32

I have a machine that I suspect to be compromised and am installing a new OS from a usb. I know that there have been cases of malware surviving this, and even BIOS-reflashing, and something about the malware hiding on other firmware. But how common is it (or how hard is it for someone/something to hide on other firmware)? Even if it is common/plausible, is there even anything that can be done about it (apart from, like, buying a new one, but I'd rather not). If there is, how?

GammaGames
  • 103
  • 3
CoolName
  • 331
  • 2
  • 5

1 Answers1

27

Basically yes, you're right to worry. However, it's not the garden variety adversary that has that kind of capabilities... Also more and more update mechanisms are protected by a signature check, and — save an attacker having physical access to your machine — are pretty tough nuts to crack. Brand-name machines (Lenovo, HP, Dell...) often have solutions to upgrade all firmwares at once (UEFI firmware included) and should give you peace of mind.

On an assembled system, it's a pain to identify all flashable components and locate updates for all of them, but it is doable...

Bruno Rohée
  • 5,221
  • 28
  • 39
  • 1
    Thank you! :D - but just for clarification, does this mean I shouldn't flash firmware if an attacker hasn't gotten physical 'flesh-hands-on' access, or should I do it anyway? – CoolName Jun 02 '22 at 12:19
  • 2
    If your electricity supply is reliable it cannot hurt, and there are possibly bug fixes you'll benefit from... – Bruno Rohée Jun 02 '22 at 12:20
  • Aight. Will do. Again, thank you, you the best. – CoolName Jun 02 '22 at 12:22
  • 11
    And BTW your question is not dumb at all, it's a pretty common headache about what to do with machines post compromise or post compromise suspicion, and many entities get it wrong. – Bruno Rohée Jun 02 '22 at 12:25
  • 2
    Oh, wait, one more thing: The probably-compromised machine has been sharing network with all other devices I own, or have easy access to, at some point during which i suspect it was compromised and the router set-up was pretty insecure (by routersecurity.org standards), so I'm thinking, what if the malware spread to the router and then from there to everything else, making everything compromised. Then maybe that could spread to whatever firmware (or whatever other tool I'm gonna need for the firmware flashing) I download to that device or from that router. Is there some easy-fix, or do I (1/2) – CoolName Jun 02 '22 at 12:33
  • 1
    have to find someone else to borrow from / buy something that I can download whatever I need for the firmware and stuffs from. (2/2) – CoolName Jun 02 '22 at 12:34
  • 6
    Downloading and flashing the USB stick from a known good machine on a (presumably) uncompromised network should be enough. But yes everyone of your machine that shared a network with a compromised machine possibly is compromised itself. – Bruno Rohée Jun 02 '22 at 13:07
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/136766/discussion-between-coolname-and-bruno-rohee). – CoolName Jun 02 '22 at 13:08
  • 4
    Note that there've been documented cases of attackers modifying update tools to _claim_ that they successfully applied a firmware update but only actually change the version number without doing anything else. But I wouldn't expect that to be a common case. – Charles Duffy Jun 03 '22 at 14:02
  • 3
    Though, I wouldn't _really_ have a piece of mind that flashing the BIOS will get rid of malware installed in said BIOS (as malware could have tampered with flashing code in it, and thus just fake flashing or allowing flashing and reinstalling itself afterwards). Only way to be **sure** really is to _nuke it from orbit_ (or at least desolder chips and reprogram them in external programmator) – Matija Nalis Jun 04 '22 at 13:47
  • @MatijaNalis That's why I'm interrested in https://security.stackexchange.com/questions/262231/detecting-bios-changes-on-pc, there may be a way to dump various firmwares in a reliable way (e.g. TPM has TPM2_FirmwareRead, there could be an equivalent for other firmwares). – Bruno Rohée Jun 07 '22 at 08:35