Sponsored: Stop data brokers from exposing your personal information. 😤 Go to aura.com/thiojoe to get a 14-day free trial and see how much of yours is being sold.
The attack would however still work with a logo stored on the EFI partition or NVRAM. Often NVRam and EEPROM are combined into a single flash chip in which case making it read-only wouldn't work. Also other parts of the firmware like intel microcode, USB/Thunderbold peripherals etc. can have security issues which would be baked into the motherboard after shipping. It's basically a 'pick your poison' type of situation.
All of the firmware level malware could be solved by just putting a physical write enable jumper on the motherboard. The EEPROM is read-only by default, if you want to flash the chip, you just move the jumper and reset it when you're done. It's not like you're updating the UEFI/BIOS every week
1) pretty sure this used to be a thing 2) laptops aren't designed to be opened 3) companies want us to be fully reliant on them for all services, so anything that straightforward is anathema to them. 😢
What I loved was an old mobo back in my Vista days (yes, laugh at me) that had tiny switches on it, like lightswitches, instead of jumpers. Flip swich, flash bios, flip switch back. No chance of mangling a jumper with my very clumsy fingers, no chance of dropping it in the carpet to be forever lost. Don't know why those never caught on.
Being able to change the logo is so important that it is well worth adding security issues to implement that feature we all have been waiting for since 1981. Too bad my 10 year old computer is so fast that I never see the logo because it boots faster than the time the monitor needs to show an image after detecting the video signal.
you can change that, in BIOS you can set a delay so it waits before loading into windows. This is useful so you have a chance to get into BIOS instead of mashing "del".
You forgot to mention another way to protect this attack from working if your UEFI has the option to disable the boot logo. Disabling it will effectively eliminate this attack vector. This is specially useful for older motherboards that will never get a proper bios update to tackle this issue.
@@AccessRealty-p7k on most non-corporate desktop motherboards you have the option to disable the boot logo on the boot section of the UEFI menu. Some laptops (specially gaming brands) also have this option.
@@AccessRealty-p7k It's not the UEFI you disable, but the boot logo. First get into the UEFI/Bios by tapping F2 while the computer starts or maybe it's a different key for you. It's also possible access to the Bios was disabled if you bought it from an overly eager computer store.
I updated my BIOS today, before watching this video. Now that I look back to it, it does list "Addresses potential UEFI vulnerabilities (LogoFAIL)" as one of the notes.
Yea my Gigabyte Z170X ultra Gaming Motherboard is dinosur age old. The only update it had was the microcode in 2018. That was it. I have that update but HIGHLY doubt they will update mines again.
@@kolz4ever1980 and if you can't afford another one right now (as Im on ODSP and barely able to eat as it is with less than a dollar to save a month)? I have an ASUS Z170 chipset board too that was donated to me (no code updates for this yet...) Its to replace a GB Z68X board I've had since 2011...
Similar has been possible forever... as long as the BIOS/UEFI is writable from the OS it's a vulnerability -writable BIOS was a thing for a very long time before UEFI existed
I'm one of those that always keeps my bios and other firmware updated to the latest versions. However, I often wait a week or two to watch for complaints of stuff breaking before installing, lol. Thanks again for another awesome bit of news. We love you for always looking out for us and also for all the cool stuff you show us.
@@OmegaBlack999 id like to wait just to be safe but i just have this itch knowing im on outdated software i update immediately(i also just enjoy messing with my pc even if its just a bios update) but I havent been a PC gamer for long, do bad bios updates really happen regularly?
@@ArdaSReal bad BIOS updates don't happen all of the time. It's just a really big deal when it does bc it can brick your mobo, or create a vulnerability, or cause instability, or performance reductions if something is just a little off. Updating your BIOS is generally a great thing, though, giving your mobo increased stability and compatibility with higher frequency RAM and more stable clocks, higher performance, etc. I always update all my drivers, again, I just usually wait a week or two to watch for potentially negative effects to be corrected or diagnosed, even though they are rare.
Oh, did it happen again? Is some malware writing some bad things into the ROM again? Eh, some people in the computer industry never learn. This is far from the first similar case. Remember the CIH Chernobyl virus? This problem has existed since at least the 90s. And there is only one way to protect against this - to make the Read-Only-Memory truly Read-Only! (and place a switch/jumper to enable write, disabled by default).
Not only didn't they learn anything, they store the stupid ring -1 Intel ME in the same NVRAM flash easily rewritable, I literally reflashed it so I could run code inside my chipset, it was fun hacking that part of the hardware.
CIH only effected certain rarer mainboards from gigabyte and some oems. And making the BIOS unrewritable isn't going to solve anything, matter in fact its only going to cause more issues if new exploits are found in lets say... certain feature sets? Enjoy buying an updated motherboard every CPU revision.
@@OctoomyYTOfficial You should learn to read. He specifically said that the motherboards should have a switch to enable writing. In other words, it would be a PHYSICAL block that the user can remove and reinstate at will, blocking the remote access hacks while not affecting the actual user at all (well, barely affecting him...as you'd still need to switch it on and off now and then).
as long as you are careful and prepare well updating a bios is fairy straight forward. HP is a bit of a pain though because you can only do it via a windows executable script that isnt "expandable". I just had a HP laptop with "Optima" tech that died bad. Took the better half of 2 days to fix it. Wondering if this was the exploit used on it as the owner is an outspoken Chaldean who trolls the "middle eastern" PalTalk community...
This honestly sounds like an exploit that could be easily patched by OEM'S. My worry is for computers or motherboards no longer receiving bios updates.
But as a Linux user, I’ve historically received updates before the exploits they patch make headlines like this. For all I know, it’s already been patched for my machine.
By contract they MUST provide critical updates. They do not make the patches, is intel o AMD, they only include the patch in the respective firmware file and make it aviable
@mamailo2011 I have an evga board (z690 dark) and the bios team and motherboard devision at evga is finished. I wonder what happens here when they don't have any developers any more.
lol, intel boot guard, then your amazing motherboard manufacturer uses the same NVRAM for both the intel firmware where the boot guard resides and everything else. To save costs. They also forget to segment write protection in the NVRAM. AMD has the same problem. You can reflash the stock bios but that requires tools because the motherboard manufacturers don't usually even provide a pin header for easily connecting the flashing equipment to the NVRAM. So you might even end up needing to desolder the stupid microchip to flash it. That's if you aren't an unlucky notebook consumer whose manufacturer decided an external NVRAM was too costly and just embedded it in the SoC, then that computer is basically trash, unless they enable you to use JTAG on the SoC, which they usually don't. I wonder why PCs can't be easily JTAGged like smartphones can (well, the ones which aren't that fruit company). It should be a requirement for manufacturers to provide pin headers to easily flash the NVRAM.
@@monad_tcp many motherboards include a bios flash feature that as far as I know doesn't even need to execute an existing bios to work (I assume they have some dedicated hardware just for this feature), so shouldn't that always be able to reflash the bios?
Someone I knew in the late 2000s who was a very good programmer, told me that he had made a virus that wouldn't let you start your computer and basically bricked it. He said what it did, when you turned on the computer, you would see the startup logo screen/BIOS and then the computer would just turn off, preventing you using the computer at all. I had no idea if he actually did make it or not but it sounds something very similar to what you are mentioning with this malware hack.
@@cutekittypetter it was not a close kept secret, the infamous chernobyl did that way back in the day, it was easier back them to have access to the hardware because WindowsXP was a swiss cheese and there was less diversity in the way the BIOS could be written. But even later, It would be possible to still do that attack but it would be expensive as it would require customization for every motherboard type and manufacturer as they now are the weak point as they made the hardware more resilient to cheap attacks, now their software is the weak link, you basically just need to find a way to do what their update driver does.
If it has a functionality to load a user-provided image file it might still be vulnerable, AND the update for firmware this old won't be released ever... Although if your BIOS is text-only, it is likely to have the image stored in raw headerless uncompressed bitmap which would mean that it's probably not possible to exploit However this also means that your BIOS might not have a fix for all the vulnerabilities found since its last update
@@chadfli Most PCs released since 2011 have UEFI. It's very likely you have a UEFI-based firmware which boots in legacy mode. This would likely still be affected.
I am more interested in knowing what such childish move can steal... ... Hehehehe~ Any PC or equipment I used which can be exposed to such risks... ... are more or less for casual purposes. And not even attached with banking details... ... As usual, they are welcomed to steal my gaming data, watch me game on, see what I surf... ... just don't interfere with my gaming and surfing pleasure. As for the real important 'secrets'... ... Hehehehehehehehehehe... ... They can try. Why not.
"Seems like letting the OS write to the BIOS was a really, really bad idea" - If the OS could not write to the BIOS, then there would be no way to update the BIOS other than by physically replacing the chip, which would be even worse. The problem is not letting the OS write to the BIOS. The problem is that companies do not place a strong enough emphasis on security (and, in this case, they apparently outsourced a trivial function which they could easily have written themselves, thereby creating the vulnerability).
@@nomore6167 what you’re saying is not true. Updating the bios is never done via the operating system. It is done by inserting a USB key directly into the motherboard and instructing the write from a file on that USB. It is done before the operating system is loaded. It can also be done over the network by sending the file via the NIC but also in that case it is done before the Operating system is loaded.
