Firmware / Bios Malware & Refurbished PC's

andrew129260 · Mar 11, 2024

hdmi said:
One important problem is that, with only very few exceptions, the companies that donate their PCs don't usually donate them immediately after this lifecycle has ended. Instead, they'll usually just wait until after the firmware update support period has also ended, which is when they'll wait another year or possibly longer before finally, at very long last, they make the decision to let you "refurbish" the PCs by throwing them in the dumpster to be recycled becuase, by that time, they're actually no longer even worth the cost of transportation plus work. In fact you should consider yourself lucky if you don't return with an almost empty van and they didn't lie to you about the specs and/or numbers like how many PCs they have for you that meet these specs and the condition that these PCs are in. My grandmother used to always complain about those who came to her door to ask for donations. They always talk about "giving", she said. To which she then added, "Our cow once died of giving."

That can certainly be true, as for me personally that has not been my experience in the places I work. We give it up immediately after the machines are replaced. It doesn't sit long waiting to be collected by a recycle company. I like the cow quote.

hdmi said:
As for the router firmware, I use an Asus RT-AX92U 2-Pack. AFAIK that one remained unaffected by the firmware vulnerabilities that caught the news last year.

Yes the few that we know about your router doesn't seem to be included in those, but your router only gets a 2 star security rating out of 4 from the csa. It will also stop receiving updates soon. Here is how the rating system works.

Also, I would look here for ways to best secure your router. (I'm sure you know all these but could be helpful) Though the Asus article is semi decent. Although bugs in the firmware usually makes these pointless but it's better than nothing. Windows still gets security updates on older machines. Routers barely do and the update support ends quickly. If it does get updates, they are not guaranteed to automatically apply & update. Windows is built much stronger on security vs router firmware. This long list of router bugs proves that security is not the focus and the routers firmware is made as cheaply as possible. Networking equipment has way more vulnerabilities and concerns than pc firmware. Routers are always on, always connected, and always vulnerable. PC's can be powered off, or not connected to the internet at all times. Routers are everywhere - always on and always connected waiting to be infected. Network equipment that is comprised owns the entire network. Can see all traffic, can completely see everything the machine is doing, and can deliver payloads to the machines that are connected to it. (such as pc firmware attacks, like maybe when the pc goes to update the bios and reaches out for that update) Cell tower routers are even more of a concern. Here is even more reasons why routers are awful with security.

I want there to be fewer router models and more focus on firmware security on these, as I still feel these are the greater threat and concern. I mean everything is a concern, but network firmware worries me the most. PC firmware attacks are concerning too of course.
There isn't anything we can do so far, so I try to just go for routers that do get high marks in the security community. Asus routers that do get high marks though, like the RT-AX58U AX3000. But the bugs are still so prevalent in the asus firmware. I love their interface though. I am starting to look into enterprise routers and buying them for the home since the software is much better and less prone to issues.

hdmi said:
Again, the attackers rely on invisible botnets consisting of numerous infected computers that belong to people of low "importance". These invisible botnets are what the attackers use in their attacks when they target people of high "importance". Invisible, i.e., they aren't reported simply because they remain undetected.

Sure, that is also possible.

hdmi said:
However, people shouldn't forget the OS and software security part of the equation. I know that Sandboxie-Plus is not a very popular topic on here, but I use it alongside Windows Defender. I don't install anything nor run anything I don't want to trust outside the sandbox. Firefox Portable never runs outside the sandbox excepting only to update it or to install/update/remove (trusted) addons or to make changes to its settings. If I download a file with Firefox Portable, I use the Quick Recover option of Sandboxie-Plus to migrate the file out of the sandbox. I install all Windows updates, also including Preview Cumulative Updates as soon as they become available in Windows Update, and I use Intel Driver and Support Assistant to get notified when new Intel driver updates are available. I also check for other new available updates regularly.

Yeah, I use vmware player for testing anything new. Or virustotal's behaviors pattern. Windows sandbox is also pretty decent.

KingDing said:
Moving on from "Refurbished".

Are we sure there are no consumer grade tools to address this area-of-concern?

