2

I might be mistaken, but it seems the firmware (UEFI) needs to load some stuff from the disk to be able to do anything really interesting, like loading some advanced tools or loading the OS. Yet firmware infections are often associated with the concept of "persistent infections", where wiping the disk won't help. But what can an infected firmware do on its own, after you have wiped the whole disk? Obviously malicious firmware can load all sorts of malicious stuff, but first it must find that stuff somewhere. Maybe the firmware memory is large enough to contain malicious code to inject somewhere later in the boot process, but I'm not sure there is enough memory available to do anything interesting that actually works.

So what can malicious firmware do after the disk has been totally wiped (every partition has been overwritten) and another clean OS has been installed?

reed

  • Deleting everything on the hard drive doesn't delete the things in the firmware, so it can do everything it could do before you deleted the stuff on the hard drive. – Vit Apr 02 '19 at 18:22
  • Firmware is not just boot. It keeps running after the OS is loaded. It runs at a higher privilege level than the OS; the OS or hypervisor can't interfere with it. Intel ME, also firmware, just runs on separate processors in a separate chip on the motherboard, but it has access to RAM and to the network. It can do things like scan all RAM periodically to find the Chrome password manager and send all of it over the network to someone. – Z.T. Apr 02 '19 at 22:12

1 Answer

2

The simplest thing malicious firmware can do is add or replace existing executable files so that the OS loads them on boot. This is how LoJack/CompuTrace anti-theft software works.

ValdikSS
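A defender's check in the spirit of this answer, added here as an example and not part of the original post: after a clean reinstall, snapshot the boot-relevant files (for instance the mounted EFI System Partition) and compare later snapshots against that baseline to spot executables that were added or replaced. The directory layout and file contents below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed demo paths; in practice point build_manifest() at the mounted
# ESP or whichever directories the OS executes from during boot.

def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    manifest = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return manifest

def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed scenario: take a baseline, then a loader is replaced and a new file appears."""
    with tempfile.TemporaryDirectory() as d:
        boot = Path(d) / "EFI" / "BOOT"
        boot.mkdir(parents=True)
        (boot / "BOOTX64.EFI").write_bytes(b"clean loader")
        baseline = build_manifest(d)
        # Simulate what the answer describes: an existing executable replaced
        # and an extra one dropped next to it.
        (boot / "BOOTX64.EFI").write_bytes(b"patched loader")
        (Path(d) / "EFI" / "extra.efi").write_bytes(b"dropped")
        return diff_manifests(baseline, build_manifest(d))

if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest off the machine (the firmware can reach the disk, so a copy kept on it is not trustworthy), and re-run the comparison after each boot you want to verify.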