@@Necropheliac "what you’re saying is not true. [Updating the bios] is done by inserting a USB key directly into the motherboard... It is done before the operating system is loaded" - No, it is YOU who are wrong. You clearly have no clue about what you speak. BIOS updating can POTENTIALLY be done by going into the BIOS and selecting to update from a file, *IF* it is designed that way and you have compatible hardware. However, updating the BIOS by running an executable from the OS has been done for decades. Also, I love how you're contradicting yourself by first saying "Seems like letting the OS write to the BIOS was a really, really bad idea" and then claiming that BIOS updates are never performed by the OS.
De-emphasizing "If the OS could not write to the BIOS, then there would be no way to update the BIOS other than by physically replacing the chip." Emphasizing "What you’re saying is not true. Updating the bios . . . is done by inserting a USB key directly into the motherboard and instructing the write from a file on that USB. It is done before the operating system is loaded." Kindest regards, friends and neighbours.
So much for UEFI being waaaaaay safer then the old BIOS chips... Of course it's becouse of an oversight on the development team, checking ALL code for lagit signature should be standard
yeah and eufi are actualy dumber then bios, they can load eufi driver wich is better (for things like usb driver) then bios but everything else is just fucked. The boot system is trash, its literaly stored in vram so no power = reset (its realy bad on laptop with removed battery, i run my server with mbr mode because of that and yes my server is a laptop), EUFI driver can literaly modify everything, that even include windows kernel thing. And since eufi driver can be close source (as oppose to linux driver wich are required to be open source if they want to be included by default and access some part of the interface) we don't know what they are doing and they could be harmfull. Proprietary tech is still kill tech industry.
"Of course it's becouse of an oversight on the development team, checking ALL code for lagit signature should be standard" - Lack of signature on an image file is not the big problem here. The problem is the OTHER vulnerabilities in the image display function which allow this exploit to occur (most likely, buffer overflow vulnerabilities). If the image display function was secure, then the only thing a rogue image file could do was cause a vulgar image to be displayed.
6:50 Secure Boot does NOT protect the EFI System Partition. Secure Boot protects against loading arbitrary EFI executables on that partition, e.g. an OS boot loader. It does so by checking any EFI executable against a signature store in the firmware. If the EFI executable is unsigned or the signature is not in the list of trusted signatures, the UEFI will refuse to boot that executable. The EFI System Partition itself is fair game because it's a FAT file system (most firmware implementations don't support anything else) which has no concept of any sort of access rights management like NTFS does to prevent anything from writing to it.
You can protect the ESP by making it read-only using diskpart, when using Windows. I sadly don't know how this is done in Linux (yet). The problem here is, I don't know how Windows will react to this, if the ESP also has the BCD on it and it can't write to it.
@@ZipplyZane -You are not wrong, but making the ESP read-only protects against attacks on the User Privilege level. Just because the ESP is marked as "hidden", doesn't mean, it's not existant. Everyone can write to it, even users under the "Guest" Privilege (the lowest priv level), let that sink in.- Sure, if malware expects the ESP read-only, there will be code to make it writeable. And it still needs Admin to do that. Unless you remove the right to edit drives from your account... (Edited, because i got them mixed up)
@@Sypaka this is incorrect, Windows does restrict access to the EFI system partition to Administrators. (this is a specifically hardcoded check for the EFI system partition only.) there was a time period where MS fucked up and removed this check, but this got fixed eventually
3:12 This is not true (entirely). Secure boot is not designed to verify bios. It's for verifying efi binaries and OpROMs (uefi fimrware in external devices like dGPU). Veryfing bios is possible by verifying digital signature when trying to update it (by running version of bios). It's not standardized through as far I know
Yes, it cannot read or even know of what is happening in ring-minus-whatever by design. there is a lot of code by different manufacturers and sources which runs absolutely stealthily, uncheckable by AVs, and some of it gets hacked once in a while. x86_64 is a mess of corporate backdoors, and there is no fixing it since that functionality is packaged by Intel/AMD and required for CPU to even function at all, same with basic firmware functions that the computer cannot possibly work without.
@@jwhite5008 Looks like you have not heard about coreboot. It can disable ME/PSP. Or by using other vulnerabilities modify their firmware. It would also ofc involve reverse engineering. Very hard but not impossible as you said
@@BxOxSxS Uh, no, nononononono. PSP cannot be disabled or bypassed. It is *the* root of trust during initial bringup, responsible for reading the rest of AGESA from SPI NOR, ranging the DDR links, and copying the UEFI firmware capsule from SPI NOR into DDR memory. The x64 cores are held in reset until this point. PSP and SMU are both simple ARM cores, and can (and do) check and validate the signatures while loading the objects out of NOR. Once the x64 cores are freed and the UEFI firmware begins to start, is where coreboot has a chance to slip in (but only on certain amd-and-google-signed chromebook platforms) and handle responding analogously to the UEFI capsule. The PSP communicates through a shared memory mailbox with a doorbell flag. Very early AGESA versions simply told the PSP to go to sleep until the next full powercycle, which corresponds to the "PSP_DISABLE" option seen in some AM4 boards' CBS settings setup menu. Newer versions make use of the PSP during runtime to handle memory region encryption, being responsible for setting up the keys used for SME zones (from memory, up to sixteen.) and no longer responds to the "PSP_DISABLE" message. It *IS* possible, as you speculate, to mix and match some aspects of the AGESA firmware directory, and send the PSP to sleep, change the mailbox address, or doorbell id, resulting in ignoring further messaging in the firmware, but a linux kernel will rediscover the mailbox and try to set it up for SME (with all zero keys, effectively disabling it) during kernel boot. LogoFail and Boothole both rely on the fact that the firmware contains an actual directory listing section. And we're not even getting into SMBIOS exports or SMM handlers in ACPI tables, or the nastiness that lets platform vendors embed whole PE segments for windows to blindly nod and run during every boot. (Lenovo, i'm looking straight at you.) -- that's partially what jwhite5008 was on about. ME is a different story altogether, based on it's generation. You're mostly correct in your assertation above, in it's case. As it's a completely sidecar processor like a BMC, and does not control anything about intel's early bringup, it can be pruned in a number of ways, from the easy (delete it's firmware sections entirely) to the tinfoilhat (use the 'poorly/discretely documented' disable mode that exists because the NSA demanded a way to turn ME off, aka "High Assurance" mode ((LOL!!))) to the massively paranoid "I'm replacing my SPI NOR flash part with a smaller device so the ME section is incapable of being reflashed upon my hardware as it no longer fits". Plus the forks like oreboot and HEADS and stuff to run on it like tails and qubes... I'm not this paranoid myself but I figured I should understand what the fuss was about before pointing fingers at glass houses and declaring that emperor has no clothes on.
I had to clean up the mess around first, and second week of February. A lot of the PCs running on Windows 10, 11, and Linux were affected. Most of my colleagues realised something was wrong, and shut down their computers immediately. But some of them didn't realise they were under attack. This resulted in malicious updates of BIOS firmware, and in some cases SSD firmware as well. In first step Windows Hello/UAC, defender were affected. In second step BIOS. In few cases settings of (home) router were updated as well. As a person who has been in computer science since 90s, I firmly believe that the firmware should not be able to be updated.
@@futuza the issue with the virus that I faced was it didn't "maliciously" rewrote/update the UEFI firmware. After affecting the UAC, it gave a notification that firmware update was available. UAC, defender, antiviruses were already affected, so the user/OS didn't find the update to be fake/malicious. Basically, user did the installation. Under such scenario a physical jumper would be pointless.
@@kiran9s Well if you're able to trick your user into flipping the switch then yeah it wouldn't do anything, but I think that would at least deter some, as having to open up their desktop/laptop and move a switch would require a lot more effort than most end-users would be willing to go to and cause them to think twice. (You might even padlock a desktop so only IT could unlock it without bypassing the physical lock). Hopefully some would call their IT department for help at that point and raise some red flags before it was really too late. But yeah a physical switch wouldn't make it hack proof just more difficult. Although if ROM were truly unwrittable it would also be unable to be patched so pre-existing vulnerabilities might not be possible to fix without replacing hardware.
can you tell more about that case? thats quite interesting. is there a reason for targeting these people? a firmware infection is even with logofail a special and individual case
@@Yadlina I don't think it was targeted as such. I believe the the virus didn't want to damage/disrupt anything (at least it didn't when we found it). I think all it wanted was data, a sophisticated malware.
Thanks a lot Thio for this! I just updated the BIOSes of my Gigabyte X570 Aorus Master. ...and proceed to have all my settings wiped off, including my fan curves. But it was worth it for this vulnerability alone.
for future, you can save your bios profile settings on your hard drive whenever you are updating the bios saving inside the bios profiles also may work, but on some mobos these are also wiped during the flash, only on some though in most of cases, you can use profiles from older bios versions on new bios versions just fine but if there was massive change in upgraded version - the usage of old bios profile may bring a problem or to not work as it should
A note about BIOS firmware updates. I can't say for certain for all Motherboard manufacturers, but Gigabyte at least is able to detect when the wrong firmware has been used, and won't allow it. Accidentally ran into this problem because of similar models of the same motherboard I have. Be super certain you have the right one otherwise, because some might not be so great at detecting the firmware as valid or invalid. Also, while in the past it was usually common practice to go through each bios update in order until finally updated to the most recent firmware; now-a-days you can usually just update to the newest firmware without a problem. BUT! You really should read through their notes on what is being changed, because sometimes there is something being done in one, that needs to be done first, before you can update to any other afterwards. Kind of rare, but it does happen. Just make sure to copy the existing firmware first before loading any new one, and you will at least have a backup for just in case. Oh, and one more thing. Some manufacturers allow for the disabling of the boot logo. Do that. Even if you update, disable it anyways. It's not really necessary to have in the first place beyond aesthetics, and disabling it makes it so the parser can't run the code in that image file.
