
The ASUS motherboard in an older PC I own failed. I purchased a replacement from a vendor on eBay, shipped from China (Shenzhen). Only after receiving the motherboard did it occur to me to wonder about the security of the motherboard, and in particular the BIOS installed.

Am I being unnecessarily paranoid?

My main concern is that while I can use the motherboard's built-in utility to re-flash the BIOS before I ever boot the replacement motherboard to any OS, the BIOS always will have oversight of the flashing process. If the BIOS is compromised, all bets are off. I have no way to force it to accept a known-good version of the BIOS.

This concern seems to be reinforced by the Information Security Q&As "Malware that can survive BIOS re-flashing" and "Could once infected machine be ever trusted again?". Though, I had to chuckle at the IMHO-plausible statement in the latter that:

"A possible answer is that if the attacker managed to plant some malware which resisted a complete machine reinstall, then he probably deserves to stay there. At least, this piece of malware has been written by someone who is technically competent".

I feel that there are points of consideration that should allay my fears:

  • I am not a target of interest. A vendor installing malware on a used motherboard I purchased would be doing so only speculatively.
  • There are dozens of different BIOS vendors, and countless versions of BIOS firmware, taking into account all the different motherboard manufacturers and the various models they produce. It's probably impractical to design malware for all these different configurations, so the possibility of malware existing for this particular motherboard seems relatively low (though of course not impossible).
  • If "used motherboards with malware in the BIOS" were a thing at all, it seems like I would've read something in the various computing-related news about even one example of this. But I haven't. Even the originally reported "BadBIOS" that prompted the first cited question above has not been verified, and I'm not aware of any other reports of BIOS malware in the wild that resists overwriting during re-flashing, never mind this being a concern with respect to motherboards purchased as used/salvage.

And of course, there's the suggestion in that other Information Security answer that even if the motherboard is in fact infected with such a virus, that I can at least take comfort in the fact that achieving that level of infection requires enough technical competence that it's likely it at least works as intended, even if maliciously. :)

Are these points valid reasons to go ahead and trust the used motherboard? If not, is there some means by which I could reliably verify that the known-good BIOS I attempt to install does in fact get flashed to the firmware correctly?

Peter Duniho
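The verification the question asks for in its last paragraph only works if the read-back does not depend on the BIOS being checked: read the chip with an external SPI programmer rather than through the board's own flash utility, then compare that dump to the vendor image. As an added example that is not part of the original question, here is the comparison step in Python; it assumes a raw, chip-sized reference image and a hypothetical NVRAM range, and the sample images are constructed stand-ins, not real firmware.

```python
import hashlib

BLOCK = 4096  # common SPI-flash erase-block size; we compare at this granularity

def sha256_hex(data: bytes) -> str:
    """Whole-image fingerprint; record it for the vendor file and for each dump."""
    return hashlib.sha256(data).hexdigest()

def differing_blocks(dump: bytes, reference: bytes, block: int = BLOCK) -> list:
    """Offsets of the blocks in which the chip dump and the reference image differ."""
    if len(dump) != len(reference):
        raise ValueError(f"size mismatch: dump {len(dump)} B, reference {len(reference)} B")
    return [off for off in range(0, len(reference), block)
            if dump[off:off + block] != reference[off:off + block]]

def classify(dump: bytes, reference: bytes, volatile: list) -> tuple:
    """Judge a dump against the reference.

    volatile lists (offset, length) ranges, such as the NVRAM/settings area,
    that legitimately change once the board has booted. Differences confined
    to those ranges are expected; any difference outside them means the code
    on the chip is not what the vendor image says it should be."""
    diffs = differing_blocks(dump, reference)
    unexplained = [off for off in diffs
                   if not any(s <= off < s + n for s, n in volatile)]
    if not diffs:
        return "match", []
    if not unexplained:
        return "volatile-only", []
    return "code-differs", unexplained

# ---- constructed sample data (stand-ins, not real firmware) ----
def build_reference(blocks: int = 16) -> bytes:
    """Deterministic fake 'vendor image' of 16 x 4 KiB blocks."""
    return b"".join(hashlib.sha256(b"block%d" % i).digest() * (BLOCK // 32)
                    for i in range(blocks))

def patch(image: bytes, offset: int, data: bytes) -> bytes:
    """Copy of image with data written at offset (simulates a modified chip)."""
    return image[:offset] + data + image[offset + len(data):]

REFERENCE = build_reference()
VOLATILE = [(0x2000, 0x1000)]  # hypothetical NVRAM block where boot settings live

if __name__ == "__main__":
    print("reference sha256:", sha256_hex(REFERENCE))
    print(classify(REFERENCE, REFERENCE, VOLATILE))                               # match
    print(classify(patch(REFERENCE, 0x2010, b"\xff" * 8), REFERENCE, VOLATILE))   # volatile-only
    print(classify(patch(REFERENCE, 0x5000, b"\x00" * 16), REFERENCE, VOLATILE))  # code-differs
```

A whole-chip hash mismatch alone is therefore not evidence of tampering; what matters is whether blocks outside the settings region differ.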
  • If your only indicator of potential malfeasance is that you bought the product from China, you should probably have a think about your personal biases. – Polynomial Aug 31 '20 at 00:39
  • While all your concerns are certainly possible, unless you are a high enough profile to be a Nation State Target, the most likely risk is receiving a defective product and not being able to get your money back. A little monitoring of the network traffic *from another machine* should catch rogue connections. There are numerous BIOS checking programs that may make you feel better. – user10216038 Aug 31 '20 at 00:40
  • @user10216038: _"There are numerous BIOS checking programs that may make you feel better"_ -- it would help if you would elaborate on that, given that that would directly address a key element of my question. – Peter Duniho Aug 31 '20 at 00:46
  • Try Googling for *bios checker checksum* – user10216038 Aug 31 '20 at 00:52
  • @Polynomial: _"If your only indicator of potential malfeasance is that you bought the product from China"_ -- _only_ indicator? Hardly. Pre-installed malware would be a concern regardless of who was selling the used board. But there is plenty of evidence that there are nation-sponsored malware attacks. I'd have the same concern if I lived in Iran and had purchased a motherboard from a seller in the US. Your accusation of bias is irrelevant and unconstructive. – Peter Duniho Aug 31 '20 at 00:52
  • @user10216038: those search terms didn't turn up anything other than what I'd already found on my own in previous searches. In particular, I found nothing that suggests how to validate BIOS already installed on a machine. Indeed, responses to e.g. https://security.stackexchange.com/questions/107603/is-it-possible-to-determine-if-the-bios-has-been-modified-between-two-points-in support the fear that when the BIOS is compromised, there is no reliable way to guarantee it hasn't been modified. I take it that you yourself are not personally aware of any useful techniques. – Peter Duniho Aug 31 '20 at 00:55
  • Perhaps something like *Universal BIOS Backup Toolkit* may help. But you'll still need a known baseline for comparison. – user10216038 Aug 31 '20 at 03:59
  • @PeterDuniho then, if this specific locale is not a factor, why is it mentioned? Why is the locale a factor at all? Your title and your intro are all about your unease about the *locale*, which makes your bias absolutely relevant. And since you have already found the posts here that talk about the *technical* risks, issues and mitigations, and you still want to ask the question, with specific mention about the *locale*, then it does, indeed, appear that your trust is not about the technology, but the nationality of those who sold it to you. – schroeder Aug 31 '20 at 08:28
  • If this specific locale is not a factor, then this question is a duplicate of many questions here asking about trusting and mitigating risks of hardware in general. – schroeder Aug 31 '20 at 08:29
  • 1) It is a fallacy to think that "people of interest" are the only targets. High volumes of easy-to-crack targets are their own value. 2) It is not necessary to make a custom malicious BIOS for everything, just for the most commonly purchased items. 3) Malicious firmware/hardware is, in fact, a known issue and has impacted commercial electronics and high-end networking equipment for over a decade. – schroeder Aug 31 '20 at 08:39
  • So, can you trust it? Sure. You trust lots of hardware. At some point, you need to trust something or forego using technology built by someone else. But that's a decision, not an assessment. Is it a risk? Yes. And that risk assessment is found in the links you identified. – schroeder Aug 31 '20 at 08:42
  • If you wish to remove this post from your account, there is a process to do that. Since there is an answer with votes, you are blocked from deleting the post outright. Would you like to remove this post from your account? – schroeder Aug 31 '20 at 19:22
  • @schroeder: _"Would you like to remove this post from your account?"_ -- of course I would. That's why I flagged it. The flag was rejected, with the reason that _"Deletion is not necessary"_. Whether a moderator feels deletion is "necessary" is beside the point. The question was poorly received, elicited a lot of off-topic, irrelevant criticism, and no useful answers. It's clear it's not going to help anyone at all, never mind me, and as the author I've already asked for it to be deleted. The rejection of my flag was uncalled for, just adding more unfriendliness to the existing responses. – Peter Duniho Aug 31 '20 at 19:27
  • But, as I mentioned, it cannot be deleted just because you don't want it, because there is an answer with positive upvotes. This is the process we can go through. Remember that all posts here are submitted under Creative Commons, and I, as a mod, have to balance a few different needs than just your own. – schroeder Aug 31 '20 at 19:29
  • @schroeder: _"I, as a mod, have to balance a few different needs than just your own"_ -- frankly, my request to delete has nothing to do with my own needs. Deletion of this question doesn't affect _me_ in any way whatsoever. But it does remove from the site a question that will clutter up search results without providing (according to the community, yourself included) any positive value to the site. _That_ is the reason it should be deleted. A single up-vote on an answer you yourself agree is not useful is no reason to keep this around. – Peter Duniho Aug 31 '20 at 19:32
  • You are making incorrect assumptions about my thoughts about the answer's value just because I critiqued one point within it. Just because something has one flaw does not mean that the whole thing has no value. Life is not binary good/bad. – schroeder Aug 31 '20 at 19:34
  • Yes and no, because there are hardware backdoors; more info: https://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/#gref – simon Sep 02 '20 at 09:49

1 Answer

Trust is scalable. If you flash the BIOS, you could probably trust it to within whatever tolerances you like - perhaps you would personally trust it completely at that point. Only you can do your risk assessment. You said you're not a target. Maybe you're still a little uncomfortable, so maybe you trust it with credit card payments but not to log into your bank or with any true PII (personally identifiable information like SSN, etc.).

Please take into account that vulnerabilities deliberately left behind by a manufacturer are open to potential exploitation by other actors; a corrupt action by a factory employee on multiple systems could be sold to a cybercrime gang for botnet purposes, so "target" might become irrelevant.

Maybe initially set it up on a little isolated private network with a packet sniffer going, and see if it tries to "call home" before using it anywhere open.

user18471
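The isolated-network check the answer suggests can be turned into a repeatable test: capture from a second machine and flag every connection attempt that leaves the lab subnet. As an added example that is not part of the original answer, here is that triage logic in Python over constructed tcpdump-style summary lines; the line format and the 192.168.50.0/24 lab subnet are this example's own assumptions.

```python
import ipaddress
import re
from collections import Counter

# Connection summaries in a tcpdump-like form; the format is this example's assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")

LAB_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed isolated test subnet

# Constructed sample capture from the isolated network (not real traffic).
SAMPLE_LOG = """\
2020-08-31 00:40:01 192.168.50.10:68 -> 192.168.50.1:67 UDP
2020-08-31 00:40:02 192.168.50.10:5353 -> 224.0.0.251:5353 UDP
2020-08-31 00:40:03 192.168.50.10:50211 -> 192.168.50.1:53 UDP
2020-08-31 00:40:04 192.168.50.10:50212 -> 203.0.113.7:443 TCP
2020-08-31 00:40:09 192.168.50.10:50213 -> 203.0.113.7:443 TCP
2020-08-31 00:40:15 192.168.50.10:50214 -> 198.51.100.22:8080 TCP
"""

def parse_line(line: str):
    """Return the fields of one summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_expected(dst: str, lab_net=LAB_NET) -> bool:
    """Traffic that stays inside the lab, or is multicast/link-local chatter
    (mDNS, SSDP, DHCP), is expected; anything else is a candidate call-home."""
    ip = ipaddress.ip_address(dst)
    return (ip in lab_net or ip.is_multicast or ip.is_link_local
            or ip == lab_net.broadcast_address)

def find_callhome(log: str, lab_net=LAB_NET) -> Counter:
    """Count connection attempts per (destination, port, protocol) that leave
    the lab. With no route out these SYNs never complete, but the attempt
    itself is the signal worth watching for."""
    attempts = Counter()
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec and not is_expected(rec["dst"], lab_net):
            attempts[(rec["dst"], int(rec["dport"]), rec["proto"])] += 1
    return attempts

if __name__ == "__main__":
    for (dst, port, proto), n in find_callhome(SAMPLE_LOG).most_common():
        print(f"{dst}:{port}/{proto}  attempts={n}")
```

A short capture proves little on its own: leave the sniffer running across several cold boots and a full OS session, since a beacon that only fires later or only once an OS is up would otherwise be missed.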