
Suppose the UEFI BIOS is infected. The storage device is encrypted, there is no network access to the system, and RAM is encrypted. Is there any writable storage that an infected UEFI can write to where it can store the screenshots that it had recorded?

Bob
  • UEFI can "take screenshots" but not access RAM? Or access the storage media? – schroeder Dec 02 '21 at 10:00
  • 1
    The contents of the screen are only bytes on RAM, on the main board or the GPU. To take a screenshot you definitely have to access RAM. And if the BIOS can read the RAM, it can read any encryption key protecting anything. – ThoriumBR Dec 02 '21 at 10:10
  • The UEFI boot partition can't be encrypted. Things can be stored there, although it's typically pretty small. If you are using a TPM with your disk encryption, it should be able to prevent booting if your UEFI is modified. – user10489 Dec 02 '21 at 12:23
  • @user10489 but if it can take a screenshot, then it's booted. – schroeder Dec 03 '21 at 15:37
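The mitigation user10489 mentions (TPM-backed disk encryption refusing to release the key when the firmware has been modified) rests on measured boot: each boot component is hashed into a PCR, and the disk key is sealed to the expected PCR value. The following is an added illustration, not code from the question or any real TPM stack; the firmware images are constructed sample bytes and the seal/unseal routine is a simplified stand-in for real TPM sealing (which uses the TPM's own key hierarchy and a PCR policy).

```python
import hashlib
import hmac

# Constructed sample images standing in for what the firmware measures into
# PCR0 before the OS loader runs. Any byte change in the image changes PCR0.
CLEAN_FIRMWARE = b"vendor UEFI firmware v1.2.3 (constructed sample)"
INFECTED_FIRMWARE = CLEAN_FIRMWARE + b" + implant"  # hypothetical modified image
DISK_KEY = bytes(range(32))  # constructed 32-byte disk encryption key


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components) -> bytes:
    """Start PCR0 at all zeros (reset value) and extend each component in order."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(key: bytes, expected_pcr: bytes):
    """Simplified sealing: wrap the key under a value derived from the expected PCR
    and attach an integrity tag so a wrong PCR is detected rather than yielding junk."""
    wrap = hmac.new(expected_pcr, b"seal", hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(key, wrap))
    tag = hmac.new(expected_pcr, key, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(blob, current_pcr: bytes):
    """Return the key only if the current PCR equals the one the blob was sealed to."""
    ciphertext, tag = blob
    wrap = hmac.new(current_pcr, b"seal", hashlib.sha256).digest()
    key = bytes(a ^ b for a, b in zip(ciphertext, wrap))
    if not hmac.compare_digest(hmac.new(current_pcr, key, hashlib.sha256).digest(), tag):
        return None  # PCR mismatch: the key stays locked
    return key


def demo():
    """Seal to the clean boot; the modified firmware yields a different PCR0."""
    clean_pcr = measured_boot([CLEAN_FIRMWARE])
    blob = seal(DISK_KEY, clean_pcr)
    infected_pcr = measured_boot([INFECTED_FIRMWARE])
    return unseal(blob, clean_pcr), unseal(blob, infected_pcr)
```

This only holds when the code doing the measuring is itself trustworthy (the root of trust for measurement), which is why platform-level protection of the firmware flash matters as well.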

1 Answer


Theoretically you can store data on each writable storage attached to the system, like the BIOS chip itself, EEPROMs on attached USB devices or NICs, and other peripherals. Whether this is enough to store several screenshots depends on the individual chips. Most full disk encryption solutions leave some parts of the disk unencrypted. Also, encryption does not make your device unwritable. Depending on where you write, you may just get data corruption or no immediately visible effect. The malware might also have the capability to get the encryption key for the disk, either from RAM or while you are typing the password. Side channels would also be a possibility for storing/exfiltrating data.

Emanuel