"Gigabyte at least is able to detect when the wrong firmware has been used" do you know how they do it ? is it just a chemsum verification or its actualy check for compatibility ?
@@cylian91 🤣🤣🤣 Well actually, it was something he download that let CIH in, they only figured that out after the replacement computers anti virus cought it
I honestly had this happen back in 1999 of course my parents computer... I bought a new award BIOS chip pop- in chip replacement (Imagine that now) pulled the CMOS bat. But years later, it was buried in the MBR drive I kept plugging in to it. I sure LEARNED from that butt whooping !
I doubled my internet speed, with nothing other than 2 batteries, a cut Ethernet cable, and uncut cable, some electrical tape, and a human sacrifice, and all thanks to this guys' videos
Once malware gets onto the ESP or, worse, motherboard, your chances of removing it without repartitioning your disk, reinstalling your OS (or replacing it with a different OS), or, in the worst case, reflashing your UEFI ROM are gone.
i mean, you can usually just delete the .efi file within the ESP partition without having to repartition, but it being able to flash the EFI rom is scary, however its also very hardware specific, so a wide range attack is unlikely
@null7639 0 fill is not necessary. ESP is required to be FAT32 by uefi specification, thus if the fat is lost, it can no longer find the EFI file, making it safe to just clear the fat
@tyroniebalonie Unlikely, most motherboards who have dual bios need to be flashed separately in case something goes horrible wrong. Some even allow you to hardware flash without needing a bios at all, which is great.
One way to at least know if you got hit with that attack is to change your boot image to something custom yourself, other that the stock motherboard logo. Then if you get the virus it will probably change the image back to the stock one so you will easily noticed that something happened.
I thought an out of bound will be possile: The Image parsing Process is hit by the special crafted image data which lead to a one time writing to a neighbbour memory area. so if you change the logo, it does not matter, because malware code was written the first time when the logo failed.
@@Yadlina Good point. But it may be a lot of additional work depending on the nature of the exploit. So replacing a logo (and then disabling it) is still a reasonable precaution. The question is what do you do if you see a manufacturer's logo again? Was it reset by a legitimate update fixing another potential exploit or malware? And if it's the latter then you may have quite a problem of deleting it. Once he exploit runs you cannot rely on anything in the computer being real - not the firmware settings - not changing the logo back - possibly not even emergency settings reset because the image is in non-resettable NAND together with the firmware code itself.
yes, its even higher then riot's vengard (witch is technically a eufi driver, yes they run it higher then windows's kernel level but they also have an interface that is in the kernel)
They've brought it back. Back in the late 80's to early 90's there was one that wiped your bios. The reason it worked was a jumper setting on the motherboard. You had the option of allowing the bios to be programmed or locked and as a default came as programmable. Gigabyte came out with a dual bios to cope with that one being programmable and the other permanently fixed with a jumper that allowed you to overwrite the programmable bios with the original. Also back then the chip that held the bios was capable of being removed and reprogrammed. Guess that's all gone now and with laptop's they never had that protection except in bios and guess the default setting. This is the reason mobile phones have a ROM and separate user space for updates and your files, apps etc
@@Darkk6969I think I also saw someone else mention it would still work despite that being disabled since the code for the logo still resides in the uefi or soemthing like tht
Given that my hardware is well past any manufacturer’s support date (my desktop is 4th gen Core), I don’t exactly have much choice but to run the UEFI as is.
Attack1(EFI partition logo) shouldn't matter because that can be removed by wiping your disk (like any other virus). Attack3(SPI flasher) is actually very relevant for second-hand hardware because the seller or a previous owner could have done that to the board.
Although I updated my BIOS only a couple of months back, I immediately went to check if there was a new BIOS even before finishing your video and there was, so I updated immediately. It is always a nerve wracking experience updating the BIOS as you never know if at that particular point in time is when some idiot is going to crash their car into the power pole and take out the power, or an unscheduled power shutdown will occur. At least now with Dual BIOS if that does happen I can at least get back up and running, but in the years before dual bios was a thing I hated doing bios updates.
Most of my older systems have bootblock recovery. If the main BIOS image is bad it has just enough functionality built in to load a replacement from floppy. On newer boards without floppy support a USB drive can be used.
Yeah. I'll definitely be looking deeper into this. Thanks. One note: if somehow, power is lost during a BIOS/UEFI firmware flash, depending on the hardware, it's possible to have a firmware backup restore what was lost, but not all hardware configs support this, but my older DELL, which I no longer have (stolen!), supported this, and I know for a fact, that my current PC, also a DELL, supports this. However, if it does not, there usually is a way to reset the firmware, but it requires a lot of technical knowledge and probably two, three grand worth of specialized equipment most people won't have, because there's no way to do it with just a connected keyboard anymore, not since Windows XP, anyway. As for this weird exploit, why is it even a thing?
It doesn't cost anywhere near two thousand dollars for the equipment to reset a BIOS chip. You just need a programmer and a way to connect it to the chip. I've done it twice myself. First time was with a $35 Raspberry Pi and the second time was with a $9 FTDI adapter. Worst case you need to fully remove the BIOS chip from the board but I did this with a standard soldering iron.
Thanks for the information. Slightly frightened, I checked version of my actual "BIOS" and It includes a fix for this exploit. I generally update the firmware and software of all devices, precisely because it addresses not only bug fixes, but also various exploits.
Reminds me of that one time, my cousin had to ask someone else. When I visited him, all his programs were reverted to shit versions. Even Winamp was reverted to 1.x - I installed Winamp 3.x prior this "I know what I do" dude. Took me 4 hours to get his PC back to work properly. When I asked why that dude reinstalled Winamp, my cousin said, that guy said "thats not Winamp, Winamp XP doesn't exist". This guy literally didn't know what a Winamp Skin is.
My computer is literally immune to that, its physically immune. I just severed the write trace going to the EPROM where the NVRAM is stored, its impossible for software to do that. I didn't do it for security but because I burned my secondary NVRAM and had to make a hack to keep the motherboard working.
@@stayfunsteven2207 UEFI (Unified Extensible Firmware Interface) is not the same as the traditional BIOS (Basic Input/Output System), although it serves a similar purpose as the software interface between the operating system and the firmware of a computer. UEFI is a modern replacement for BIOS, offering several advantages such as faster boot times, support for larger hard drives, a user-friendly graphical interface, and advanced security features like Secure Boot. While BIOS operates in 16-bit mode, UEFI can run in 32-bit or 64-bit mode, allowing for a more robust and feature-rich environment before the operating system loads.
Good job. You had me captivated the whole video and i'm so ADD i barely make it 2 minutes. BIOS is always the included in my mind when I look for updates on my computers, not just OS or Installed Apps. Thanks!
@@Natzawa no, I think that's the only edge it's got. It's just telling people about an unexploited vulnerability. It doesn't count as a warning since there is no danger.
Because in any case it requires privilege escalation... anyway in most all scenarios it would be pointless to brick a computer you just spent time getting access to.
Back in the day, we (a bunch of defense programmers with new computers having a certain feature) found a way of getting around the BIOS protection of the boot sector. It was obscure, but not difficult, and, as one can imagine, the bad guys also soon caught on. I fully admit that I was one of those people who never thought that computer viruses would ever be the problem that they became.
Despite being born into electronics, I was too much of a pussy to attempt a BIOS update by myself. Even though I've never bricked any of my devices and even though I've installed custom firmware on all of my consoles (which is basically the same thing as a BIOS update), I was always scared of fucking it up or something going wrong, like a power cut occuring at the most inopportune time. But after this video, I finally worked up the courage to do it. The update process itself took considerably longer than it did on some UA-cam videos, plus I had a mini-stroke when the TV kept losing and finding the signal for half a minute, but all's well that ends well. My computer is safe and I learned something new. Thanks, TJ!
I need to pluck up courage later if there is one available otherwise keep doing offline backups until I get a replacement which I don't need right now.
An i correct in assuming that the standard "don't get a virus" advice - don't download sketchy files, don't open sketchy emails, virus scan everything you download, etc. - are still useful for preventing the virus from getting into a computer in the first place? Or is it possible to fall victim to this stuff without any user interaction?
yes, this in itself would require user interaction. however in case there's a new exploit found that runs code without the user's interaction, you could still be infected with this.
Well we must do that at least till we get a proper firmware patch, until then: stay vigilant, keep running your third party anti-virus software in the background with all the active modules enabled, don't visit sketchy webpages, keep your web browser updated and obviously, only download your firmwares from the official manufacturer and so on.
Using secure folder/controlled access on windows is very important, even if you install weird nonsense it will prevent anything you didn't whitelist from writing to those critical places.
if you really have a bios infection, forget the system. you cannot trust any of your hardware devices at that time. even if you can sucessfully reflash the bios to normal, the nic or gpu bios could be infected too. if you are confronted with such problems, chances are there are serious psychopats chasing on you. (or a 3 letter agency is interested in you, but in this case you most likely wont detect the infection)
@@Yadlina LOL. Next you'll be claiming such a virus can jump the air gap and infect your system from the speakers of an adjacent PC. Kids these days...