None that I can find. Have you found anything? Maybe you can ask one of these security podcasts to see if they know. I am not seeing anything that exists for this, same with network equipment. There is no firmware scanner for anything in a broad sense. Just some infections that governments made tools for to scan with. But they were only for specific things, and by the time the tool came out, the infected firmware was abandoned and replaced with a new threat or modification that makes the tool useless.

If anyone has any tools or knowledge of anything coming in the firmware attack space for any device to scan for these threats, I would definitely be interested in hearing about it.

hdmi · Mar 12, 2024

@andrew129260
I can't help but find it ironic that the RT-AX58U, in spite of the fact that it scores 4 stars on that list you linked, was not exempt from last year's critical Asus wireless router firmware vulnerabilities, i.e. in shrill contrast to my "lowly" (2 stars) RT-AX92U 2-Pack. Maybe it's because the cosmetic look of the RT-AX92U is from the Star Wars movie.

Either way, I use it in AiMesh 2.0 Access Point (AP) mode, not in AiMesh 2.0 router mode, and, the backhaul option that I use with this specific WiFi mesh system from Asus is the wired (Ethernet) option. The routersecurity.org checklist that you linked is indeed useful, but yes, I already knew them. As for the firmware bugs, each time when I talk about the RT-AX92U 2-Pack, I almost always mention that these bugs used to be rather severe, and took considerable time to be fixed by Asus after this product was launched by them in 2019. That plus the hefty price premium explain why I had delayed my purchase until both of these two initial dealbreakers had finally disappeared. I use a separate router in conjunction with it so, I'm not too worried about the update support being ended a little bit sooner than what one could perhaps consider to be more ideal.

About running a VM and Windows Sandbox, on my Windows laptop I use neither. First off, even though it certainly is possible to set up a VM in such a specific way that it can be used to add an extra layer of hardened security (i.e. by adding the general concept of secured isolation to the "main recipe" of what a VM is typically about), this is not the main intended purpose of a VM. Secondly, Windows Sandbox is still extremely limited, as it does not have many usability features to say the least. So, it isn't a flexible solution at all, especially when compared to all that can be achieved with Sandboxie-Plus, a free open source isolation software that is actively maintained on GitHub.

hdmi · Mar 12, 2024

andrew129260 said:
If anyone has any tools or knowledge of anything coming in the firmware attack space for any device to scan for these threats, I would definitely be interested in hearing about it.

GitHub - e-m-b-a/embark: EMBArk - The firmware security scanning environment

EMBArk - The firmware security scanning environment - e-m-b-a/embark

github.com

andrew129260 · Mar 12, 2024

hdmi said:
@andrew129260
I can't help but find it ironic that the RT-AX58U, in spite of the fact that it scores 4 stars on that list you linked, was not exempt from last year's critical Asus wireless router firmware vulnerabilities, i.e. in shrill contrast to my "lowly" (2 stars) RT-AX92U 2-Pack. Maybe it's because the cosmetic look of the RT-AX92U is from the Star Wars movie. Either way, I use it in AiMesh 2.0 Access Point (AP) mode, not in AiMesh 2.0 router mode, and, the backhaul option that I use with this specific WiFi mesh system from Asus is the wired (Ethernet) option.

haha maybe. :wink:

I did mention:

andrew129260 said:
Asus routers that do get high marks though, like the RT-AX58U AX3000. But the bugs are still so prevalent in the asus firmware.

But yeah the 4 stars indicated it passed structured penetration tests by approved third-party test labs. But again, if the firmware is flawed, which asus has many flaws just like many other router manufacturers, it means nothing. Just like yours it was updated. But I'm sure other bugs are waiting to be found, Just the way it goes. Interesting, didn't know you had it set up that way. I'm looking at getting the B one from peplink due to the lack of firmware breaches compared to other products.

hdmi said:
GitHub - e-m-b-a/embark: EMBArk - The firmware security scanning environment

EMBArk - The firmware security scanning environment - e-m-b-a/embark

github.com

Interesting, thanks. Will take a look. I recently heard of hybrid analysis as well for scanning behaviors of an installer or app. Pretty cool. Now that I looked up Sandboxie I remembered using this a super long time ago, back in the windows XP days to look at software. That took me back.

hdmi · Mar 12, 2024

andrew129260 said:
But again, if the firmware is flawed, which asus has many flaws just like many other router manufacturers, it means nothing. Just like yours it was updated. But I'm sure other bugs are waiting to be found, Just the way it goes.

