Intel responds to Vault 7 UEFI malware with Chipsec module

March 10, 2017 // 2:28 p.m.

Tags: #bios #chipsec #cia #cristiaan-beek #efi #intel #intel-security #malware #raj-samani #trojan #uefi #vault-7 #wikileaks #year-0

Intel has responded to claims in WikiLeaks' Vault 7 Year 0 release that firmware on its systems can be targeted for exploitation by releasing a Chipsec module dedicated to scanning BIOS and UEFI implementations for the presence of malicious code.

Released earlier this week, Vault 7 Year 0 is the first in what anti-secrecy group WikiLeaks is calling the largest trove of confidential documents and tools from the US Central Intelligence Agency (CIA) in history. Representing a claimed one percent of the total, the documents released so far include details of tools for exploiting various zero-day vulnerabilities - including injecting malicious code directly into the firmware of target computer systems, from where it can run entirely invisibly to the host operating system and even survive a complete reformat and reinstall.

'Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society,' Intel Security's Christiaan Beek and Raj Samani explained in a joint blog post following the leak. 'As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems.'

Part of the company's existing Chipsec security analysis framework, the new module allows for UEFI rootkits and other malicious code injections to be detected. For those who are unsure if their system has already been infected, however, it's of little use: the tool works by comparing the current UEFI to a known-good copy located in a whitelist. 'We recommend generating an EFI whitelist after purchasing a system or when you are sure it has not been infected,' the pair explain, without suggesting - given previous claims that national security agencies routinely intercept hardware deliveries in transit in order to inject malicious code - exactly how one would be sure of that fact.
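The whitelist approach described above, and its dependence on a trustworthy baseline, can be seen in a simplified model. This is an added example, not CHIPSEC's code: firmware images are modelled as constructed name-to-bytes dictionaries rather than parsed UEFI volumes, and the function names are hypothetical.

```python
import hashlib
import json


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def generate_whitelist(image: dict) -> str:
    """Serialise {sha256: name} for every executable in a trusted image."""
    return json.dumps({sha256(body): name for name, body in image.items()}, indent=2)


def check_image(image: dict, whitelist_json: str) -> list:
    """Return names of executables whose hash is absent from the whitelist."""
    known = json.loads(whitelist_json)
    return sorted(name for name, body in image.items() if sha256(body) not in known)


# Constructed sample data (assumption): module name -> executable bytes.
CLEAN = {
    "DxeCore": b"constructed dxe core v1",
    "SetupUtility": b"constructed setup utility v1",
}
# Same image with one executable modified and one unlisted executable added.
TAMPERED = {
    **CLEAN,
    "DxeCore": b"constructed dxe core v1 + extra code",
    "ExtraDxe": b"constructed unlisted driver",
}

if __name__ == "__main__":
    baseline = generate_whitelist(CLEAN)
    print("clean vs clean baseline:   ", check_image(CLEAN, baseline))
    print("tampered vs clean baseline:", check_image(TAMPERED, baseline))
    # Baseline taken after the image was already modified: nothing is flagged.
    late = generate_whitelist(TAMPERED)
    print("tampered vs late baseline: ", check_image(TAMPERED, late))
```

The last check returns an empty list, which is the limitation the article raises: the comparison only detects changes made after the whitelist was generated.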

Those interested in playing with the Chipsec tool can find it on GitHub.