@@raylopez99what are you dreamin about? assume you have a firmware level infection and think about the implications of that fact. this is not an ordinary malware infection and is well crafted to one individual system. just only you cannot comprehend the implications should not leading you to such a bold (and ludicrous) statement
@@Yadlina You don't understand either sarcasm nor the actual virus that can jump an airgap (Google this). Study more son and when you're at my level (I code for fun, C# is my language) let's continue the conversation.
Good info Joe, thanks! I have never updated my BIOS. Every time I've ever looked into it the methods/instructions/guidelines are so convoluted and broken I could not understand wtf they were talking about, so it was never worth my risking trying to unravel the spaghetti-sentences to do it. So, I will probably not do it now either, as I can't see how things have become easier to understand. Computer info doesn't seem to go in that direction.
"It's a hack that replace image on a startup with a malicious code" Wait you can change startup image? i wonder what should i change my image to? (later in a video) MSI users are safe because startup image cannot be changed in these motherboards darn... well at least I'm safe
I am beginning to think there are only two real problems in our world today: 1. Windows, and 2. Microsoft's attempts to prevent their own cancerous products from being cured.
Whenever I think I have a virus I wipe the hard drive, flash the bios and reinstall windows. I don't mess around with it too much. When you computer starts acting up too much like not booting into the proper device or efi errors or cmos errors just do what i do and you will be clean. Pay atention to what you install on your machine. Do your homework before you install.
I've been doing lots of windows bootloader research in the last few years, which naturally overlaps with UEFI. I've found some interesting post-exploitation tricks that a bootkit could perform. At one point I successfully performed a proof of concept attack where changing some settings (programatically) causes all boot attempts to fail. The bootkit payload itself could work around this and allow boot to succeed, but booting from any known good (uncompromised) boot media would be impossible unless you know what was done and how to revert it.
It also accessing system level privileges at first glance, but next routine is where it turns tedious, as it comes upto the BIOS and just showing up a circle rotating
Back when I was having a lot of trouble with hacking, a favorite tactic seemed to be corrupting my BIOS firmware to prevent booting from USB in order to prevent use of rescue disks
Use a known good security suite (Norton, Bitdefender, etc.). These routinely check and guard the UEFI portion of the hard drive, in addition to monitoring actions of code running in your computer. Use a bios password, and not "password!" Mine won't allow any updates without it. Only update your bios with a flash file downloaded directly from your hardware manufacturer or the bios manufacturer. Never download or run software from the Internet unless it's from known good sources.
This just gives me a reason to update my bios on my lga 1200 system. They surprisingly released a version to fix this issue almost 3 years after the motherboard was released
I was using a technique like this for years to modify new bios updates for the PS4- a lot of the games I played like Surviving Mars, Autonauts, etc are direct PC ports. So the games still have the mouse & keyboard support, it was just that the system didn't. I did this so I could pre-load mouse & keyboard drivers to give the PS4 the software equivalent of legacy hardware support. Sadly, even with that, some games like Rimworld wouldn't recognize that a mouse was connected, even though it did see the keyboard. It's ALWAYS worth updating your PC's bios. Usually there are other changes that allow better leveraging of your PC's resources, improved RAM, CPU, or Integrated GPU clock speeds- etc, in addition to the more important security benefits. It should also be noted that many Laptop motherboard vendors stop supplying new bios updates just a few years after release- where as most desktop motherboard vendors continue for 5+ years.
In theory yes, unfortunately that would probably fail because it should normally check to see if the version # & or Build # is the same, & if so it will probably just tell you that it's already that version. It's worth a shot though, because if it won't accept it it should just cancel the operation before it actually starts to flash the chip.@@fjdi8whduw93d
Sponsored: Stop data brokers from exposing your personal information. 😤 Go to aura.com/thiojoe to get a 14-day free trial and see how much of yours is being sold.
What if your motherboard has dual uefi? Couldnt I just switch my uefi if one of them got compromised or does this infect both?
no
ew no
Would not be Suprised if DARPA and other 3 letter agenices i won't mention had this for decades yet somehow got in bad hands
ok (:
this is why it should be read only until a jumper is changed like the old days
Underrated comment
The attack would however still work with a logo stored on the EFI partition or NVRAM.
Often NVRam and EEPROM are combined into a single flash chip in which case making it read-only wouldn't work.
Also other parts of the firmware like intel microcode, USB/Thunderbold peripherals etc. can have security issues which would be baked into the motherboard after shipping. It's basically a 'pick your poison' type of situation.
*OEM's having 500 strokes per second at the thought*
Very practical solutions when you have edge boxes in the middle of nowhere and you need to remote flash.
Most UEFIs store the settings on a flash chip, so if you make it Read only you couldn't change settings.
All of the firmware level malware could be solved by just putting a physical write enable jumper on the motherboard. The EEPROM is read-only by default, if you want to flash the chip, you just move the jumper and reset it when you're done. It's not like you're updating the UEFI/BIOS every week
Yeah, why isn't this standard yet? Would love this on hard drives too
1) pretty sure this used to be a thing
2) laptops aren't designed to be opened
3) companies want us to be fully reliant on them for all services, so anything that straightforward is anathema to them. 😢
Yes, I dunno why they don't just do this with UEFI. They basically used to back in BIOS land. It'd be nice to have this option for ssds as well
What I loved was an old mobo back in my Vista days (yes, laugh at me) that had tiny switches on it, like lightswitches, instead of jumpers. Flip swich, flash bios, flip switch back. No chance of mangling a jumper with my very clumsy fingers, no chance of dropping it in the carpet to be forever lost. Don't know why those never caught on.
@@marenjones6665 -- Power users loved them. But penny pinching took over manufacturing. EVERY penny matters when making millions of some item.
Being able to change the logo is so important that it is well worth adding security issues to implement that feature we all have been waiting for since 1981. Too bad my 10 year old computer is so fast that I never see the logo because it boots faster than the time the monitor needs to show an image after detecting the video signal.
the irony
Samesies.
That's why I haven't messed with splash screen images in so long. My work assigned laptop is the only one I ever see the logo on anyway.
you can change that, in BIOS you can set a delay so it waits before loading into windows. This is useful so you have a chance to get into BIOS instead of mashing "del".
Why do you think that changing the logo is important? End user isn't usually interested in branding.
You forgot to mention another way to protect this attack from working if your UEFI has the option to disable the boot logo. Disabling it will effectively eliminate this attack vector. This is specially useful for older motherboards that will never get a proper bios update to tackle this issue.
Good tip. Quick and easy to do.
How do you disable the UEFI ?
Thank you 😊
@@AccessRealty-p7k on most non-corporate desktop motherboards you have the option to disable the boot logo on the boot section of the UEFI menu. Some laptops (specially gaming brands) also have this option.
@@AccessRealty-p7k It's not the UEFI you disable, but the boot logo. First get into the UEFI/Bios by tapping F2 while the computer starts or maybe it's a different key for you. It's also possible access to the Bios was disabled if you bought it from an overly eager computer store.
Well, my older computer doesn't even have an UEFI so it don't support the virus at all 😂
I updated my BIOS today, before watching this video.
Now that I look back to it, it does list "Addresses potential UEFI vulnerabilities (LogoFAIL)" as one of the notes.
HELL NAW
My thesis from 2012 is now in fruition. Thanks for this share gonna send this video to a few of people.
Let's see your thesis
My motherboard manufacturer hasn't relased an update in the past 3 years. Wonderful! :)
Yea my Gigabyte Z170X ultra Gaming Motherboard is dinosur age old. The only update it had was the microcode in 2018. That was it. I have that update but HIGHLY doubt they will update mines again.
time to update that relic you're pretending is a pc ;)
@@kolz4ever1980 and if you can't afford another one right now (as Im on ODSP and barely able to eat as it is with less than a dollar to save a month)? I have an ASUS Z170 chipset board too that was donated to me (no code updates for this yet...) Its to replace a GB Z68X board I've had since 2011...
Dont listen to that other guy,your pc is wonderful without any uodates whatsoever
@@joaoborgesrodriguesalves6554 😆 when did care bear bitching for out dated PCs that are ages old become a thing?
I called this *years* ago when UEFI first came about and I saw that there was going to be a link between the OS and "BIOS".
Similar has been possible forever... as long as the BIOS/UEFI is writable from the OS it's a vulnerability -writable BIOS was a thing for a very long time before UEFI existed
Thanks for keeping us well informed❤
I'm one of those that always keeps my bios and other firmware updated to the latest versions. However, I often wait a week or two to watch for complaints of stuff breaking before installing, lol.
Thanks again for another awesome bit of news. We love you for always looking out for us and also for all the cool stuff you show us.
@@OmegaBlack999 id like to wait just to be safe but i just have this itch knowing im on outdated software i update immediately(i also just enjoy messing with my pc even if its just a bios update) but I havent been a PC gamer for long, do bad bios updates really happen regularly?
@@ArdaSReal bad BIOS updates don't happen all of the time. It's just a really big deal when it does bc it can brick your mobo, or create a vulnerability, or cause instability, or performance reductions if something is just a little off.
Updating your BIOS is generally a great thing, though, giving your mobo increased stability and compatibility with higher frequency RAM and more stable clocks, higher performance, etc.
I always update all my drivers, again, I just usually wait a week or two to watch for potentially negative effects to be corrected or diagnosed, even though they are rare.
