Researcher develops NIC rootkit

November 24, 2010 // 10:45 a.m.

Tags: #broadcom #firmware #network #nic #privacy #rootkit #security

A security researcher has developed techniques for reverse engineering the firmware in a popular line of network cards, potentially opening the door for a future hardware-based rootkit.

Guillaume Delugré, a researcher with Sogeti ESEC Research and Development, has detailed his efforts at reverse engineering the firmware of Broadcom's NetExtreme network cards on the company's website, but warns that the techniques he has developed could be used by ne'er-do-wells to produce near-undetectable rootkits to attack future computers.

Using nothing more than publicly available documentation and open-source utilities, Delugré has been able to build tools to monitor and debug the network card at a very low level. This tool set has also led Delugré to find a way to flash custom firmware onto the cards and have it executed as though it were official code.

The upshot of his work: a rootkit that can be uploaded to the network card and silently monitor network traffic without the host OS being able to stop it.

'A network card rootkit offers some very interesting features,' Delugré explains. 'A very stealthy communication end-point over the Ethernet link, which can intercept and forge network frames without the operating system knowing about it, or physical system memory access using DMA over the PCI link, leading to OS corruption.'

Worse, he claims that there would be 'no trace of the rootkit on the operating system, as it is being hidden inside the NIC.'

So far, there are no known attacks on the firmware of network cards of the type that Delugré is researching - but the implications of such an attack are profound. If an attacker could plant the rootkit into the firmware of a network card at the factory, it would infect thousands of systems regardless of virus protection and security features in their host operating system. Worse, there would be little way to detect or prevent the rootkit from transmitting or altering data, although Intrusion Detection Systems (IDS) on the network should provide some level of protection.

Are you concerned about the threat of hidden rootkits in your network card, or is Delugré over-egging the pudding? Share your thoughts over in the forums.
