bit-tech.net

Intel responds to Vault 7 UEFI malware with Chipsec module

Intel has responded to WikiLeaks' Vault 7 Year 0 release with a module for its Chipsec framework which it claims will help detect CIA or other malicious implants in a system's UEFI firmware or BIOS.

Intel has responded to claims in WikiLeaks' Vault 7 Year 0 release that firmware on its systems can be targeted for exploitation with the release of a Chipsec module dedicated to scanning BIOS and UEFI implementations for the presence of malicious code.

Released earlier this week, Vault 7 Year 0 is the first in what anti-secrecy group WikiLeaks is calling the largest trove of confidential documents and tools from the US Central Intelligence Agency (CIA) in history. Representing a claimed one percent of the total, the documents released so far include details of tools for exploiting various zero-day vulnerabilities - including injecting malicious code directly into the firmware of target computer systems, from where it can run entirely invisibly to the host operating system and even survive a complete reformat and reinstall.

'Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society,' Intel Security's Christiaan Beek and Raj Samani explained in a joint blog post following the leak. 'As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems.'

Part of the company's existing Chipsec security analysis framework, the new module allows UEFI rootkits and other malicious code injections to be detected. For those who are unsure whether their system has already been infected, however, it is of little use: the tool works by hashing the EFI executables in the firmware image and comparing those hashes against a whitelist generated earlier from a known-good copy of the same firmware, so anything already present when the whitelist was generated is treated as legitimate. 'We recommend generating an EFI whitelist after purchasing a system or when you are sure it has not been infected,' the pair explain, without suggesting - given previous claims that national security agencies routinely intercept hardware deliveries in transit in order to inject malicious code - exactly how one would be sure of that fact.
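The generate-then-check approach described above, as an added illustration rather than Intel's own code: the sample "firmware images" below are constructed inline as name-to-bytes dictionaries standing in for the EFI executables a real run would extract from an SPI flash dump, the module names and the implant are hypothetical, and the whitelist format is a simplified JSON map of module name to SHA-256 rather than the real module's file layout. The last step shows the caveat the article raises, namely that a baseline taken from an already infected system whitelists the implant.

```python
import hashlib
import json

# Constructed sample firmware contents: EFI executable name -> bytes.
# A real run would extract these modules from an SPI flash dump; here three
# tiny stand-ins (hypothetical names, not real drivers) are built inline.
CLEAN_IMAGE = {
    "DxeCore.efi": b"MZ" + b"\x00" * 14 + b"DXE core sample body",
    "PchInitDxe.efi": b"MZ" + b"\x00" * 14 + b"PCH init sample body",
    "BdsDxe.efi": b"MZ" + b"\x00" * 14 + b"boot device selection sample body",
}

# Same image after a hypothetical implant: one driver patched, one driver added.
INFECTED_IMAGE = dict(CLEAN_IMAGE)
INFECTED_IMAGE["BdsDxe.efi"] = CLEAN_IMAGE["BdsDxe.efi"] + b"\x90\x90 patched"
INFECTED_IMAGE["HidDxeImplant.efi"] = b"MZ" + b"\x00" * 14 + b"hypothetical implant"


def hash_modules(image):
    """SHA-256 of every executable in the image, keyed by module name."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in image.items()}


def generate_whitelist(image):
    """Baseline step: serialise the module hashes as a JSON whitelist."""
    return json.dumps(hash_modules(image), indent=2, sort_keys=True)


def check_whitelist(image, whitelist_json):
    """Check step: compare an image against a previously generated whitelist.

    Returns the module names that differ from the whitelist, grouped by how
    they differ. An all-empty report means the image matches the baseline.
    """
    expected = json.loads(whitelist_json)
    actual = hash_modules(image)
    return {
        "modified": sorted(n for n in actual if n in expected and actual[n] != expected[n]),
        "added": sorted(set(actual) - set(expected)),
        "missing": sorted(set(expected) - set(actual)),
    }


def matches_baseline(report):
    """True when no module was modified, added or removed."""
    return not any(report.values())


if __name__ == "__main__":
    baseline = generate_whitelist(CLEAN_IMAGE)
    print("clean vs clean baseline:", check_whitelist(CLEAN_IMAGE, baseline))
    print("infected vs clean baseline:", check_whitelist(INFECTED_IMAGE, baseline))
    # The article's caveat: a whitelist generated after infection contains the
    # implant's hash, so the infected image passes its own late baseline.
    late_baseline = generate_whitelist(INFECTED_IMAGE)
    print("infected vs late baseline:", check_whitelist(INFECTED_IMAGE, late_baseline))
```

The only defence the model offers against the "baseline taken too late" problem is to generate the whitelist from an image you trust for some other reason (a vendor-supplied firmware file, or a dump taken before the machine was ever exposed) and to keep that whitelist somewhere the firmware cannot reach. The real Chipsec module is driven from chipsec_main.py with the tools.uefi.whitelist module and a generate or check action over a dumped ROM; its JSON records more than the name and hash used here.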

Those interested in playing with the Chipsec tool can find it on GitHub at https://github.com/chipsec/chipsec.

3 Comments

Wwhat 13th March 2017, 13:33 Quote
"without suggesting - given previous claims that national security agencies routinely intercept hardware deliveries in transit in order to inject malicious code - exactly how one would be sure of that fact."

I would think you'd have a database somewhere with hashes of said firmware so you can compare. Problem being that of course they could intercept your link to said database and inject a fake hash to make it seem OK.
So perhaps you need to go to another country like Russia and consult a DB there to be sure. While simultaneously Russians would go to another country to make sure their government didn't mess with their systems.
Anyway - it's good news for the airlines I guess :)
leexgx 14th March 2017, 18:15 Quote
It's really rubbish that EFI has poor security (I guess if you reflash the BIOS and it fails to let you then you might have a compromised BIOS)
Cthippo 15th March 2017, 10:57 Quote
Is any of this an indication that tech companies are less willing to cooperate on backdoors and access than they once were?