Oh, did it happen again? Is some malware writing some bad things into the ROM again? Eh, some people in the computer industry never learn. This is far from the first similar case. Remember the CIH Chernobyl virus? This problem has existed since at least the 90s. And there is only one way to protect against this - to make the Read-Only-Memory truly Read-Only! (and place a switch/jumper to enable write, disabled by default).
Not only didn't they learn anything, they store the stupid ring -1 Intel ME in the same NVRAM flash easily rewritable, I literally reflashed it so I could run code inside my chipset, it was fun hacking that part of the hardware.
CIH only effected certain rarer mainboards from gigabyte and some oems. And making the BIOS unrewritable isn't going to solve anything, matter in fact its only going to cause more issues if new exploits are found in lets say... certain feature sets? Enjoy buying an updated motherboard every CPU revision.
@@OctoomyYTOfficial If bios memory is read-only no virus will get inside. No virus will be found, that's all
The irony of having writable ROM (Read Only Memory) lol
@@OctoomyYTOfficial You should learn to read. He specifically said that the motherboards should have a switch to enable writing. In other words, it would be a PHYSICAL block that the user can remove and reinstate at will, blocking the remote access hacks while not affecting the actual user at all (well, barely affecting him...as you'd still need to switch it on and off now and then).
Thanks, I just updated the BIOS. HP had an update dated a week ago. I'm 63 and that's a scary update to do, But it only took a few minutes.
Hell yeah ✊🏽✊🏽
as long as you are careful and prepare well updating a bios is fairy straight forward. HP is a bit of a pain though because you can only do it via a windows executable script that isnt "expandable".
I just had a HP laptop with "Optima" tech that died bad. Took the better half of 2 days to fix it. Wondering if this was the exploit used on it as the owner is an outspoken Chaldean who trolls the "middle eastern" PalTalk community...
This honestly sounds like an exploit that could be easily patched by OEM'S. My worry is for computers or motherboards no longer receiving bios updates.
They tend to drag their feet. Getting a business grade laptop tends to expedite patching.
But as a Linux user, I’ve historically received updates before the exploits they patch make headlines like this. For all I know, it’s already been patched for my machine.
@@aycc-nbh7289It's not an exploit in the operating system. It's an exploit in UEFI. To patch it, you'd need an UEFI update.
By contract they MUST provide critical updates. They do not make the patches, is intel o AMD, they only include the patch in the respective firmware file and make it aviable
@mamailo2011 I have an evga board (z690 dark) and the bios team and motherboard devision at evga is finished. I wonder what happens here when they don't have any developers any more.
Two things:
1: Isn't Intel boot guard only for Intel? What about AMD users?
2: Can't you just reflash the stock bios to remove the virus?
Yes, and Mobo manufacturers already released fix for most models as new bios revisions
lol, intel boot guard, then your amazing motherboard manufacturer uses the same NVRAM for both the intel firmware where the boot guard resides and everything else. To save costs.
They also forget to segment write protection in the NVRAM.
AMD has the same problem.
You can reflash the stock bios but that requires tools because the motherboard manufacturers don't usually even provide a pin header for easily connecting the flashing equipment to the NVRAM. So you might even end up needing to desolder the stupid microchip to flash it.
That's if you aren't an unlucky notebook consumer whose manufacturer decided an external NVRAM was too costly and just embedded it in the SoC, then that computer is basically trash, unless they enable you to use JTAG on the SoC, which they usually don't.
I wonder why PCs can't be easily JTAGged like smartphones can (well, the ones which aren't that fruit company). It should be a requirement for manufacturers to provide pin headers to easily flash the NVRAM.
@@monad_tcp many motherboards include a bios flash feature that as far as I know doesn't even need to execute an existing bios to work (I assume they have some dedicated hardware just for this feature), so shouldn't that always be able to reflash the bios?
@@monad_tcp And very few motherboards have flashback like Asus does for some of their motherboards.
2. Probably not, since the malware could simply disallow any updates
Someone I knew in the late 2000s who was a very good programmer, told me that he had made a virus that wouldn't let you start your computer and basically bricked it. He said what it did, when you turned on the computer, you would see the startup logo screen/BIOS and then the computer would just turn off, preventing you using the computer at all. I had no idea if he actually did make it or not but it sounds something very similar to what you are mentioning with this malware hack.
Except back then there was no UEFI but yeah otherwise something familliar except how can a logo br malicious is another question
@@cutekittypetter it was not a close kept secret, the infamous chernobyl did that way back in the day, it was easier back them to have access to the hardware because WindowsXP was a swiss cheese and there was less diversity in the way the BIOS could be written.
But even later, It would be possible to still do that attack but it would be expensive as it would require customization for every motherboard type and manufacturer as they now are the weak point as they made the hardware more resilient to cheap attacks, now their software is the weak link, you basically just need to find a way to do what their update driver does.
The feds are gonna knock on your door now lmao
@@monad_tcp oooooh u right
@@monad_tcp wouldnt it be easier to just fabricate a short by connecting some pins with solder or something?
My old ass system still boots Windows 10 from a non-UEFI bios.
If it has a functionality to load a user-provided image file it might still be vulnerable, AND the update for firmware this old won't be released ever...
Although if your BIOS is text-only, it is likely to have the image stored in raw headerless uncompressed bitmap which would mean that it's probably not possible to exploit
However this also means that your BIOS might not have a fix for all the vulnerabilities found since its last update
mine is from 2012 and is a dell. no uefi at all. so imight be safe, pls confirm
@@chadfli Most PCs released since 2011 have UEFI. It's very likely you have a UEFI-based firmware which boots in legacy mode. This would likely still be affected.
@eDOC2020 jokes on me, my computer still has PhoenixBIOS.
@@spamburner9303 I have AwardBIOS on a few systems.
The people that figure this stuff out are VERY dedicated and VERY patient.
Thank you, this is the most important information I've come across this year by a long shot.
Sweet, this is the stuff I really find interesting!
I am more interested in knowing what such childish move can steal... ... Hehehehe~
Any PC or equipment I used which can be exposed to such risks... ... are more or less for casual purposes. And not even attached with banking details... ...
As usual, they are welcomed to steal my gaming data, watch me game on, see what I surf... ... just don't interfere with my gaming and surfing pleasure.
As for the real important 'secrets'... ... Hehehehehehehehehehe... ...
They can try. Why not.
Seems like letting the OS write to the BIOS was a really, really bad idea.
Emphasizing "Seems like letting the OS write to the BIOS was a really, really bad idea."
"Seems like letting the OS write to the BIOS was a really, really bad idea" - If the OS could not write to the BIOS, then there would be no way to update the BIOS other than by physically replacing the chip, which would be even worse. The problem is not letting the OS write to the BIOS. The problem is that companies do not place a strong enough emphasis on security (and, in this case, they apparently outsourced a trivial function which they could easily have written themselves, thereby creating the vulnerability).
@@nomore6167 what you’re saying is not true. Updating the bios is never done via the operating system. It is done by inserting a USB key directly into the motherboard and instructing the write from a file on that USB. It is done before the operating system is loaded. It can also be done over the network by sending the file via the NIC but also in that case it is done before the Operating system is loaded.
@@Necropheliac "what you’re saying is not true. [Updating the bios] is done by inserting a USB key directly into the motherboard... It is done before the operating system is loaded" - No, it is YOU who are wrong. You clearly have no clue about what you speak. BIOS updating can POTENTIALLY be done by going into the BIOS and selecting to update from a file, *IF* it is designed that way and you have compatible hardware. However, updating the BIOS by running an executable from the OS has been done for decades.
Also, I love how you're contradicting yourself by first saying "Seems like letting the OS write to the BIOS was a really, really bad idea" and then claiming that BIOS updates are never performed by the OS.
De-emphasizing "If the OS could not write to the BIOS, then there would be no way to update the BIOS other than by physically replacing the chip."
Emphasizing "What you’re saying is not true. Updating the bios . . . is done by inserting a USB key directly into the motherboard and instructing the write from a file on that USB. It is done before the operating system is loaded."
Kindest regards, friends and neighbours.
So much for UEFI being waaaaaay safer then the old BIOS chips...
Of course it's becouse of an oversight on the development team, checking ALL code for lagit signature should be standard
Knew this kinda thing would happen when I saw how complicated UEFI was compared to the old BIOS system.
yeah and eufi are actualy dumber then bios, they can load eufi driver wich is better (for things like usb driver) then bios but everything else is just fucked. The boot system is trash, its literaly stored in vram so no power = reset (its realy bad on laptop with removed battery, i run my server with mbr mode because of that and yes my server is a laptop), EUFI driver can literaly modify everything, that even include windows kernel thing. And since eufi driver can be close source (as oppose to linux driver wich are required to be open source if they want to be included by default and access some part of the interface) we don't know what they are doing and they could be harmfull.
Proprietary tech is still kill tech industry.
At some level it's all held together with chewing gum and bailing twine 🙈
It was just a matter of time ... Hate UEFI.
"Of course it's becouse of an oversight on the development team, checking ALL code for lagit signature should be standard" - Lack of signature on an image file is not the big problem here. The problem is the OTHER vulnerabilities in the image display function which allow this exploit to occur (most likely, buffer overflow vulnerabilities). If the image display function was secure, then the only thing a rogue image file could do was cause a vulgar image to be displayed.
