What is disk encryption worth? Threat of proprietary Bios, SMM, optionrom, TPM etc?

Question

Supposing there is private/secret data on a machine (i.e a x86 arch) the most reasonable thing to me would be to encrypt this data, so to protect it.

I understand that the purpose of secured,safe,untampered & secret data is only served when the key/passphrase is kept safe. Also I know that, as there is software necessary for the de-/encryption I have to some degree trust this software (i.e. need to trust linux kernel, gnu software, LUKS framework for linux-based disk encryption. etc.). Being mostly open source an autid of the software mentioned above might seem at least possible.

Still what is with the PC BIOS software? The most common thing is that it is a proprietary (closed source) peace of code. Theoretically and I think practically there is a good change that some malware in the PC BIOS is setting up a keylogger --> passphare is captured --> data safety is nil. (right?)

Also I have just started hearing (with some shock) about the x86 feature of the Secured Management Mode SMM which it seems can be exploited to work in a bluepill fashion with some rootkit. Also again this could do arbitrary mischief and of course seems to break my encryption purpose by logging the keys.

Even worse I wonder about the optionrom thing in the BIOS. To what I understand the PC Bios would load and execute code from a device (like a network card chip) and execute(!!!) it. So at worst a chinese/american/german (name any other untrusted country/organisation of your choice) could manifacture devices as some kind of computer virus (using this optionrom feature).

With all that I really wonder about the value of disk encryption if there is so much unkown and danger before the (maybe trusted - because open source) linux kernel runs.

Honestly if I was to create a rootkit I would also seek to put(or anchor) it somewhere in the TPM, PCBIOS, optionroms, kernel etc. Only for the kernel there is some trust.

I would be very happy to hear your thoughts.

Good questions like:

• How to check the integrity of my BIOS? or
• Tamper-proof BIOS password & settings storage with Trusted Platform Module?

give insight mostly about how to keep PC BIOS free/save from malware? etc, but my paranoia is also to not know what the BIOS does (closed source) in the first place.

some Update

About the threat from changing/tampering the BIOS code I wonder if the linuxBIOS or coreboot(www.coreboot.org) projects do not show both the possibility to modify bios by (also malware) own code and the option to do this on purpose for security reasons. After all a selfwritten or at second best open source BIOS seems doable as the things BIOS do are not "the world" (just some initialization work). So I still fear that -given the hardware documentation or reverse engineering- it is doable to create a malware bios and deploy it (see flashrom.org tool)

Update: Another source showing the problem of proprietary firmware/hardware is http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

Answer 1

Your question essentially boils down to risk management. The simplest way to analyse a particular risk is to see where it falls in terms of the following three categories:

• Probability - What's the chance that this risk will become a problem?
• Impact - If a problem occurs due to this risk, how much of a problem is it?
• Cost - How much will it cost to reduce this risk probability or impact to an acceptable level?

Note that cost is not just monetary - it includes time, effort, convenience, etc.

Most risks cannot ever be fully mitigated. The goal is to find an acceptable balance between probability, impact and cost. Now let's look specifically at your issue:

Probability
In reality, the probability of an attacker installing fake BIOS and TPM chips is tiny. Anecdotally, I can't quote a single case in the history of infosec where a real attacker has done this. As far as I'm aware, it's only ever been demonstrated in lab conditions. Your real risk is having a hardware keylogger device installed between the keyboard and USB or PS/2 port. How likely is it that an attacker will have physical access? The attacker has a risk model too - are they likely to risk of being caught for the sake of what you're protecting? Be realistic here - are you protecting a photo sharing web service used by 20 people, or a bank with tens of thousands of customers? I'd argue that the probability of BIOS / TPM attacks is minuscule, but the probability of hardware keyloggers is low to medium, depending on your storage and access circumstances.

Impact
What do you stand to lose? What's the absolute maximum fiscal loss, including projected sales losses due to loss of confidence? How much are you likely to have to pay in overtime when your staff are cleaning up after a breach? Might you be sued or fined for breach of data protection laws, such as DPA 1998? From your projected loss model, how much has it cost other companies in similar circumstances? Remember that your loss risk should be relative to business operations as a whole. Think in terms of assets - what do you consider to be important? Is it your source code? Is it your financial records? Your product design documents? What at-risk information are you most concerned about losing? I'd guess you're looking at high impact here, since keyloggers would allow an attacker to gain almost uninhibited access to your network.

Cost
How much will it cost you to bring the risk or impact down to an acceptable level? Note that mitigation methods may not have to be implemented across every machine. Can proper access controls and auditing be used? Is your physical security strong enough?

A few potential ways to reduce risk of tampering:

• Don't give staff access to areas they don't need to be! If you use RFID key fobs for keyless entry, don't allow the CEO's PA to use theirs to get into the server room.
• Locks on computer cases, to prevent internal tampering.
• Place computer towers inside locked cabinets, to make it difficult to interfere with keyboard cables.
• Remove or disable USB slots on servers and computers that don't need them.
• Laptops kept in a locked cabinet when not in use.
• Use Kensington locks on laptops and other sensitive equipment.
• Use security tape to seal servers and other high-risk systems.
• Use high quality locks. This one scares me more than anything else - I recently learnt to pick them and the cheap ones are way too easy to break. A decent Yale lock will keep an skilled intruder busy for 3-4 minutes. Cheap non-brand ones can take less than 15 seconds. Maglocks alone aren't sufficient, and can be defeated with a home-made electromagnet, a small circuit, and a laptop battery.
• Have your alarms and CCTV systems tested frequently, and prioritise the placement of security sensors (e.g. PIRs, cameras, magnetic entry sensors, etc) in high risk areas.

All in all, you could probably bring this risk down to an acceptable level by implementing 4 or 5 of those ideas.

Answer 2

I'm going to come right out and say that you are right in that your BIOS could be compromised, in fact your entire computer could be designed with the expressed purpose of siphoning up every single piece of information on it. Additionally there's absolutely no way you could ever be sure otherwise. There's no tool set or method that will ever give you peace of mind here.

The fact is that it's extremely unlikely that even if your hardware was able to be taken over that someone with that capability would want to do it to you. Subjecting a bios and making it work with software based threats is difficult, very difficult in fact, and unnecessary as pure software-based malware that uses unpatched vulnerabilities in OS or loaded software will do just as well and is much easier.

The chances are that your biggest threat is from data loss due to theft or misplacement of your device, and that's what encryption is there to protect you against. It won't protect your data from being siphoned off by malware while the machine is on and the data unencrypted, but it will if you leave your laptop in a taxi.