Hardware backdoors are lethal for three reasons:
- They can’t be removed by conventional means (antivirus, formatting);
- They can circumvent other types of security (passwords, encrypted filesystems); and
- They can be injected at manufacturing time.
At the Black Hat security conference last week, assembly master and long-time security consultant Jonathan Brossard demonstrated a proof-of-concept hardware backdoor. Called Rakshasa (which are unrighteous spirits in Hindu and Buddhist mythoi), this backdoor is persistent, very hard to detect, portable, and because it’s built using open-source tools (Coreboot, SeaBIOS, and iPXE) it could be used by governments and still grant them plausible deniability.
To infect a computer with Rakshasa, Coreboot is used to re-flash the BIOS with a SeaBIOS and iPXE bootkit. This bootkit is benign, and because it’s crafted out of legitimate, open-source tools, it’s very hard for anti-malware software to flag it as malicious.
At boot time, the bootkit fetches malware over the web using an untraceable wireless link if possible (via a hacker parked outside), or HTTPS over the local network. Rakshasa’s malware payload then proceeds to disable the NX (no-execute) bit, remove anti-SMM protections, and disable ASLR (address space layout randomization).