6:50 Secure Boot does NOT protect the EFI System Partition. Secure Boot protects against loading arbitrary EFI executables on that partition, e.g. an OS boot loader. It does so by checking any EFI executable against a signature store in the firmware. If the EFI executable is unsigned or the signature is not in the list of trusted signatures, the UEFI will refuse to boot that executable. The EFI System Partition itself is fair game because it's a FAT file system (most firmware implementations don't support anything else) which has no concept of any sort of access rights management like NTFS does to prevent anything from writing to it.
Good to know 🧐
You can protect the ESP by making it read-only using diskpart, when using Windows. I sadly don't know how this is done in Linux (yet). The problem here is, I don't know how Windows will react to this, if the ESP also has the BCD on it and it can't write to it.
@@Sypaka If software can set it as read-only, then malware could set it as writeable.
@@ZipplyZane -You are not wrong, but making the ESP read-only protects against attacks on the User Privilege level. Just because the ESP is marked as "hidden", doesn't mean, it's not existant. Everyone can write to it, even users under the "Guest" Privilege (the lowest priv level), let that sink in.- Sure, if malware expects the ESP read-only, there will be code to make it writeable. And it still needs Admin to do that. Unless you remove the right to edit drives from your account... (Edited, because i got them mixed up)
@@Sypaka this is incorrect, Windows does restrict access to the EFI system partition to Administrators. (this is a specifically hardcoded check for the EFI system partition only.)
there was a time period where MS fucked up and removed this check, but this got fixed eventually
Bios needs to be standardized and open sourced completely via GPL3 across all platforms
So, Coreboot?
Chromebook moment
BIOSes and UEFIs are standardized.
Why GPL3 instead of GPL2?
UEFI is an open standard and there are plenty of open source implementations available. Proxmox actually uses one.
3:12 This is not true (entirely). Secure boot is not designed to verify bios. It's for verifying efi binaries and OpROMs (uefi fimrware in external devices like dGPU). Veryfing bios is possible by verifying digital signature when trying to update it (by running version of bios). It's not standardized through as far I know
Yes, it cannot read or even know of what is happening in ring-minus-whatever by design.
there is a lot of code by different manufacturers and sources which runs absolutely stealthily, uncheckable by AVs, and some of it gets hacked once in a while.
x86_64 is a mess of corporate backdoors, and there is no fixing it since that functionality is packaged by Intel/AMD and required for CPU to even function at all, same with basic firmware functions that the computer cannot possibly work without.
@@jwhite5008 Looks like you have not heard about coreboot. It can disable ME/PSP. Or by using other vulnerabilities modify their firmware. It would also ofc involve reverse engineering. Very hard but not impossible as you said
@@BxOxSxS Uh, no, nononononono. PSP cannot be disabled or bypassed. It is *the* root of trust during initial bringup, responsible for reading the rest of AGESA from SPI NOR, ranging the DDR links, and copying the UEFI firmware capsule from SPI NOR into DDR memory. The x64 cores are held in reset until this point. PSP and SMU are both simple ARM cores, and can (and do) check and validate the signatures while loading the objects out of NOR. Once the x64 cores are freed and the UEFI firmware begins to start, is where coreboot has a chance to slip in (but only on certain amd-and-google-signed chromebook platforms) and handle responding analogously to the UEFI capsule. The PSP communicates through a shared memory mailbox with a doorbell flag. Very early AGESA versions simply told the PSP to go to sleep until the next full powercycle, which corresponds to the "PSP_DISABLE" option seen in some AM4 boards' CBS settings setup menu. Newer versions make use of the PSP during runtime to handle memory region encryption, being responsible for setting up the keys used for SME zones (from memory, up to sixteen.) and no longer responds to the "PSP_DISABLE" message.
It *IS* possible, as you speculate, to mix and match some aspects of the AGESA firmware directory, and send the PSP to sleep, change the mailbox address, or doorbell id, resulting in ignoring further messaging in the firmware, but a linux kernel will rediscover the mailbox and try to set it up for SME (with all zero keys, effectively disabling it) during kernel boot.
LogoFail and Boothole both rely on the fact that the firmware contains an actual directory listing section.
And we're not even getting into SMBIOS exports or SMM handlers in ACPI tables, or the nastiness that lets platform vendors embed whole PE segments for windows to blindly nod and run during every boot. (Lenovo, i'm looking straight at you.) -- that's partially what jwhite5008 was on about.
ME is a different story altogether, based on it's generation. You're mostly correct in your assertation above, in it's case. As it's a completely sidecar processor like a BMC, and does not control anything about intel's early bringup, it can be pruned in a number of ways, from the easy (delete it's firmware sections entirely) to the tinfoilhat (use the 'poorly/discretely documented' disable mode that exists because the NSA demanded a way to turn ME off, aka "High Assurance" mode ((LOL!!))) to the massively paranoid "I'm replacing my SPI NOR flash part with a smaller device so the ME section is incapable of being reflashed upon my hardware as it no longer fits".
Plus the forks like oreboot and HEADS and stuff to run on it like tails and qubes...
I'm not this paranoid myself but I figured I should understand what the fuss was about before pointing fingers at glass houses and declaring that emperor has no clothes on.
Yes you could hash check versions like most secure firmware does
I had to clean up the mess around first, and second week of February. A lot of the PCs running on Windows 10, 11, and Linux were affected. Most of my colleagues realised something was wrong, and shut down their computers immediately. But some of them didn't realise they were under attack. This resulted in malicious updates of BIOS firmware, and in some cases SSD firmware as well.
In first step Windows Hello/UAC, defender were affected. In second step BIOS. In few cases settings of (home) router were updated as well.
As a person who has been in computer science since 90s, I firmly believe that the firmware should not be able to be updated.
At the very least I'd like a physical switch on the board that prevents it from being written to
@@futuza the issue with the virus that I faced was it didn't "maliciously" rewrote/update the UEFI firmware. After affecting the UAC, it gave a notification that firmware update was available. UAC, defender, antiviruses were already affected, so the user/OS didn't find the update to be fake/malicious. Basically, user did the installation. Under such scenario a physical jumper would be pointless.
@@kiran9s Well if you're able to trick your user into flipping the switch then yeah it wouldn't do anything, but I think that would at least deter some, as having to open up their desktop/laptop and move a switch would require a lot more effort than most end-users would be willing to go to and cause them to think twice. (You might even padlock a desktop so only IT could unlock it without bypassing the physical lock). Hopefully some would call their IT department for help at that point and raise some red flags before it was really too late. But yeah a physical switch wouldn't make it hack proof just more difficult.
Although if ROM were truly unwrittable it would also be unable to be patched so pre-existing vulnerabilities might not be possible to fix without replacing hardware.
can you tell more about that case? thats quite interesting. is there a reason for targeting these people? a firmware infection is even with logofail a special and individual case
@@Yadlina I don't think it was targeted as such. I believe the the virus didn't want to damage/disrupt anything (at least it didn't when we found it). I think all it wanted was data, a sophisticated malware.
Thanks a lot Thio for this! I just updated the BIOSes of my Gigabyte X570 Aorus Master.
...and proceed to have all my settings wiped off, including my fan curves. But it was worth it for this vulnerability alone.
yes thanks Thio for the PSA, and me too. and don't forget your xmp settings
for future, you can save your bios profile settings on your hard drive whenever you are updating the bios
saving inside the bios profiles also may work, but on some mobos these are also wiped during the flash, only on some though
in most of cases, you can use profiles from older bios versions on new bios versions just fine
but if there was massive change in upgraded version - the usage of old bios profile may bring a problem or to not work as it should
@@cskillers1I know about it. I just... only thought about it after the fact... when everything was gone.
@@Lebon19 yeah happens man, happened to me too
A note about BIOS firmware updates. I can't say for certain for all Motherboard manufacturers, but Gigabyte at least is able to detect when the wrong firmware has been used, and won't allow it. Accidentally ran into this problem because of similar models of the same motherboard I have. Be super certain you have the right one otherwise, because some might not be so great at detecting the firmware as valid or invalid. Also, while in the past it was usually common practice to go through each bios update in order until finally updated to the most recent firmware; now-a-days you can usually just update to the newest firmware without a problem. BUT! You really should read through their notes on what is being changed, because sometimes there is something being done in one, that needs to be done first, before you can update to any other afterwards. Kind of rare, but it does happen.
Just make sure to copy the existing firmware first before loading any new one, and you will at least have a backup for just in case.
Oh, and one more thing. Some manufacturers allow for the disabling of the boot logo. Do that. Even if you update, disable it anyways. It's not really necessary to have in the first place beyond aesthetics, and disabling it makes it so the parser can't run the code in that image file.
"Gigabyte at least is able to detect when the wrong firmware has been used" do you know how they do it ? is it just a chemsum verification or its actualy check for compatibility ?
@@cylian91Lenovo has bootguard, but you can turn that off by changing a single bit in the firmware.
Thank you Joe and UA-cam for recommending this I’ll jump on the pc now and check for an bios update 🇬🇧👍
Reminds me back of the CIH virus
Fun fact a friend of mine his family computer was one of the few the payload actually worked on.
@@JohnSmith-xq1pz wait you tried on your friend's famility computer ? lmao
@@cylian91 🤣🤣🤣 Well actually, it was something he download that let CIH in, they only figured that out after the replacement computers anti virus cought it
Thank you. I was unaware of this and will get our desktops and laptops flashed this week.
