PC hardware can pose rootkit threat

By Joris Evers on 01 March 2007

PC hardware components can provide a way for hackers to sneak malicious code onto a computer, a security researcher warned Wednesday.

Every component in a PC, such as graphics cards, DVD drives and batteries, has some memory space for the software that runs it, called firmware. Miscreants could use this space to hide malicious code that would load the next time the PC boots, John Heasman, research director at NGS Software, said in a presentation at this week's Black Hat DC event here.

"This is an important area and people should be concerned about this," Heasman said. "Software security is getting better, yet we run increasingly complicated hardware. Unless we address hardware security, we're leaving an interesting avenue for attack."

Malicious code delivered via the memory on hardware components poses a rootkit threat since it will run on the PC before the operating system loads, Heasman said. This likely will hide it from security software and other protection mechanisms, he added. Such low-level malicious code is known as a rootkit.

Moreover, because the malicious code is stored on the hardware component and not a PC's hard disk, reinstalling the operating system or otherwise wiping the disk won't remove the threat.

In his research, Heasman focused on graphics cards inserted in the PCI, PCI Express or AGP slots on a PC motherboard. He found that it is possible to load a few kilobytes of additional code onto the memory of such cards. An attacker could do this by tricking the user into opening a malicious file, for example, he said.

"The PCI bus was developed by Intel in the 1990s. And as we all know, security wasn't in high respects at that time," Heasman said. "On a well-run network, administrators know which machines are on their network, but do they know what PCI devices are on their network? In most cases I'd imagine that the answer is no."

The concept Heasman presented is not new. Other security researchers have highlighted the risk before. And the industry has responded through the Trusted Computing Group and the Trusted Platform Module, which performs additional checks. However, the Trusted Platform Module isn't on every PC and its capabilities aren't always used, Heasman noted.

For increased protection, Heasman recommends scanning the memory on PC expansion cards and other hardware components and analysing what the code stored there does.

E-mail this
Print this
Share this...
- del.icio.us
- digg this
- Reddit
- Slashdot
- StumbleUpon

Join CNET.com.au Free newsletters, post to forums and win prizes. Join now - it's free and easy!

Related links

Hackers pounce on Howard 'heart attack e-mail'

Details of around 750 Australian banking customers may have been compromised after a trojan e-mail -- claiming the prime minister has suffered a heart attack -- was unleashed.
Phishing overtakes viruses and Trojans

Phishing attacks have outnumbered e-mails infected with viruses and Trojan horse programs for the first time, according to security experts.
Experts: Don't buy Vista for the security

Windows Vista is a leap forward in terms of security, but few people who know the operating system say the advances are enough to justify an upgrade.
Sony settles with FTC in rootkit case

Sony BMG Music Entertainment announced on Tuesday that it has reached a proposed settlement with the US Federal Trade Commission over the controversial embedding of antipiracy software its CDs without users' knowledge.
Glossary of Internet security terms

We've created a glossary of the most common terms relating to Internet security to help CNET.com.au users navigate the dangers from A to Z.
Windows Vista's half-cocked firewall

The new Windows Firewall in Windows Vista allows outbound connections by default.