This made me think Asus should maybe consider to make a 2-Pack "Roasted Porg Edition".

KingDing · Mar 17, 2024

I'm being left with the impression, that firmware malware is a big blind spot. That the average (even if competent) system repairer/rebuilder and IT tech - has little hope of addressing or remedying such situations.

Is this really the final conclusion to draw on?

Try3 · Mar 17, 2024

Yes.

Denis

bikemanI7 · Mar 17, 2024

I check for Any and all system updates regularly---Reboot Comcast XB8 gateway Modem *Have to Rent since upstairs TV only can have Wireless TV Box*, as No coax at all upstairs in Townhome/Renting this as well* weekly to make sure it gets it updates if there is any.

Check for updated UEFI BIos, Update security software immediately, apply all Windows Updates immediately--including Preview updates **always update system image before i do the updates typically**

And Update all 3rd party apps, Games, and as much as i can

And if i ever purchased a Refurbed or Used Computer i'd do the following steps

For any safety would check from Main PC for any updated UEFI Bios, Drivers, create the flash drives as needed on Main PC--as well as Create a Windows Media USB if needed on Main PC.

Check for any UEfi bios updates for motherboard, if there is one, update it immediately
*then make sure secure boot enabled, TPM enabled (if equipped)*
Clean Install Windows onto a Fresh Drive--hopefully M.2 that i typically use about 500GB for Boot drive
Remove Secondary drive if one was present and use that for Picture, Video and Music Storage, (install a New Minimum 2TB 7200RPM drive as Secondary Storage
Install my preferred Malwarebytes Premium as secondary security, and Make Sure Defender all set
Do a New System Image with Macrium Reflect Home 8.1

Then start enjoying system after all the maintenance tasks done

Kinda paranoid on making sure everything up to date, always have been

Then i'd be updating the System Image weekly or Monthly depending on use case

Then use the system for webbrowsing, backup gaming system (if specs allow it), and in general enjoy system

Try3 · Mar 17, 2024

So what you're saying is, like the rest of us, you would not look for any firmware malware and you do not have any tools that would enable you to do so.

Denis

bikemanI7 · Mar 17, 2024

Sadly i don't have any tools that would allow looking for Firmware Malware.

But i would hopefully think it was clean after the clean install, and new Drives

((though years ago i did have Firmware Malware i think on my older AMD Athlon XP 2500+ system as in 2005 there it kept crashing with blue screens, took it back to the shop 5 times, when finally they said its gotta be Bios or Firmware malware (idiot me infected it myself when testing Windows Live Onecare--listened to an Online friend in Palace Chat and opened a site to get some Malware to Test Windows Live Onecare, and idiot me opened the files, and Onecare could not clean it. I ran Norton Powereraser back then, had Shop run bunch of tools.

In the end ended up with All Replacement Parts that was lower spec, but at the time just wanted it to work--kept that system til upgraded again to AMD Socket 939 based Motherboard

Try3 · Mar 17, 2024

bikemanI7 said:
i would hopefully think it was clean after the clean install, and new Drives

No, none of those actions would affect any firmware malware.

Denis

bikemanI7 · Mar 17, 2024

Try3 said:
No, none of those actions would affect any firmware malware.

Denis

Ohh maybe that is why I could get that old system clean fully. Maybe that is why Shop replaced Motherboard in 2005 there with a brand new Gigabyte Board, AMD Sempron Processor, 4 to 8GB of Ram at the time (whichever was the highest then) Radeon 9600XT, 2 New Seagate Hard drives, then one of them died a few months later, replaced with Western Digital then)... Then crashing stopped, and system seemed to perform fine til i replaced it years later for faster main system

NormanF · Apr 7, 2024

OEM's offer BIOS updates to fix vulnerabilities.

Don't upgrade unless you really need it. If you're not careful, you can brick your PC.