I honestly had this happen back in 1999 of course my parents computer... I bought a new award BIOS chip pop- in chip replacement (Imagine that now) pulled the CMOS bat. But years later, it was buried in the MBR drive I kept plugging in to it. I sure LEARNED from that butt whooping !
now these mobos hate their consumer and want to solder everything together to make sure they are screwed.
Socketed BIOS chips are not uncommon on higher-end "enthusiast" motherboards.
Thanks for the heads up. I updated my Gigabyte BIOS firmware to latest version, which does deal with this LogoFail issue.
Why does this guy not get more views, likes, subs & comments.
i love this guy's videos
I doubled my internet speed, with nothing other than 2 batteries, a cut Ethernet cable, and uncut cable, some electrical tape, and a human sacrifice, and all thanks to this guys' videos
@@GregoryShtevensh really?
@@Elytraz17 Sort his videos by old 😉
@@RT-. ok?.......
these are the things that keep me awake at night and why I decided to study cybersecurity.
Thanks for this - I have a Lenovo and it performed a firmware update this week.
which model do you have?
i have the 81we model and it doesn't show up for recent bios updates.
i got it in somewhere 2020
@@aname-kg3cb Ideapad 5 Creators Edition Pro 16ARH7
It looks like you are not going to go out of business any time soon Mr. Joe..... always fun to be had. Cheers.
Once malware gets onto the ESP or, worse, motherboard, your chances of removing it without repartitioning your disk, reinstalling your OS (or replacing it with a different OS), or, in the worst case, reflashing your UEFI ROM are gone.
i mean, you can usually just delete the .efi file within the ESP partition without having to repartition, but it being able to flash the EFI rom is scary, however its also very hardware specific, so a wide range attack is unlikely
if it’s esp just wipe gpt and 0fill esp if paranoid (not in that order)
What if your motherboard has dual uefi? Couldnt I just switch my uefi if one of them got compromised or does this infect both?
@null7639 0 fill is not necessary. ESP is required to be FAT32 by uefi specification, thus if the fat is lost, it can no longer find the EFI file, making it safe to just clear the fat
@tyroniebalonie Unlikely, most motherboards who have dual bios need to be flashed separately in case something goes horrible wrong. Some even allow you to hardware flash without needing a bios at all, which is great.
Thanks! I wasn't aware of this and just updated my systems
One way to at least know if you got hit with that attack is to change your boot image to something custom yourself, other that the stock motherboard logo. Then if you get the virus it will probably change the image back to the stock one so you will easily noticed that something happened.
That sounds like good SOP
Malware isn't going to announce itself by displaying a different logo
I thought an out of bound will be possile: The Image parsing Process is hit by the special crafted image data which lead to a one time writing to a neighbbour memory area. so if you change the logo, it does not matter, because malware code was written the first time when the logo failed.
@@Yadlina Good point. But it may be a lot of additional work depending on the nature of the exploit. So replacing a logo (and then disabling it) is still a reasonable precaution.
The question is what do you do if you see a manufacturer's logo again? Was it reset by a legitimate update fixing another potential exploit or malware? And if it's the latter then you may have quite a problem of deleting it. Once he exploit runs you cannot rely on anything in the computer being real - not the firmware settings - not changing the logo back - possibly not even emergency settings reset because the image is in non-resettable NAND together with the firmware code itself.
But: finding out that something changed is not the same as preventing the problem. How do you recover your system once the bios has been hacked?
In the late ‘90s there was NYB, wiping the drive wasn’t enough for that. It was a memory-resident boot sector virus.
1:40 So what you're saying is; basically ASUS Armoury Crate
Goofy ahh software
yes, its even higher then riot's vengard (witch is technically a eufi driver, yes they run it higher then windows's kernel level but they also have an interface that is in the kernel)
Or even msi's version. Both are unsettling to deal with until you find that setting.
They've brought it back. Back in the late 80's to early 90's there was one that wiped your bios. The reason it worked was a jumper setting on the motherboard. You had the option of allowing the bios to be programmed or locked and as a default came as programmable. Gigabyte came out with a dual bios to cope with that one being programmable and the other permanently fixed with a jumper that allowed you to overwrite the programmable bios with the original. Also back then the chip that held the bios was capable of being removed and reprogrammed. Guess that's all gone now and with laptop's they never had that protection except in bios and guess the default setting. This is the reason mobile phones have a ROM and separate user space for updates and your files, apps etc
There are no more Bios updates for my computer as it is too old.
Thank you for your videos and your insight!
Yes, it is extremely frustrating that manufacturers aren't going to fix this on many computers, including some that aren't all that old.
Someone suggested to turn off display LOGO in BIOS settings.
@@Darkk6969I think I also saw someone else mention it would still work despite that being disabled since the code for the logo still resides in the uefi or soemthing like tht
Thanks. I’ll be looking for bios updates.
Thanks, brother. Very informative as always.
May the gods bless your wee cotton socks, sir. Managed to get a BIOS update for these shenanigans which I was oblivious to. Thanks, boss! 🙏
Given that my hardware is well past any manufacturer’s support date (my desktop is 4th gen Core), I don’t exactly have much choice but to run the UEFI as is.
This is why it's a must to have an Arsenal today...
You need extra computers, laptops and mobile devices and a backup hard drive..
Guess laptops are screwed then. My laptop is not even that old but the latest bios is from September 2023
That's... fairly recent, though?
Attack1(EFI partition logo) shouldn't matter because that can be removed by wiping your disk (like any other virus). Attack3(SPI flasher) is actually very relevant for second-hand hardware because the seller or a previous owner could have done that to the board.
Exactly. Rather than risk anything, entire server boards are thrown away.
Although I updated my BIOS only a couple of months back, I immediately went to check if there was a new BIOS even before finishing your video and there was, so I updated immediately. It is always a nerve wracking experience updating the BIOS as you never know if at that particular point in time is when some idiot is going to crash their car into the power pole and take out the power, or an unscheduled power shutdown will occur. At least now with Dual BIOS if that does happen I can at least get back up and running, but in the years before dual bios was a thing I hated doing bios updates.
Yep, there is always that fear...."c'mon BIOS, hurry up and finish!" You could plug into a UPS, but how many of us have working ones lying around?
Most of my older systems have bootblock recovery. If the main BIOS image is bad it has just enough functionality built in to load a replacement from floppy. On newer boards without floppy support a USB drive can be used.
Yeah. I'll definitely be looking deeper into this. Thanks.
One note: if somehow, power is lost during a BIOS/UEFI firmware flash, depending on the hardware, it's possible to have a firmware backup restore what was lost, but not all hardware configs support this, but my older DELL, which I no longer have (stolen!), supported this, and I know for a fact, that my current PC, also a DELL, supports this. However, if it does not, there usually is a way to reset the firmware, but it requires a lot of technical knowledge and probably two, three grand worth of specialized equipment most people won't have, because there's no way to do it with just a connected keyboard anymore, not since Windows XP, anyway.
As for this weird exploit, why is it even a thing?
It doesn't cost anywhere near two thousand dollars for the equipment to reset a BIOS chip. You just need a programmer and a way to connect it to the chip. I've done it twice myself. First time was with a $35 Raspberry Pi and the second time was with a $9 FTDI adapter. Worst case you need to fully remove the BIOS chip from the board but I did this with a standard soldering iron.
Thanks for the information. Slightly frightened, I checked version of my actual "BIOS" and It includes a fix for this exploit.
I generally update the firmware and software of all devices, precisely because it addresses not only bug fixes, but also various exploits.
Very important video about cybersecurity.
Don't get a friend who is "good with computers," get a friend who IS good with computers.
🤣
Reminds me of that one time, my cousin had to ask someone else. When I visited him, all his programs were reverted to shit versions. Even Winamp was reverted to 1.x - I installed Winamp 3.x prior this "I know what I do" dude. Took me 4 hours to get his PC back to work properly.
When I asked why that dude reinstalled Winamp, my cousin said, that guy said "thats not Winamp, Winamp XP doesn't exist". This guy literally didn't know what a Winamp Skin is.
some pcs and laptops, mainly lenovo ones, when reinstalling/reformatting ask you if you want to reset your bios, pretty useful
My computer is literally immune to that, its physically immune. I just severed the write trace going to the EPROM where the NVRAM is stored, its impossible for software to do that. I didn't do it for security but because I burned my secondary NVRAM and had to make a hack to keep the motherboard working.
Thats clever, physical acces is like god mode if you know what you're doing
The boot logo is typically on disk, so why would your system be immune?
@@shanent5793It can't screw with the bios even if the boot logo is modified, so wiping the disk will actually fix it
@@daanwindt1633 if it were immune then you wouldn't have to do anything, so why wipe the disk?
@@shanent5793 Because the code could do more than just write to the bios flash. That's what I would do at least, but I'm not a security expert
Don't forget that there is also potential to hide malware in other devices, such as routers or printers...
I think you’re the first person I saw on UA-cam to call the UEFI actually UEFI and not BIOS. Or to say that it is actually caller UEFI and not BIOS.
uefi is still a BIOS
@@ChrisWijtmansit is not
@@stayfunsteven2207 UEFI (Unified Extensible Firmware Interface) is not the same as the traditional BIOS (Basic Input/Output System), although it serves a similar purpose as the software interface between the operating system and the firmware of a computer. UEFI is a modern replacement for BIOS, offering several advantages such as faster boot times, support for larger hard drives, a user-friendly graphical interface, and advanced security features like Secure Boot. While BIOS operates in 16-bit mode, UEFI can run in 32-bit or 64-bit mode, allowing for a more robust and feature-rich environment before the operating system loads.
nonsense
Done all of my devices last night. Thanks👌
Had a bunch of Lenovo's and Dell's have FW updates in the last couple of weeks, Wonder if its for this
Good job. You had me captivated the whole video and i'm so ADD i barely make it 2 minutes. BIOS is always the included in my mind when I look for updates on my computers, not just OS or Installed Apps. Thanks!
