Researchers Show Hacking Your Computer's BIOS is Child's Play

Advertisement
By NDTV Correspondent | Updated: 23 March 2015 12:22 IST

Two security researchers have demonstrated an easy way to attack the BIOS chips on millions of PCs in under two minutes, undermining all physical and software security and potentially allowing encrypted data including passwords to be stolen. The two suggest that this technique has most likely already been used by the US National Security Agency.

In a talk titled How Many Million BIOSes Would You Like to Infect at this year's CanSecWest conference, researchers Corey Kallenberg and Xeno Kovah showed how vulnerable the UEFI BIOS implementations on all modern motherboards are. The problem, they said, is made even worse because users rarely patch their BIOS chips when updates are released by manufacturers.

Advertisement

The UEFI BIOS on modern PCs is a miniature operating system itself, and is invisible to desktop antimalware programs. By taking control of it, attackers can either disable a PC entirely or subvert its functions. What's more dangerous is that direct access to data in memory is possible, which means attackers can extract encryption keys, passwords, and other data even when so-called secure operating systems are used.

Even those using the Tails OS on a secure read-only medium, as popularised by Edward Snowden in his handling of leaked government files, would be vulnerable since the attack happens at a lower level than the OS. The victim would never even know he or she had been compromised.

The duo, who founded the firmware-focused security company LegbaCore, showed off a proof-of-concept attack called LightEater, which affects all motherboard vendors and system integrators thanks to the high degree of similarity in code between UEFI BIOS implementations. The attack breaks into a System Management Mode (SMM) which provides deeper access than even administrator and root modes.

LightEater was able to compromise a variety of PCs from different vendors, all in under two minutes. Some Gigabyte motherboards were found to have particularly bad flaws in their access control security, but in all cases the primary fault was that BIOSes are nearly always unpatched.

Advertisement

Kallenberg and Kovah are marketing diagnostic tools to manufacturers in order to help them scan for such vulnerabilities and hopefully then create patches. However they are reasonably certain that the NSA and other similarly equipped agencies have been exploiting this vulnerability for a long time.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Everything We Know About the Nothing Phone 4b
  2. Vivo Y500 4G Makes Global Debut With an 8,100mAh Battery: See Price
  3. Samsung Galaxy Z Fold 8 Series, Galaxy Flip 8 Price Leaked Ahead of Debut
  4. Best Amazon Prime Day Laptop Deals for Students
  5. Moto G77 Power Listing Confirms Key Specifications Before July 8 Debut
  6. Xiaomi 18 Pro Max Prototype Leaked With Dual 200MP Cameras, 100W Charging
  1. Bitcoin Trades Near Two-Week High as Crypto Investor Sentiment Improves
  2. iOS 27 System Prompt Reportedly Hints at Apple’s New Smart Wearable With Two Cameras
  3. Xiaomi Civi Series Discontinued With No Next-Generation Model Planned, Claims Tipster
  4. Apple’s Foldable iPhone to Hit Shelves Later Than Anticipated Due to ‘Manufacturing Challenges’, Analyst Claims
  5. Samsung Galaxy F70 Pro Bluetooth SIG Listing Suggests Its Launch Might Be Right Around the Corner
  6. iPhone Air 2 Design Leaked in New Renders That Point to Dual 48-Megapixel Cameras
  7. Vivo X300e Key Specifications Leaked; Snapdragon 8 Gen 5, 50-Megapixel Zeiss Camera Tipped
  8. Vivo Y500 4G Launched With 8,100mAh Battery, 50-Megapixel Rear Camera: Price, Specifications
  9. Moto G77 Power Listed on Company's Website With Key Specifications Before July 8 Debut
  10. Samsung Galaxy Z Fold 8, Galaxy Fold 8 Ultra, Galaxy Flip 8, Watch 9 Prices Leaked Online Ahead of Launch
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.