 'em, to build an army of bots that enables these hackers to hide their identity behind it when they use it to attack a person who has high enough financial status, a major company, etc. Home users whose financial budget is tight also fall victim to scams like phishing attacks (and phishing attacks used in conjunction with social engineering) a lot, as these home users often don't know how to protect their privacy. Just like they often don't know why they should protect their privacy e.g. because they have many other things to worry about instead, such as the fact that they don't have the money that they could spend toward making more of their problems go away.
 

Your point is well taken.

The data is clear.

The prevalence of these types of attacks (through this attack vector) is only going up.

Now, the question is, what new practices and approaches do we need to start engaging in when refurbing/fixing/formatting + re-installing the average PC used by friends/family?

I posit that there may already be stirrings about this new reality, with certain anti malware products. Maybe it's time to bring these to prominence.

So - I'm asking.

Has anyone in the community faced firmware/bios malware in their experience? What tools/approaches did you develop to mitigate against them? What tools are out there that can be used by your average (non-enterprise) IT tech?
 

Has anyone in the community faced firmware/bios malware in their experience
No, I have not. I base my personal opinion on the threads I referenced from MS and US DOD and my understanding about how Black Lotus works and how the secure boot revocations combat letting it get in.
Based on that understanding, I am not concerned about how to deal with any system I refurb until further information is available that might change my mind.
 

There is firmware malware that exists, but again detecting it would be very difficult. As I said, I don't personally think it's on the rise for average users, I think it's been the same as it always has in number. I think governments are surely using it, and some are surely attacking other countries no doubt. But I really don't consider anything like this to affect the average user. There are studies stating it has been on the rise for companies, but most of this was router, APs and switcher firmware being attacked, not PCs.

There is not enough information out there or enough tools to even look into this seriously, so I don't think it's worth stressing about. Firmware malware is not easy to create or a common threat.

Again, AI could change this but we are talking hypotheticals here and are honestly just a bit too paranoid at this point.

An average user is more at risk from scams and phishing than any firmware attack or malware. Gullible people are where the money is, which is the motivation for almost all attacks.

Short answer, what can you do about a firmware attack?

Other than flashing the bios from the company website, disabling rollback, (which again might do nothing at all, as it can hide elsewhere) using rootkit scanners etc

Nothing.

Manufacturers would need to fix this, and pour resources into making security number one for bios and firmware. And just like router security is a giant joke, nothing will change until it's forced to.
 

{snip}
...

Firmware malware is not easy to create or a common threat.
There is compelling evidence to support the opposite. Older hardware is more vulnerable exactly because its firmware is relatively easy to attack especially when phishing and/or social engineering tactics can also relatively easily be embedded in the attack plan.
Again, AI could change this but we are talking hypotheticals here and are honestly just a bit too paranoid at this point.
Again, there is compelling evidence to support the opposite. Telling people that they are too paranoid inevitably only benefits the aforementioned social engineering tactics. It's unethical especially in light of all the substantial evidence that has been piling up, and has been piling up rapidly in recent years. Security is not based on assumption. Rather, it is based on discipline, effort and knowledge of what the risks are, understanding the risks, and knowing what can be done to mitigate them correctly and effectively.
An average user is more at risk from scams and phishing than any firmware attack or malware. Gullible people are where the money is, which is the motivation for almost all attacks.
Again, an average user is subjected to the non-negligible risk of falling victim to experienced hackers whose strategies revolve around the (trivial) notion that "low hanging fruit" can, in massive quantities especially, be abused as a weapon in an attack against a much more lucrative target.
Short answer, what can you do about a firmware attack?

Other than flashing the bios from the company website, disabling rollback, (which again might do nothing at all, as it can hide elsewhere) using rootkit scanners etc

Nothing.
That's the key to understanding why I love my shelf.
Manufacturers would need to fix this, and pour resources into making security number one for bios and firmware. And just like router security is a giant joke, nothing will change until it's forced to.
Be my guest and tell it to the manufacturers.
 

Again, there is compelling evidence to support the opposite. Telling people that they are too paranoid inevitably only benefits the aforementioned social engineering tactics. It's unethical especially in light of all the substantial evidence that has been piling up, and has been piling up rapidly in recent years. Security is not based on assumption. Rather, it is based on discipline, effort and knowledge of what the risks are, understanding the risks, and knowing what can be done to mitigate them correctly and effectively.

Again, an average user is subjected to the non-negligible risk of falling victim to experienced hackers whose strategies revolve around the (trivial) notion that "low hanging fruit" can, in massive quantities especially, be abused as a weapon in an attack against a much more lucrative target.

That's the key to understanding why I love my shelf.

Be my guest and tell it to the manufacturers.
What evidence? Do you have actual legit sources on PC based firmware attacks being on the rise? Security researchers are finding flaws and vulnerabilities all the time, but I am not seeing giant widespread threats where regular consumers were impacted. Just fear mongering articles? Are there whitepapers I can read where this actually happened on a large scale and millions were affected/infected? That would be interesting. I am not an expert at all on this subject but nothing I am seeing is a cause for concern.

I say this because there are articles all the time posted incorrectly stating that (as an example) 3 million toothbrushes were used to create a botnet and other things that were hypotheticals that didn't actually happen. But it gets clicks.

And even if the average user is somehow aware of it, (which is hilarious, have you met average users?) what could they possibly do about it?

There are no proper tools to detect or know about firmware attacks. You are literally worried about something you can do absolutely nothing about. So even if you're right, and PC firmware is being affected all over the place, there is nothing we can do about it. You need tools and software to detect these things, and right now those do not exist. The whole point of a firmware attack is it's silent, and you wouldn't know.

Motherboard manufacturers would also have to write these tools for each computer model, because they need to offer a way to verify the keys they themselves created. They would also need to secure their firmware and lock things down better, and that is extremely unlikely to happen unless something significant happens that affects their bottom line. The software/firmware just like consumer routers is made as cheaply as possible. The amount of bugs and other security issues in the firmware for networking equipment is substantial. This usually doesn't matter for PCs as they have the signed firmware for the bios which protects from being overwritten by things not made by the manufacturer. Whereas most routers and network equipment don't verify the firmware being flashed. Some do, but not all. Most ISPs all use a router and modem combo unit that is a specific type, which is much more likely to be firmware targeted as it's the same across all their customers. And it's much better than a pc firmware attack.

The thing is there are so many motherboard configurations out there. Firmware attacks would have to be created for certain computer models, which again, is why most firmware attacks are attacking Cisco products and other networking equipment as this is more interesting and profitable vs computer firmware. And is perfect for spying on the entire network. You don't need to hack pc firmware if you can see everything being transferred from within the network. High targets are going to be companies that are using certain vulnerable networking equipment as it's easier to exploit and is much more valuable than creating some kind of pc firmware botnet.

Heck usb firmware is hackable, ssd firmware, webcams firmware, cell phones, etc, everything is hackable. Doesn't mean it's happening on a large scale basis. And even when it is? Nothing you can do except the manufacturer has to fix it. And even if they fix it, is the update automatic? Probably not. Would the average consumer know? Of course not. Is there a tool released to see if yours is infected? Most likely no.

As I said, it would take effort on the manufacturers and other companies and that won't happen unless their bottom line is affected or government oversight steps in. If it's an ongoing threat on a massive scale and it affects money, it will be looked into more. But as of now, there is nothing you or anyone else can do about it.

That's what the thread starter asked. What can be done about it? The answer is nothing.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell G15 5525
    CPU
    Ryzen 7 6800H
    Memory
    32 GB DDR5 4800mhz
    Graphics Card(s)
    RTX 3050 4GB Vram
    Screen Resolution
    1920 x 1080
    Hard Drives
    2TB Solidigm™ P41 Plus nvme
    Internet Speed
    800mbps down, 20 up
  • Operating System
    Windows 11
    Computer type
    Tablet
    Manufacturer/Model
    Lenovo ideapad flex 14API 2 in 1
    CPU
    Ryzen 5 3500u
    Motherboard
    LENOVO LNVNB161216 (FP5)
    Memory
    12GB DDR4
    Graphics card(s)
    AMD Radeon Vega 8 Graphics
    Hard Drives
    256 GB Samsung ssd nvme
So, to summarize your retort, you simply failed to read the article.
 

So, a question raised by the above, shows there is guidance available, and that it is being provided (so there must be a reason).

I think it is legitimate to begin opening up this topic.
There is guidance, but my references in my post relate (right now) strictly to MS dealing with Black Lotus as it affects the bootloader. In my pitiful understanding, BL is just the tip of the iceberg of what all is in the wild and has been in the wild for quite some time. New sophisticated infections are being developed every day on the dark web as we speak, and it seems the major target these days for doing the most damage involves firmware entry, whether that be network, machine, or peripheral firmware.

I do agree with what someone else posted that consumer systems are not the main target of these players. The main target of these "bad guys" is the big boys where the most damage can be done. Of course, that's not to say it can't or won't happen to any of us. We have seen a few posts that hinted their network may have been infected through their router's back door resulting in every system on their network becoming inoperable. Maybe it was. Maybe it wasn't. We have no way of knowing it's 100% fact.

This brings us back to your original question. How would the community address this type of risk/threat? Yes, it's a legitimate conversation to have.
But most folks here are end users just like you, doing the best we can to get any level of understanding at all. If we rebuild a system, we are floundering in our knowledge of dealing with the possibility of these threats just like you.
So to ask "What can we do" on a forum like this one won't give you much concrete information, if any.
Any mitigation of this developing problem is going to require attention at the highest level from "the good guys" just as @hdmi so eloquently stated. (Good post there @hdmi) Right now it is far out of the control of the end user.

As refurbers, we can either go on in our refurbing taking every precaution available to us or we can close up shop. Presently, it's as simple as that IMO.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3447
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
So, to summarize your retort, you simply failed to read the article.
I meant no disrespect, I am just trying to find this evidence that the average user needs to worry about their PC firmware getting exploited constantly out in the wild. The link is broken....and again I'm asking for showing that it's being exploited on a wild scale, not just vulnerabilities that were identified, I have seen articles showing vulnerabilities found, but nothing being constantly exploited.


When I search the title the article is still broken on the Microsoft website. I found other articles referencing that the report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years. But that firmware attack.......was networking equipment..


I also still say, what can the average user do as that was the original question. I am not seeing any tools or anything to scan or find these threats.

As @glasskuter says:

Right now it is far out of the control of the end user.

That is mainly what I have been saying. You can worry about anything and everything, but if there is not much you can do on your end I don't see the reason to think about it. I would worry much more whether your router or networking equipment is infected before I would worry about any old regular PC user firmware being infected.

We have seen phones from both Apple and Android getting firmware hacked and things of this nature. Does that mean the average user needs to worry about their phone firmware being hacked? No.


Edit:

It also might be a misunderstanding on my part or me not explaining my stance correctly. When you are saying firmware attacks are on the rise, and we are talking about in the context of the original post, I am speaking on the firmware attacks on the rise of the average user for the average PC, which these refurbished machines are being used for and given to. Which is why I have been saying about attacks being mainly focused on the big companies, because they are. But I am still on the stance of it being more on the networking side, and less on the pc bios/firmware side. I have yet to see any contrary to that.

Both consumer routers and corporate switches, routers, access points etc are a far more lucrative target still imho as it is way easier to target and infect than a regular PC. PCs get constant automatic updates, most routers (especially home user ones) rarely do or only get supported for a few years and then dropped.
 

For me, the Microsoft.com link still works. From it:

Firmware provides fertile ground to plant malicious code

Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime below the kernel. And attackers have noticed.

If that’s not enough, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has shown more than a five-fold increase in attacks against firmware in the last four years, and attackers have used this time to further refine their techniques and get ahead of software-only protections.

Yet the Security Signals study shows that awareness of this threat is lagging across industries. Even with this onslaught of firmware attacks, the study shows that SDMs believe software is three times as likely to pose a security threat versus firmware.

“There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.” – Azim Shafqat, Partner at ISG and Former Managing VP at Gartner

The OS Kernel is an emerging gap in defense

A look at respondents’ investments bears out this disparity. Hardware-based security features such as Kernel data protection (KDP), or memory encryption, which blocks malware or malicious threat actors from corrupting the operating system’s kernel memory or from reading it at runtime, is a leading indicator of preparedness against sophisticated kernel-level attacks. Security Signals found that only 36% of businesses invest in hardware-based memory encryption and less than half (46%) are investing in hardware-based kernel protections.

Security Signals also found that security teams are too focused on outdated “protect and detect” models of security and are not spending enough time on strategic work — only 39% of security teams’ time is spent on prevention and they don’t see that changing in the next two years. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model.

Physical attacks using hardware

In addition to firmware attacks, respondents identified concerns with attack vectors exposed by hardware. The recent ThunderSpy attack targeted Thunderbolt ports, leveraging direct memory access (DMA) functionality to compromise devices via hardware access to the Thunderbolt controller. Another flaw, this one unpatchable, was found in the T2 security chip used in many common consumer devices. Other major firmware attacks in the last year included the RobbinHood, Uburos, Derusbi, Sauron and GrayFish attacks that exploited driver vulnerabilities.

So, this isn't just about vulnerabilities, as these are real attacks that actually did happen (with the exception of ThunderSpy, which was a theoretical attack). As for the T2 chip and the unpatchable security flaw that it has, it can be found in all these computers: Apple T2 - Wikipedia

Also note that Uburos is misspelled, its correct name is Uroburos (aka "Snake"). It is direct evidence of the fact that firmware implants can, and do, go very far beyond ultimate high-valued targets. And no, this isn't just about network equipment, either. Rather, it's about numerous computers: Hunting Russian Intelligence “Snake” Malware | CISA

I should add that, just because Microsoft started selling expensive "Secured-Core" Windows PCs (which they obviously promote in the article, lol) doesn't also mean that this trend of "more than a five-fold increase in attacks against firmware in the last four years" has been slowing down since the article was published by Microsoft, and, BTW, by the end of this month the article will be 3 years old. Speaking of "old", refurbished old PCs that were donated are almost always too old to still get "constant automatic updates". Most companies who "donate" PCs to Not-for-profit organizations who refurbish old PCs are smart enough to know that the only type of old PCs worth "donating" are ones that should be stripped down and recycled as opposed to are still worth being refurbished. The reason why I know it too is not because I think I am the smartest or anything like that. Rather, like I said in my first reply to this thread, I actually worked at such a Not-for-profit organization for a little while. Like, just about long enough to figure this out.

Further, as an aside, I'll also add that I am a trained Java Enterprise (Jakarta EE) software developer. Even though I am not a security expert, Java technology has always been built on security. (And before anyone should ask, no, I never used Log4j, as I actually never did trust it... lol) Google recently announced that they are finally moving away from C++ toward Java and Rust. But like I already tried to explain, Java isn't just a programming language. There aren't too many people out there who understand this fact. But all the largest companies in the world understand it pretty well. Just like they also understand security pretty well. My point here being, that I work for companies that understand it pretty well. So, I think I understand the basics. You don't have to believe me of course. I mean, why should you trust me, right? After all, just because you're paranoid, doesn't mean they're not after you. That was my point. 😀
 
For me, the Microsoft.com link still works. From it:
Apparently the site was having issues when I clicked it, it works now. Extremely interesting article, I must have read your post when it wasn't in there because I don't recall seeing that link originally. And earlier today when you referenced it was not loading. So yes, I didn't read the article :)

“There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.” – Azim Shafqat, Partner at ISG and Former Managing VP at Gartner
That is a very harsh and surprising statement to me. Unless this in context was to mean any firmware attack, then this makes sense. In government I am certainly positive this is true.

So, this isn't just about vulnerabilities, as these are real attacks that actually did happen (with the exception of ThunderSpy, which was a theoretical attack). As for the T2 chip and the unpatchable security flaw that it has, it can be found in all these computers: Apple T2 - Wikipedia

Also note that Uburos is misspelled, its correct name is Uroburos (aka "Snake"). It is direct evidence of the fact that firmware implants can, and do, go very far beyond ultimate high-valued targets. And no, this isn't just about network equipment, either. Rather, it's about numerous computers: Hunting Russian Intelligence “Snake” Malware | CISA
All those Macs with the T2 is definitely interesting. I still think anyone owning the 2020 version, while flawed would not need to run out and buy a new machine. Every machine is going to have a million vulnerabilities. However, it is concerning that it cannot be patched.

The snake malware was incredibly interesting to read! Thanks for that link. Who knew my government would post such interesting things there.

Speaking of "old", refurbished old PCs that were donated are almost always too old to still get "constant automatic updates". Most companies who "donate" PCs to Not-for-profit organizations who refurbish old PCs are smart enough to know that the only type of old PCs worth "donating" are ones that should be stripped down and recycled as opposed to are still worth being refurbished.
At any company I have worked at, they always use the 4 year lifecycle. Even after that time I have personally seen firmware updates still rolling out and of course being able to run a modern version of Windows which gets security updates. Even more so now, with a machine that runs Win 10 is almost guaranteed to run Win 11 without issue. Again, nothing is bulletproof but I don't feel like it's in dire states to hand off something only 4 years old to someone else. But you're in Belgium so maybe it's different there.

Java Enterprise (Jakarta EE) software developer
That's pretty fancy and way over my head. So congrats on that. So are there tools to detect these pc firmware attacks? Is there a way to even know?

My point here being, that I work for companies that understand it pretty well. So, I think I understand the basics. You don't have to believe me of course. I mean, why should you trust me, right? After all, just because you're paranoid, doesn't mean they're not after you. That was my point.
I am not paranoid at all. I think you meant to say just because I'm not paranoid doesn't mean they are not after me. I am still not convinced, and don't think average PCs' firmware are prime targets when old outdated mini PCs (routers) are sitting there plump for the taking, and are way better at being used for botnets and the like. Especially because internet providers use the same models, and are so much easier to take control over without the user noticing anything at all. The attacks on router firmware and all of that has always been extremely bad, because most routers are swiss cheese and have holes everywhere. Pretty much every router firmware that exists on the consumer level can be taken over in seconds. I think that is a way more prevalent threat. What's funny though, is despite how many holes and how bad those are, we still have seen only a few botnets and the like. But nothing earth shattering or life altering.

But anyways, at this point I do agree now that it does seem PC firmware attacks are on the rise, (based on what you shared) but so far in a lot of the research I have read the "in the wild" that has been found has been attacking people of high importance, executives, journalists, CEOs etc. Those were the people referenced in most papers shown to be attacked or affected. Sure that could change, especially as more and more business PCs harden their firmware and BIOS and everything else. Maybe once that happens more focus will be on the little guys.

Now, the question is, what new practices and approaches do need to start engaging in when refurbing/fixing/formatting + re-installing the average PC used by friends/family?
Has anyone in the community faced firmware/bios malware in their experience. What tools/approaches did you develop to mitigate against them. What tools are out there that can be used by your average (non-enterprise) IT tech?

From what I understand, there are no tools, at least none that I can find. I am not finding anything that answers your original questions. If PC firmware attacks are on the rise, (and I am convinced they are now, but I still feel it's the big companies and not the average joe. Targeted) there isn't much you can do. I don't see anything out there to combat the issue other than companies needing to patch their firmware on a regular basis. Which just isn't going to happen with how many machine models are out there. It's not realistic. Same issue with network equipment.

You can only do so much about security on your part. Rest is up to the companies that make it. But I don't think it's worth losing sleep over.

Anyway, this has been an interesting thread to say the least. Hopefully firmware attacks on pc will be the least of our problems. I just want networking equipment to get its act together and for consumer routers to stop being so junk.
 
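On the refurbishing question quoted in the post above, an added example (not written by any participant in this thread): a PowerShell intake check that records firmware version and age, Secure Boot state and TPM state for one machine. It reports posture only and does not detect firmware implants; the four-year threshold (borrowed from the lifecycle mentioned in the thread) and the CSV file name are assumptions.

```powershell
# Added example: firmware posture report for one refurbished Windows PC.
# Run in an elevated PowerShell prompt. It records settings and firmware age;
# it does NOT detect firmware implants.

# Assumption: firmware older than this is flagged for a manual vendor check.
$MaxFirmwareAgeYears = 4

function Get-FirmwarePosture {
    $bios     = Get-CimInstance -ClassName Win32_BIOS
    $system   = Get-CimInstance -ClassName Win32_ComputerSystem
    $findings = @()

    # Firmware age from the SMBIOS release date (can be missing on some boards).
    $ageYears = $null
    if ($bios.ReleaseDate) {
        $ageYears = [math]::Round(((Get-Date) - $bios.ReleaseDate).TotalDays / 365.25, 1)
        if ($ageYears -gt $MaxFirmwareAgeYears) {
            $findings += "Firmware is $ageYears years old: check the vendor site for a newer release"
        }
    } else {
        $findings += 'Firmware release date not reported'
    }

    # Confirm-SecureBootUEFI returns True/False on UEFI systems and throws when
    # the machine booted in legacy BIOS mode or the prompt is not elevated.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = "Unavailable: $($_.Exception.Message)"
    }
    if ($secureBoot -ne 'Enabled') {
        $findings += "Secure Boot is not enabled ($secureBoot)"
    }

    # Get-Tpm needs elevation; a failure is recorded as unknown, not as absent.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmState = if (-not $tpm.TpmPresent) { 'Absent' }
                    elseif ($tpm.TpmReady)    { 'Present, ready' }
                    else                      { 'Present, not ready' }
    } catch {
        $tpmState = 'Unknown'
    }
    if ($tpmState -ne 'Present, ready') {
        $findings += "TPM: $tpmState"
    }

    [pscustomobject]@{
        Manufacturer     = $system.Manufacturer
        Model            = $system.Model
        SerialNumber     = $bios.SerialNumber
        BiosVersion      = $bios.SMBIOSBIOSVersion
        BiosReleaseDate  = $bios.ReleaseDate
        FirmwareAgeYears = $ageYears
        SecureBoot       = $secureBoot
        Tpm              = $tpmState
        Findings         = ($findings -join '; ')
    }
}

# Show the result and append it to a running intake sheet (hypothetical file name).
$report = Get-FirmwarePosture
$report | Format-List
$report | Export-Csv -Path .\refurb-intake.csv -Append -NoTypeInformation
```

A non-empty Findings column marks a machine for a manual look at the vendor's support page before it goes back out.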
At any company I have worked at, they always use the 4 year lifecycle. Even after that time I have personally seen firmware updates still rolling out and of course being able to run a modern version of windows which gets security updates. Even more so now, with a machine that runs Win 10 is almost guaranteed to run win 11 without issue.
One important problem is that, with only very few exceptions, the companies that donate their PCs don't usually donate them immediately after this lifecycle has ended. Instead, they'll usually just wait until after the firmware update support period has also ended, which is when they'll wait another year or possibly longer before finally, at very long last, they make the decision to let you "refurbish" the PCs by throwing them in the dumpster to be recycled because, by that time, they're actually no longer even worth the cost of transportation plus work. In fact you should consider yourself lucky if you don't return with an almost empty van and they didn't lie to you about the specs and/or numbers like how many PCs they have for you that meet these specs and the condition that these PCs are in. My grandmother used to always complain about those who came to her door to ask for donations. They always talk about "giving", she said. To which she then added, "Our cow once died of giving."
So are there tools to detect these pc firmware attacks? Is there a way to even know?
Of course, but for the average consumer the options are rather limited (or pretty much nonexistent, especially if you are on a very tight financial budget), and, as the Microsoft article also states, companies that know that they experienced a firmware attack will typically invest more heavily in prevention instead. Sauron was a good example of why detection, even though it still has its merits nevertheless, is going to be a far distance away from being enough. A spy software called “Sauron” that hit Belgium uncovered

The software is thought to have been installed in June 2011. It could not be detected earlier as it can adapt its form to the network it is attacking (the files it uses to install itself can have different names and be different sizes). Most spy software cannot do this, which is why it was not found until now.

Looks like it took 5 whole years to find him. Hope it doesn't happen.
I am not paranoid at all. I think you meant to say just because i'm not paranoid doesn't mean they are not after me.
I was quoting from the satirical novel "Catch-22" by Joseph Heller.
I am still not convinced, and don't think average pc's firmware are prime targets when old outdated mini pc's (routers) are sitting there plump for the taking, and are way better at being used for botnets and the like. Especially because internet providers use the same models, and are so much easier to take control over without the user noticing anything at all. The attacks on router firmware and all of that has always been extremely bad, because most routers are swiss cheese and have holes everywhere. Pretty much every router firmware that exists on the consumer level can be taken over in seconds. I think that is a way more prevalent threat. Whats funny though, is despite how many holes and how bad those are, we still have seen only a few botnets and the like. But nothing earth shattering or life altering.
A lot of old PCs are also sitting there plump for the taking. Like I earlier said, companies also use the same or very similar PC models, and Not-for-profit organizations that refurbish old PCs that were donated by these companies don't very often want to spend the extra effort and time it usually takes for them to refurbish numerous different PC models of various types. As these donated PCs are so old and outdated, these refurbishers are forced to cut down the cost of refurbishment. So, they need to refurbish these old PCs in bulk always when possible, which they cannot do if they need to follow different steps on each different PC constantly. That's the general rule. I know from experience that there aren't too many exceptions to this, as they simply can't afford to do it any other way, or at least not for very long.

These very old PCs are also swiss cheese and also have holes everywhere. Again, the vast majority of companies who want to donate them don't want to donate them before these old PCs are more akin to grated swiss cheese than they are akin to swiss cheese. They also can be taken over in seconds. The only real reason why you haven't seen more botnets is because they are purposely designed to be invisible. Worse, if you try to convince your average consumer PC hardware manufacturer to care about that which is invisible, then they'll say you're just worrying about ghosts. If it's from Apple, their fanboys will confirm that that's what you're worrying about. If or when it becomes visible after all (which happens only rarely, because it's still designed to be invisible), then they'll say hey look, we're so sorry to hear that, but if you buy our newest products, which are definitely so much better and safer than our previous models, we promise it will never happen again. Next thing you know, it's just rinse and repeat. So yeah, as an average consumer whose budget is tight, you can't really do anything much against that. You'll just have to live with the fact that newer hardware choices often do have newer security features that could help to make it safer. Also, install all the latest updates as soon as they are made available, and hope for the best. You could argue against Microsoft killing old hardware support in Windows 11 far too soon because obviously they are in bed with the hardware manufacturers and all that jazz, but I'll still disagree with those who keep claiming that Microsoft's decision to end support is entirely unjustified or that security has got absolutely nothing to do with it.

However, people shouldn't forget the OS and software security part of the equation. I know that Sandboxie-Plus is not a very popular topic on here, but I use it alongside Windows Defender. I don't install anything nor run anything I don't want to trust outside the sandbox. Firefox Portable never runs outside the sandbox excepting only to update it or to install/update/remove (trusted) addons or to make changes to its settings. If I download a file with Firefox Portable, I use the Quick Recover option of Sandboxie-Plus to migrate the file out of the sandbox. I install all Windows updates, also including Preview Cumulative Updates as soon as they become available in Windows Update, and I use Intel Driver and Support Assistant to get notified when new Intel driver updates are available. I also check for other new available updates regularly.

As for the router firmware, I use an Asus RT-AX92U 2-Pack. AFAIK that one remained unaffected by the firmware vulnerabilities that caught the news last year. Asus has a phone app that notifies me when a new firmware update is available, and Asus has a list of things that can be done to make Asus wireless routers more secure. [Wireless] How to make my router more secure? | Official Support | ASUS Global
But anyways, at this point I do agree now that it does seem PC firmware attacks are on the rise (based on what you shared), but so far in a lot of the research I have read, the "in the wild" that has been found has been attacking people of high importance: executives, journalists, CEOs, etc. Those were the people referenced in most papers shown to be attacked or affected. Sure, that could change, especially as more and more business PCs harden their firmware and BIOS and everything else. Maybe once that happens more focus will be on the little guys.
Again, the attackers rely on invisible botnets consisting of numerous infected computers that belong to people of low "importance". These invisible botnets are what the attackers use in their attacks when they target people of high "importance". Invisible, i.e., they aren't reported simply because they remain undetected.
From what I understand, there are no tools, at least none that I can find. I am not finding anything that answers your original questions. If PC firmware attacks are on the rise (and I am convinced they are now, but I still feel it's the big companies and not the average joe. Targeted), there isn't much you can do. I don't see anything out there to combat the issue other than companies needing to patch their firmware on a regular basis. Which just isn't going to happen with how many machine models are out there. It's not realistic. Same issue with network equipment.

You can only do so much about security on your part. Rest is up to the companies that make it. But I don't think it's worth losing sleep over.
Worth losing sleep over? No. Worth retiring old hardware that's got nothing but problems? Definitely yes. E-waste is e-waste. Maybe the computer museum could still use some of the stuff.
 

Moving on from "Refurbished".

Are we sure there are no consumer grade tools to address this area-of-concern?

Surely ESET being one of the clarion calls on this topic showed there was (and is) a need for such tools in the consumer arena?

Is it possible anti-malware vendors have got tools to address some of these topics, but that they are not widely known about?
 

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    Manufacturer/Model
    Hp Pavillion Desktop
