Hardware Exploits and Bugs
These are attacks on computer systems and networks
based on exploiting hardware design or manufacturing bugs,
or "not playing by the rules" in dealing with the hardware.
The idea of violating the "rules" by freezing the
semiconductors or overwriting Ethernet firmware data
seems analogous to the very common software vulnerabilities
caused by not fully validating user input.
Well, maybe not just analogous, maybe we should consider
frigid liquids or Firewire signals or Ethernet signals as
user-supplied input just like packet contents or form data
submitted to web servers.
What makes these different is that we don't generally
have control of the hardware design and manufacturing.
Yes, you could choose to buy an Ethernet card or CPU or
motherboard from a different manufacturer,
but you have to choose from what the existing market offers.
Furthermore, while there are
some interesting open-source hardware projects,
they are the exception and do not generally provide
the features and performance needed.
Enthusiasts must not forget that the features required by
corporations and government agencies include
a well-known and trusted hardware manufacturer.
Modify the BIOS firmware:
There was concern back in 2006 about an
ACPI/BIOS based attack
"Researcher Demonstrates Hardware Backdoor",
software collection Rakshasa can reflash firmware,
Dark Reading July 2012.
Researcher creates proof-of-concept malware that infects BIOS, network cards,
also on Rakshasa.
"New Malware Can Bypass BIOS Security",
can fool a host's Trusted Platform Module into thinking
that the BIOS firmware is clean when it isn't,
Dark Reading May 2013.
"Research Into BIOS Attacks Underscores Their Danger",
Dark Reading Nov 2013.
Does Computrace / Absolute Track / LoJack deserve the
title of rootkit or backdoor?
Computrace Product Feature Matrix
Absolute Software BIOS and Firmware
list for product lines of
Acer, ASUS, Dell, Fujitsu, Gammatech,
Gateway, General Dynamics, Getac, HP/Compaq,
Lenovo, Mobile Demand, Motion, Panasonic,
Samsung, Toshiba, and Xplore.
Deactivate the rootkit —
Black Hat Vegas 2009
of anti-theft technology providers.
The BIOS-Embedded Anti-Theft Persistent
Agent that Couldn't: Handling the
Hacking the Extensible Firmware Interface
Turn off the NX bit while running:
The NX bit, also called the XD bit, is a per-page flag
in the page tables that tells the CPU a page holds data
and must never be executed as instructions.
Intel calls it XD for eXecute Disable,
AMD markets it as Enhanced Virus Protection,
and ARM processors call it XN for eXecute Never.
BIOS setup often exposes an on/off toggle for it, which
makes it look like something buried down in the hardware
beyond the reach of applications or the operating system.
It isn't. The NX bit is simply a hardware feature that
may or may not be available (on 32-bit x86 it also
requires PAE paging), and even if available, the
operating system may not use it. The kernel switches
the feature on through the EFER.NXE model-specific
register and then sets or clears the bit in each page
table entry, so anything running with kernel privilege
can turn it off for one page, or for the whole machine,
while the system is running.
For example, in Windows, Data Execution Prevention
or DEP is Microsoft's name for support of this
technology in the operating system, and Microsoft's
documentation explains how to turn it on or off for
specific programs or for all programs.
See the Wikipedia page on
the NX bit
for detailed descriptions of the technology and its
support on various combinations of
operating systems and processors.
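What the operating system actually does with the NX bit, as an added example that is not from the original page: the same machine-code stub is copied into an anonymous page twice, once left read/write and once after mprotect() adds PROT_EXEC. The fault on the first call is the CPU honoring the NX bit the kernel left set in that page's table entry; the second call succeeds because the kernel cleared it. Assumes Linux (or another POSIX system with mmap/mprotect) on x86-64 or AArch64; the stub bytes are hand-assembled for those two architectures.

```c
/* Added example (not from the original page): shows that "no-execute" is a
 * per-page decision made by the operating system, not by the BIOS.  The same
 * bytes are placed in a page once without and once with PROT_EXEC; only the
 * second copy runs.  Assumes Linux/glibc on x86-64 or AArch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__)
/* mov eax, 42 ; ret */
static const unsigned char stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret   (little-endian instruction words) */
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "stub bytes are provided for x86-64 and AArch64 only"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);          /* unwind out of the faulting instruction fetch */
}

/* Copy the stub into a fresh anonymous page and call it.
 * Returns 42 if the stub executed, -1 if the CPU faulted on the instruction
 * fetch (NX enforced for that page), -2 on a setup error. */
int run_stub(int allow_exec) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, stub, sizeof stub);
    __builtin___clear_cache((char *)page, (char *)page + sizeof stub);

    /* This is where the NX bit for the page really gets cleared: a system
     * call into the kernel, which rewrites the page table entry. */
    if (allow_exec && mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pg);
        return -2;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> function pointer without a cast warning */
        result = fn();
    } else {
        result = -1;                     /* landed here from on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pg);
    return result;
}

int main(void) {
    printf("read/write page: %d\n", run_stub(0));   /* -1 wherever NX is enforced */
    printf("read/exec  page: %d\n", run_stub(1));   /* 42 */
    return 0;
}
```

On a machine where NX is unavailable, or where the kernel does not use it, the first call returns 42 as well; that is the "may or may not be available, may or may not be used" point above, observable from user space with no privilege at all.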
Modify the TPM (Trusted Platform Module) chip:
In February, 2010, Christopher Tarnovsky announced
a successful hardware exploit of an Infineon TPM chip.
It was a physical, invasive attack: he decapsulated the
chip and microprobed its internal bus, so it requires
lab equipment and possession of the device, but it showed
that the secrets inside a TPM are not beyond reach.
Modify the processing hardware:
University of Illinois researchers exploited a system
by modifying its processing hardware.
With Linux running on a programmable LEON processor,
based on Sun's SPARC design,
they changed 1,341 of the over 1 million logic gates.
The added gates lie dormant until a carefully crafted
network packet arrives; that packet switches the hidden
logic on and injects the malicious firmware, after
which the attacker can log in as a legitimate user.
This requires the malicious logic to be inserted at
design or fabrication time, which seems far-fetched
until you recall that the US DOD warned of this very
attack in February 2005: a shift toward
overseas integrated circuit manufacturing
could present a security problem.
This was reported at the Usenix Workshop on Large-Scale
Exploits and Emergent Threats in April 2008,
and described in
this IDG News article.
"Stealthy Dopant-Level Hardware Trojans",
a paper discussing how to tamper with logic gates
by changing the doping of individual transistors.
This sabotage would be undetectable by optical
inspection or functional testing.
Freeze the memory:
Princeton researchers reported
cold boot attacks — literally cold boot.
The problem — sensitive information such as
passwords used for file system encryption and
some file contents themselves may remain in RAM
for surprising amounts of time, especially if
the RAM is chilled.
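How a recovered RAM image gets turned back into a key, as an added example rather than the Princeton team's own code: their paper observes that an AES key is never alone in memory, because the cipher implementation keeps the 176-byte expanded key schedule beside it, and that schedule is highly redundant (every round key is a fixed function of the one before). Scanning the dump for any 16 bytes whose FIPS-197 expansion equals the 160 bytes that follow locates the key without knowing anything about the process that owned it. The memory image below is constructed (pseudo-random filler with one planted schedule), not a real dump.

```c
/* Added example, not the Princeton team's code: find an AES-128 key in a
 * memory image by locating its expanded key schedule, the search their
 * cold-boot paper describes.  A real run reads a dump of chilled RAM; here
 * the "dump" is a constructed 4 KiB buffer with one schedule planted at a
 * known offset.  Plain C99, no dependencies. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))

static uint8_t sbox[256];

/* Rijndael S-box: multiplicative inverse in GF(2^8) followed by the affine map. */
static void ensure_sbox(void) {
    static int ready;
    if (ready) return;
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));        /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        q ^= (q & 0x80) ? 0x09 : 0;                                    /* q /= 3, so p*q == 1 */
        sbox[p] = (uint8_t)(q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;
    ready = 1;
}

/* FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys). */
void aes128_expand(const uint8_t key[16], uint8_t sched[176]) {
    ensure_sbox();
    memcpy(sched, key, 16);
    uint8_t rcon = 0x01;
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4];
        memcpy(t, sched + i - 4, 4);
        if (i % 16 == 0) {                       /* RotWord, SubWord, then XOR Rcon */
            uint8_t first = t[0];
            t[0] = sbox[t[1]] ^ rcon;
            t[1] = sbox[t[2]];
            t[2] = sbox[t[3]];
            t[3] = sbox[first];
            rcon = (uint8_t)((rcon << 1) ^ ((rcon & 0x80) ? 0x1B : 0));
        }
        for (int j = 0; j < 4; j++) sched[i + j] = sched[i - 16 + j] ^ t[j];
    }
}

/* Treat every 16-byte window as a candidate key, expand it, and check whether
 * the following 160 bytes are exactly that expansion.  Random RAM essentially
 * never satisfies this, so a hit is a real schedule.  Returns the offset of
 * the key, or -1. */
long find_aes128_schedule(const uint8_t *buf, size_t len) {
    uint8_t sched[176];
    for (size_t off = 0; off + 176 <= len; off++) {
        aes128_expand(buf + off, sched);
        if (memcmp(sched + 16, buf + off + 16, 160) == 0) return (long)off;
    }
    return -1;
}

/* Self-check against the FIPS-197 Appendix A.1 vector: the last round key of
 * 2b7e1516 28aed2a6 abf71588 09cf4f3c is d014f9a8 c9ee2589 e13f0cc8 b6630ca6. */
int fips197_vector_ok(void) {
    const uint8_t key[16]  = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                              0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
    const uint8_t last[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,
                              0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};
    uint8_t sched[176];
    aes128_expand(key, sched);
    return memcmp(sched + 160, last, 16) == 0;
}

#define DUMP_LEN     4096
#define PLANT_OFFSET 1000   /* where the constructed dump holds the schedule */

/* Constructed stand-in for a RAM image: LCG filler plus one planted schedule,
 * as a process that had been encrypting would leave behind. */
long demo_find(void) {
    static uint8_t dump[DUMP_LEN];
    const uint8_t key[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                             0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    uint32_t s = 0x12345678u;
    for (size_t i = 0; i < DUMP_LEN; i++) {
        s = s * 1664525u + 1013904223u;
        dump[i] = (uint8_t)(s >> 24);
    }
    aes128_expand(key, dump + PLANT_OFFSET);
    return find_aes128_schedule(dump, DUMP_LEN);
}

int main(void) {
    printf("FIPS-197 vector: %s\n", fips197_vector_ok() ? "ok" : "FAIL");
    printf("schedule found at offset %ld (planted at %d)\n", demo_find(), PLANT_OFFSET);
    return 0;
}
```

Bits decay as the RAM warms up, so the team's real tool scores near matches against the key-schedule structure rather than demanding the exact match this version requires; the same idea extends to AES-256 schedules and, with a different structural test, to RSA private keys.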
Break in through the Firewire port:
is a tool where the attacker connects a Linux machine
to the Firewire port.
Firewire (IEEE 1394) gives an attached device direct
memory access, so the attacker gets full read-write
access to memory with no operating system mediation,
and the tool deactivates Windows' password protection
residing in local memory.
The defenses are an IOMMU (Intel VT-d, AMD-Vi)
configured to restrict DMA from the port, or simply
disabling the port.
Steal passwords, drop malware on the system, and
Similar hacks have been demonstrated against Linux
and MacOS X.
Break in through the network interface hardware:
There's been some work on attacking the firmware on
network interface cards, some of which focuses on
permanently damaging the card.
But more interesting work looks at attacking the
NICs on a firewall so they do PCI-to-PCI data
transfers, moving information down at a hardware
level where firewalls don't look.
There is speculation this might allow reading
the disk device through its PCI-based controller.
See this discussion,
an excerpt from the Robust Open Source
Come in through the back door provided by IPMI:
The IPMI or Intelligent Platform Management Interface
protocol provides remote management for servers.
An embedded server called the BMC or Baseboard
Management Controller is installed on
The BMC typically runs Linux on its own small CPU
with memory and storage, and runs independently of
the operating system or hypervisor you think of as
being installed directly on the system.
IPMI and the BMC provide networked access to the
hardware even when the system is powered down, so a
compromised or poorly secured BMC sits below everything
the host operating system can see or protect.
Keep BMC network ports on an isolated management
network and change the default credentials.
badBIOS — Real or Not?
The badBIOS story appeared in October, 2013.
Dragos Ruiu told about
very advanced malware that infected both Mac and PC hardware,
reflashing the BIOS, UEFI, or EFI firmware,
spreading via ultrasound or signals from software
traveling in USB memory sticks that were merely plugged
in but never mounted.
Compilation of Ruiu's observations
Ars Technica 31 Oct 2013,
"Meet 'badBIOS,' the mysterious Mac and PC malware
that jumps airgaps"
InfoWorld 1 Nov 2013,
"BadBIOS: Next-gen malware or digital myth?"
Ars Technica 5 Nov 2013,
"Researcher skepticism grows over badBIOS"
InfoWorld 12 Nov 2013,
"4 reasons BadBIOS isn't real"
People following this story fall into a few
different camps. Many believe everything he
says — or at least most of it — is
Others think he's perpetrating a huge social
engineering experiment, to see what he can get
the world and the media to swallow.
A third camp believes he's well-intentioned,
but misguided due to security paranoia
nurtured through the years.
A few even think we're witnessing the public
mental breakdown of a beloved figure.
They point out that paranoid schizophrenics
often claim to be targeted by hidden
communication no one else can hear.
To be honest, I've found myself in all these
camps since the story broke, though I'm
leaning toward those who think Ruiu is
well-intentioned, but perhaps seeing too
much of what he wants to see.
Is Your Hardware Really What You Think It Is?
There have been stories of counterfeit hardware from
Cisco modules down to integrated circuits for some time.
The first thing I noticed explaining just how these parts
get into the parts supply stream was this
"How counterfeit, defective computer components
from China are getting into U.S. warplanes
Given the horror stories it contains of entirely unmonitored
suppliers chosen for U.S. military parts based largely if not
entirely on their status as "disadvantaged",
"woman and minority owned", and so on,
I can see why the government didn't explain
the details immediately....
Even If You Have AMD Hardware,
Is It Really What You Thought It Was?
All AMD processors made during 2000-2010 included
a secret debugging feature well outside the
standard x86 architecture definition.
All processors starting with the Athlon XP have a
firmware-controlled feature that can put the CPU
into debugging mode.
the article in The Register
for an overview,
the announcement by the discoverer
for far more details, and
a list of undocumented Model-Specific Registers (MSRs)
in AMD processors.
If the hardware won't even do what it's supposed to,
there are big problems!
There were some interesting short articles about
Intel Core 2 bugs, see
for the articles, and also see the
background on Intel's quiet patch release.
Affected CPUs were the
Core 2 Duo E4000/E6000, Core 2 Quad Q6600,
Core 2 Xtreme QX6800, QX6700, and QX6800.
Remember the Pentium CPUs that were bad
at floating-point division (the FDIV bug)?
The original Pentium also had the "F00F" bug:
the four-byte instruction sequence F0 0F C7 C8,
an invalid LOCK CMPXCHG8B encoding that any
unprivileged process can execute,
will just plain halt the CPU until a hardware reset.
Virtualization / Emulation Bugs
VirtualBox is a virtualization product that was originally from Innotek,
which was purchased by Sun, which was purchased by Oracle.
See this message
from the OpenBSD project leader reporting that
CPU registers become corrupted under VirtualBox.
"We don't know how other operating system products
continue running when the userland ecx register
gets clobbered on a return from a page fault,
but at least people should be aware that there
is likely some security risk from running that
That VM does not emulate the x86 correctly,
See my page on
Violating Virtualization Security
for more information on Type 1 and Type 2 virtualization
vulnerabilities, VM escape, the use of malicious hypervisors,