Try3 · Apr 7, 2024

NormanF said:
Don't upgrade unless you really need it

That was the accepted norm thirty years ago.
I have no idea if it was true or not. I never met anybody who had a failed Bios update that wrecked a computer.
I have installed every Bios update offered by my computer OEMs and have never had a problem.

Many OEMs offer methods of re-writing the Bios if a failure occurs.
My HP, for example, offers Bios recovery disks.
my ditty about Bios recovery disks - post #3 - ElevenForum

HP Desktop PCs - BIOS Setup Utility information and menu options
HP Consumer Notebook PCs - BIOS Setup Information and Menu Options
HP Notebook PCs - Recovering the Bios - HPCustomerSupport

All the best,
Denis

hdmi · Apr 9, 2024

Try3 said:
That was the accepted norm thirty years ago.
I have installed every Bios update offered by my computer OEMs and have never had a problem.

Many OEMs offer methods of re-writing the Bios if a failure occurs.

I don't know if it's already been thirty years, but I can still remember my Asus P5LD2 Deluxe motherboard that I bought new (more than eighteen years ago) came with CrashFree BIOS 2 so yeah, thirty years sounds to me like it's probably not too heavily exaggerated... lol

KingDing · Apr 19, 2024

The Bios recovery disks linked to indicate there would be a way to remove malware in the bios.

Are there any other areas (other than the hard drive) that firmware could hide.

E.g GPU bios

Or anywhere else?

andrew129260 · Tuesday at 12:09 PM

KingDing said:
The Bios recovery disks linked to indicate there would be a way to remove malware in the bios.

Are there any other areas (other than the hard drive) that firmware could hide.

E.g GPU bios

Or anywhere else?

Technically, malware can exist and be put on anything that is able to be written to. If data can write to it, malware can exist. The question is what is a better target and easier to get into?

When you're trying to break a system, you want the fastest and quickest solution that is less likely to be noticed, to get in and out quickly. If you want to hide for a long time and not be spotted, you go for firmware. But it requires serious skills, and takes time.

As I stated before, AI will probably change that.

I don't think it should keep you awake at night. The best thing you can do is to do your best at making a pc clean and move on. There is only so much you can realistically do.

hdmi · Wednesday at 2:37 AM

KingDing said:
The Bios recovery disks linked to indicate there would be a way to remove malware in the bios.

Are there any other areas (other than the hard drive) that firmware could hide.

E.g GPU bios

Or anywhere else?

If you don't have access to a backup of the factory vBIOS or you cannot verify the providence thereof, then you simply have no easy way to be sure.

GitHub - notfromstatefarm/nvflashk: Flash (almost) any vBIOS to (almost) any nVIDIA GPU

Flash (almost) any vBIOS to (almost) any nVIDIA GPU - notfromstatefarm/nvflashk

github.com

The same with other types of firmware. At least in theory, anything that has firmware in it could be vulnerable to firmware exploits. Just to give only one example, old motherboards the chipset of which typically has a very limited number of in-built SATA ports commonly use something like a Marvell controller chip to add more SATA ports except cheap ones, and, also typically, the motherboard manufacturers stopped making the necessary firmware updates available to the general populus many years ago. I know at least some motherboards that use a Marvell chip for which Marvell still released a newer firmware that enables TRIM on those specific SATA ports that are connected to the chip (albeit patching/fixing TRIM is not a security update, but I think you got the picture). Just the motherboard manufacturers didn't always make this newer firmware available so, as a result of this, either you'd have to mod it yourself or you can go searching for the mod on a website like Win-Raid Forum. I mean, I spent some of my time reading up on various different subjects on Win-Raid Forum so, I know that it can be done, BUT... it begs the question, is it really worth spending more than $100 in work hours on a PC the total value of which is still factually going to be much less than $100, anyway after all? If it's your hobby, then yes. If not, the landfill gets my vote (after the shelf is full).

It all really boils down to needing to accept that the key in deciding whether it's worth is going to have to be the specific make and model. In the vast majority of cases, it pans out to be a major no no. Unfortunately, it does. Sorry. It is what it is.