Vulnerabilities discovered in the BIOS make that pretty much all computers are currently vulnerable to malware that can monitor anything that happens on the infected system. Security researchers have demonstrated a proof-of-concept during a security conference. The demonstrated malware should be able to infect up to 80% of all computers.
Because the malware is active on the level of the BIOS, the malware is operating system agnostic. The researchers demonstrated a proof-of-concept for both Windows 10 as Tails, a Linux based operating system, advertised as very secure, which deletes all traces when it's shut down. Using the demonstrated method, the researchers could intercept the a PGP key from Tails.
The proof-of-concept works because, according to the researchers, it abuses a security mistake in Intel's X-86 and Intel-64 architecture. In those architectures the System Management Mode (SMM) always has read and write access to all memory locations, even if the operating system uses it. Malware can secretly abuse SMM to read the contents of the memory of the affected computer.
The proof-of-concept is called LightEater and uses Intel Serial Over Lan to infect the BIOS.
System Management Mode executes special software like firmware and debuggers with elevated administrator privileges for applications like power management, system administration etc. Information leaked by whistleblower Snowed already revealed that the NSA abused SSM on a similar way as the researchers demonstrated.
Computers can be infected using malicious email attachments when the system supports UEFI to update the BIOS. If that isn't possible then physical access to the machine is required, e.g. to insert an infected USB stick. According to the researchers it takes less than 2 minutes to infect a system with the LightEather malware.
The researchers have contacted all computer manufacturers, but due to the huge amount of vulnerabilities in the BIOS of the manufacturers not all of them have replied. Dell has promised to patch the reported vulnerabilities and also Lenovo has replied it aims to fix the issues. Other manufacturers that ship computers with a vulnerable BIOS are Asus, HP and LG.