There haven't been any instances of this attack type yet, and that's why it's important to post a video about it on a popular channel. Request heard.
It’s a double edge sword since the hackers who didn’t know are now aware of this.
@@Natzawa no, I think that's the only edge it's got. It's just telling people about an unexploited vulnerability. It doesn't count as a warning since there is no danger.
Because in any case it requires privilege escalation... anyway in most all scenarios it would be pointless to brick a computer you just spent time getting access to.
Back in the day, we (a bunch of defense programmers with new computers having a certain feature) found a way of getting around the BIOS protection of the boot sector. It was obscure, but not difficult, and, as one can imagine, the bad guys also soon caught on.
I fully admit that I was one of those people who never thought that computer viruses would ever be the problem that they became.
This is interesting, are only laptop/pcs are effected or could it effect any other embedded devices too?
Despite being born into electronics, I was too much of a pussy to attempt a BIOS update by myself. Even though I've never bricked any of my devices and even though I've installed custom firmware on all of my consoles (which is basically the same thing as a BIOS update), I was always scared of fucking it up or something going wrong, like a power cut occuring at the most inopportune time. But after this video, I finally worked up the courage to do it. The update process itself took considerably longer than it did on some UA-cam videos, plus I had a mini-stroke when the TV kept losing and finding the signal for half a minute, but all's well that ends well. My computer is safe and I learned something new.
Thanks, TJ!
I need to pluck up courage later if there is one available otherwise keep doing offline backups until I get a replacement which I don't need right now.
New fear unlocked ☠️
why? do you not think windows is more useful to hackers than bios?
this won't even be used, just like spectre/meltdown....
Agreed 💀💀
Thanks for the info. Best to have your PC plugged into a UPS when updating the BIOS.
An i correct in assuming that the standard "don't get a virus" advice - don't download sketchy files, don't open sketchy emails, virus scan everything you download, etc. - are still useful for preventing the virus from getting into a computer in the first place? Or is it possible to fall victim to this stuff without any user interaction?
yes, this in itself would require user interaction. however in case there's a new exploit found that runs code without the user's interaction, you could still be infected with this.
Unless a new zero-day is found which just gives anyone who opens a web browser a virus; I'd say, its still good advice
Yes, but zero-day exploits are extremely common (notice how often your browser and OS needs security updates for example)
@@futuza, True, but by then a lot of damage has already been done (if it's discovered by sum hacker)
Well we must do that at least till we get a proper firmware patch, until then: stay vigilant, keep running your third party anti-virus software in the background with all the active modules enabled, don't visit sketchy webpages, keep your web browser updated and obviously, only download your firmwares from the official manufacturer and so on.
Thanks for this, just updated mine.
00:02 Find his wife's dirty videos on the internet.
Lmaooo 😂😂😂
Bruh
Using secure folder/controlled access on windows is very important, even if you install weird nonsense it will prevent anything you didn't whitelist from writing to those critical places.
Thanks for telling me how to make an un-destroyable operating system. Thanks ThioJoe 😂
Can't we get rid of a BIOS/firmware virus by reflashing/updating the BIOS?
An infected system won't let you do that. It would need to be rewritten by an external programmer
if you really have a bios infection, forget the system. you cannot trust any of your hardware devices at that time. even if you can sucessfully reflash the bios to normal, the nic or gpu bios could be infected too. if you are confronted with such problems, chances are there are serious psychopats chasing on you. (or a 3 letter agency is interested in you, but in this case you most likely wont detect the infection)
@@Yadlina LOL. Next you'll be claiming such a virus can jump the air gap and infect your system from the speakers of an adjacent PC. Kids these days...
@@raylopez99what are you dreamin about? assume you have a firmware level infection and think about the implications of that fact. this is not an ordinary malware infection and is well crafted to one individual system. just only you cannot comprehend the implications should not leading you to such a bold (and ludicrous) statement
@@Yadlina You don't understand either sarcasm nor the actual virus that can jump an airgap (Google this). Study more son and when you're at my level (I code for fun, C# is my language) let's continue the conversation.
Good info Joe, thanks! I have never updated my BIOS. Every time I've ever looked into it the methods/instructions/guidelines are so convoluted and broken I could not understand wtf they were talking about, so it was never worth my risking trying to unravel the spaghetti-sentences to do it. So, I will probably not do it now either, as I can't see how things have become easier to understand. Computer info doesn't seem to go in that direction.
"It's a hack that replace image on a startup with a malicious code"
Wait you can change startup image? i wonder what should i change my image to?
(later in a video)
MSI users are safe because startup image cannot be changed in these motherboards
darn... well at least I'm safe
Many thanks for these informations. It would be useful to have a group of users in order to FORCE computer manufacturers to address this.
dont comment “first”
Firs.
First
oneth
first
tsrif
Outstanding video. TJ! Thank you!!
I have a MSI motherboard so hopefully I'm safe
me too, and I have Windows installed in Legacy mode
@@pankoza you are safe in legacy mode but why do you run in legacy mode ?
@@cylian91 Bro probably forgot to enable UEFI boot.
the PC originally had Windows 7 and I didn't feel like enabling UEFI mode@@cylian91
msi got hacked ... so no we are screwed.
Uh, yeah I'm definitly gonna check if I need a BIOS update
I am beginning to think there are only two real problems in our world today: 1. Windows, and 2. Microsoft's attempts to prevent their own cancerous products from being cured.
So manny things out there that can put our computers at risk that everyday is more and more difficult feeling secure.
Whenever I think I have a virus I wipe the hard drive, flash the bios and reinstall windows. I don't mess around with it too much. When you computer starts acting up too much like not booting into the proper device or efi errors or cmos errors just do what i do and you will be clean. Pay atention to what you install on your machine. Do your homework before you install.
If I'm on the latest bios, can I overwrite this virus with the same bios version or an older bios version and all is good? Thx
I've been doing lots of windows bootloader research in the last few years, which naturally overlaps with UEFI. I've found some interesting post-exploitation tricks that a bootkit could perform. At one point I successfully performed a proof of concept attack where changing some settings (programatically) causes all boot attempts to fail. The bootkit payload itself could work around this and allow boot to succeed, but booting from any known good (uncompromised) boot media would be impossible unless you know what was done and how to revert it.
Or you just change the boot addressing
I think non-uefi devices are also safe
It also accessing system level privileges at first glance, but next routine is where it turns tedious, as it comes upto the BIOS and just showing up a circle rotating
Just wipe the BIOS.
You do that you might as well buy a whole new computer or motherboard afterwards just saying.
@@RoyCyberPunkHardly..have you never updated a system's BIOS from a thumb drive?
@@pbox8728
The only way that a board could do this is if it has a separate ROM that has such a set of instructions.
@@pbox8728 wtf. Every laptop can be flashed. I've never seen one that can't. Lol. This has nothing to do with flashback
@@RoyCyberPunk drivel.
Updating my bios asap
Is this reality?
Yes
No WAKE UP
WAKE UP
WAKE UP
WAKE UP
Thanks, luckily the Bios update for me was 2 updates ago.👍
Not first
lol
False
Back when I was having a lot of trouble with hacking, a favorite tactic seemed to be corrupting my BIOS firmware to prevent booting from USB in order to prevent use of rescue disks
Use a known good security suite (Norton, Bitdefender, etc.). These routinely check and guard the UEFI portion of the hard drive, in addition to monitoring actions of code running in your computer.
Use a bios password, and not "password!" Mine won't allow any updates without it.
Only update your bios with a flash file downloaded directly from your hardware manufacturer or the bios manufacturer.
Never download or run software from the Internet unless it's from known good sources.
This just gives me a reason to update my bios on my lga 1200 system. They surprisingly released a version to fix this issue almost 3 years after the motherboard was released
Old motherboards DID indeed have a write protect jumper. One jumper to clear CMOS, and another for Write Protect. This should be re-implemented.
I was using a technique like this for years to modify new bios updates for the PS4- a lot of the games I played like Surviving Mars, Autonauts, etc are direct PC ports. So the games still have the mouse & keyboard support, it was just that the system didn't. I did this so I could pre-load mouse & keyboard drivers to give the PS4 the software equivalent of legacy hardware support. Sadly, even with that, some games like Rimworld wouldn't recognize that a mouse was connected, even though it did see the keyboard.
It's ALWAYS worth updating your PC's bios. Usually there are other changes that allow better leveraging of your PC's resources, improved RAM, CPU, or Integrated GPU clock speeds- etc, in addition to the more important security benefits. It should also be noted that many Laptop motherboard vendors stop supplying new bios updates just a few years after release- where as most desktop motherboard vendors continue for 5+ years.
In theory yes, unfortunately that would probably fail because it should normally check to see if the version # & or Build # is the same, & if so it will probably just tell you that it's already that version. It's worth a shot though, because if it won't accept it it should just cancel the operation before it actually starts to flash the chip.@@fjdi8whduw93d