A multi-year effort to prevent hackers from altering computers while they boot up has largely failed because of lax application of preventive steps, researchers say, despite disclosures that flaws are being exploited. In the latest sign that the problem persists, researchers at the federally funded MITRE lab said this week that many customers of Intel Corp still had not adopted revised security designs Intel distributed in March after the MITRE team found new vulnerabilities in the start-up process.
That could mean many newer Windows computers remain exposed, the MITRE team told Reuters ahead of a presentation at the Black Hat security conference in Las Vegas next week. Intel's point person on the issue, Bruce Monroe, said he did not know how many suppliers and computer makers had followed Intel's recommendations.
"We're not privy to whether they've fixed it or not," Monroe said. "We asked them to let us know." The stubborn glitches illustrate how such well-funded spying programs as those exposed by former National Security Agency contractor Edward Snowden can continue to succeed against targets that depend on a complex supply chain.
Long before Snowden's documents began appearing in the media, professional technicians and US officials were concerned about the vulnerabilities that left computers severely exposed as they are turned on. Years ago, then-US National Security Agency Director Keith Alexander privately urged the chief executives of major American technology companies to do something about the boot-up procedure known as the Basic Input/Output System, or BIOS. BIOS relies on firmware, or permanent software that ships with computers.
Because the start-up code is given more authority than the operating system, hackers who break into that code can make major changes to programs and hide evidence of their presence. Lodging there also all but guarantees what the security industry calls persistence - the ability to remain inside even after a computer is turned off and rebooted. Intel, Microsoft Corp and other companies promoted a successor system known as the Unified Extensible Firmware Interface that includes a feature called "secure boot," which checks for digital signatures before running code. Microsoft's Windows 8 operating system has embraced UEFI and secure boot, bringing the hardened approach to more than 60 million new computers.
Even as that rollout was accelerating, though, evidence accumulated that attacks similar to those theorised by researchers were actually under way. In 2011, several research firms identified one such piece of malicious software, called Mebromi, that primarily attacked Chinese computers with a type of BIOS from leading supplier Phoenix Technologies Ltd.
Early last year, Reuters saw a catalogue from a US defense contractor that included a product, offered at more than $100,000, for incapacitating target computers by attacking BIOS and other critical elements. And in December, Der Spiegel reported that a leaked internal NSA catalogue described a tool called DeityBounce that attacked the BIOS of Dell Inc servers. That came months after a presentation at last year's Black Hat security conference in which MITRE researchers including Corey Kallenberg and Xeno Kovah broke into Dell's boot-up process.