NIST asks for comment on BIOS Protection Guidelines for Servers

"Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization – either a permanent denial of service or a persistent malware presence," says the draft.

Commenting on the NIST announcement, Dennis Fisher says in the Kaspersky Lab ThreatPost, “The idea behind BIOS attacks is to get malicious code onto the lowest level of the machine's instruction set as possible so that it will evade detection. Some of the attack methods that researchers have unveiled in recent years have shown that malware can persist on a machine even after reboots and fresh operating system installation.”

He goes on to outline NIST’s primary BIOS security guidelines: authenticated update mechanisms, staff presence during updates, firmware integrity checking, and non-bypassability features. NIST itself adds, “The security guidelines in this publication do not attempt to prevent installation of unauthentic BIOSs through the supply chain, by physical replacement of the BIOS chip, or through secure local update procedures.” The guidelines are focused on protecting what you’ve got, not protecting what you think you bought.
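To make the first and third guidelines concrete, here is an added Go sketch of the check a platform would run before accepting a firmware image; it is not code from NIST or the draft, and the image layout, constants and function names are assumptions. The signature proves who produced the header (authenticated update) and the embedded digest proves the body was not altered after signing (integrity checking).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not any vendor's format):
// magic(4) | version(4, big-endian) | sha256(body)(32) | ed25519 sig(64) | body
const (
	magic     = "BIOS"
	signedLen = 4 + 4 + sha256.Size
	hdrLen    = signedLen + ed25519.SignatureSize
)

// BuildImage is the vendor-side signing step; the private key never lives on the server.
func BuildImage(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	signed := make([]byte, signedLen)
	copy(signed, magic)
	binary.BigEndian.PutUint32(signed[4:8], version)
	digest := sha256.Sum256(body)
	copy(signed[8:], digest[:])
	sig := ed25519.Sign(priv, signed)
	return append(append(signed, sig...), body...)
}

// VerifyImage is the platform-side gate: refuse to flash unless the header is
// signed by the trusted root key AND the body still matches the signed digest.
func VerifyImage(pub ed25519.PublicKey, img []byte) (uint32, error) {
	if len(img) < hdrLen || string(img[:4]) != magic {
		return 0, errors.New("malformed image header")
	}
	signed, sig := img[:signedLen], img[signedLen:hdrLen]
	if !ed25519.Verify(pub, signed, sig) { // authenticated update: who produced it
		return 0, errors.New("signature does not verify against root key")
	}
	digest := sha256.Sum256(img[hdrLen:])
	if !bytes.Equal(digest[:], signed[8:]) { // integrity: body altered after signing?
		return 0, errors.New("body digest mismatch")
	}
	return binary.BigEndian.Uint32(signed[4:8]), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 7, []byte("constructed firmware body"))
	fmt.Println(VerifyImage(pub, img)) // 7 <nil>
	img[len(img)-1] ^= 0xff             // simulate tampering with the body after signing
	_, err := VerifyImage(pub, img)
	fmt.Println(err) // body digest mismatch
}
```

The check runs against the root key already in the platform, which is exactly why it cannot help with an image that arrived with a pre-compromised chip.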

They don’t, for example, deal with the type of threat illustrated by Rakshasa. Rakshasa is a proof of concept developed and delivered at the recent Black Hat and Defcon conferences by Jonathan Brossard, CEO of French security firm Toucan System. It demonstrates that, with access to the supply chain, ‘hackers’ can inject undetectable and almost irremovable malware into the BIOS. Rakshasa, through the BIOS, would have complete control over the PC.

NIST is asking for comments on its draft via email by 14 September 2012. The draft publication is available online.
