February 28, 2007 9:12 AM PST
PC hardware can pose rootkit threat
Every component in a PC, such as graphics cards, DVD drives and batteries, has some memory space for the software that runs it, called firmware. Miscreants could use this space to hide malicious code that would load the next time the PC boots, John Heasman, research director at NGS Software, said in a presentation at this week's Black Hat DC event here.
"This is an important area and people should be concerned about this," Heasman said. "Software security is getting better, yet we run increasingly complicated hardware. Unless we address hardware security, we're leaving an interesting avenue for attack."
Malicious code delivered via the memory on hardware components poses a rootkit threat since it will run on the PC before the operating system loads, Heasman said. This likely will hide it from security software and other protection mechanisms, he added. Such low-level malicious code is known as a rootkit.
Moreover, because the malicious code is stored on the hardware component and not a PC's hard disk, reinstalling the operating system or otherwise wiping the disk won't remove the threat.
In his research, Heasman focused on graphics cards inserted in the PCI, PCI Express or AGP slots on a PC motherboard. He found that it is possible to load a few kilobytes of additional code onto the memory of such cards. An attacker could do this by tricking the user into opening a malicious file, for example, he said.
"The PCI bus was developed by Intel in the 1990s. And as we all know, security wasn't in high respects at that time," Heasman said. "On a well-run network, administrators know which machines are on their network, but do they know what PCI devices are on their network? In most cases I'd imagine that the answer is no."
The concept Heasman presented is not new. Other security researchers have highlighted the risk before. And the industry has responded through the Trusted Computing Group and the Trusted Platform Module, which performs additional checks. However, the Trusted Platform Module isn't on every PC and its capabilities aren't always used, Heasman noted.
For increased protection, Heasman recommends scanning the memory on PC expansion cards and other hardware components and analyzing what the code stored there does.
10 commentsJoin the conversation! Add your comment