When The Motherboard Comes With a Virus

A UEFI rootkit named CosmicStrand has been detected on several motherboards (the firmware images analyzed in the security write-up came from ASUS and Gigabyte H81 boards). Because it lives in the board's firmware, it can tamper with a Windows installation on any disk, and it survives OS resets (reinstalls) and hard drive replacement.
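As an added example (not code from the video, the write-up, or any vendor tool), the script below is one way to check a board for this kind of tampering: it locates UEFI firmware volumes in a raw SPI-flash dump and reports, volume by volume, which ones differ from a known-good reference image of the same firmware version. It assumes both images are dumps of the same flash layout and that the reference is trusted; the header layout follows the UEFI PI EFI_FIRMWARE_VOLUME_HEADER (the `_FVH` signature at offset 40, a header length field, and a 16-bit header checksum whose words sum to zero). The GUIDs, sizes and the two sample images are constructed test data.

```python
"""Locate UEFI firmware volumes in a raw SPI-flash dump and diff them against a
known-good reference image, volume by volume.

Added example for the CosmicStrand discussion; not code from the video, the
write-up, or any vendor tool.  Assumes both images are dumps of the same flash
layout (ideally read with an external SPI programmer) and that the reference
image is trusted.  The sample images built below are constructed test data.
"""
import hashlib
import struct

FV_SIGNATURE = b"_FVH"                # EFI_FIRMWARE_VOLUME_HEADER.Signature
FV_SIGNATURE_OFFSET = 40              # byte offset of Signature in the header
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"    # ZeroVector..Revision, 56 bytes
FV_FIXED_LEN = struct.calcsize(FV_HEADER_FMT)


def header_checksum_ok(header: bytes) -> bool:
    """UEFI PI: the 16-bit words of the volume header sum to 0 (mod 2**16)."""
    if len(header) < FV_FIXED_LEN or len(header) % 2:
        return False
    words = struct.unpack("<%dH" % (len(header) // 2), header)
    return sum(words) & 0xFFFF == 0


def find_firmware_volumes(image: bytes):
    """Yield (offset, length, filesystem_guid) for each well-formed volume."""
    pos = 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            return
        start = sig - FV_SIGNATURE_OFFSET
        if start >= 0 and start + FV_FIXED_LEN <= len(image):
            fields = struct.unpack_from(FV_HEADER_FMT, image, start)
            guid, fv_len, hdr_len = fields[1], fields[2], fields[5]
            if (FV_FIXED_LEN <= hdr_len <= fv_len
                    and start + fv_len <= len(image)
                    and header_checksum_ok(image[start:start + hdr_len])):
                yield start, fv_len, guid
                pos = start + fv_len          # volumes do not overlap
                continue
        pos = sig + 1                          # false hit: keep scanning


def diff_volumes(reference: bytes, sample: bytes):
    """Hash each volume of the sample and the same region of the reference."""
    report = []
    for start, length, guid in find_firmware_volumes(sample):
        ref_hash = hashlib.sha256(reference[start:start + length]).hexdigest()
        smp_hash = hashlib.sha256(sample[start:start + length]).hexdigest()
        report.append({"offset": start, "length": length, "guid": guid.hex(),
                       "modified": ref_hash != smp_hash})
    return report


def build_volume(guid: bytes, body: bytes) -> bytes:
    """Constructed test data: a minimal volume with a valid header checksum."""
    hdr_len = FV_FIXED_LEN + 16           # one block-map entry plus terminator
    fv_len = hdr_len + len(body)
    fixed = struct.pack(FV_HEADER_FMT, b"\x00" * 16, guid, fv_len, FV_SIGNATURE,
                        0x0004FEFF, hdr_len, 0, 0, 0, 2)
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)
    header = bytearray(fixed + block_map)
    total = sum(struct.unpack("<%dH" % (hdr_len // 2), bytes(header)))
    struct.pack_into("<H", header, 50, (-total) & 0xFFFF)  # Checksum field
    return bytes(header) + body


def build_images():
    """Constructed reference dump and a copy with one byte altered in FV #2."""
    filler = b"\xff" * 64                 # stands in for descriptor/padding
    fv_a = build_volume(b"\x11" * 16, b"\x00" * 512)
    fv_b = build_volume(b"\x22" * 16, b"\x00" * 1024)
    reference = filler + fv_a + fv_b
    tampered = bytearray(reference)
    tampered[len(filler) + len(fv_a) + 300] ^= 0xFF   # inside fv_b's body
    return reference, bytes(tampered)


if __name__ == "__main__":
    reference, dump = build_images()
    for entry in diff_volumes(reference, dump):
        state = "MODIFIED" if entry["modified"] else "ok"
        print(f"FV @0x{entry['offset']:06x} len 0x{entry['length']:06x} "
              f"guid {entry['guid'][:8]}... {state}")
```

Two practical caveats. The dump should come from an external SPI programmer, not from a software reflash tool: firmware that is already compromised sits in the path of any in-band read or update and can return whatever it likes, which is exactly the concern several commenters raise. And expect the NVRAM (variable store) volumes to differ legitimately between two dumps of the same version; the volumes holding DXE drivers, where a rootkit of this kind inserts itself, should not.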

link to writeup:

₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿

Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436

Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV

Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079

Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF

Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz

Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr

Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14

Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp

Ethereum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC

USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB

and be sure to click that notification bell so you know when new videos are released.
Comments

3:16 To terminate the UEFI services, the bootloader/kernel calls ExitBootServices, which is helpfully provided by the UEFI firmware itself - so the kernel cannot in fact shut down a malicious UEFI implementation, it can just ask it nicely to shut itself down

alexvitkov

If this UEFI malware is really sophisticated, I imagine it’s theoretically possible it could reinsert itself into the image when you update, or just fake the update. Now that would be neat / horrifying.

tasta

Man, Welcome back to the 90s... When we had viruses like Anti-CMOS-A that would infect your BIOS.

ajplays-gamesandmusic

Windows: _We're gonna improve security by throwing a ton of weird stuff into microchips!_

*Microchip security gets bypassed anyway.*

AshnSilvercorp

"never trust the maid" _shows image of astolfo in maid outfit_

lizzyfleckenstein

A couple months ago, I ordered an Asus board from Newegg and I didn't notice it wasn't shipped by Newegg until right after I bought it. It arrived in a white box. I emailed the seller to inform them that I ordered a new motherboard, but they sent me a used one that wasn't even the correct model (didn't have WiFi). The seller told me that it was okay because I could trust their quality and they made sure to test it and they would also send me cash in the mail. They also told me not to send it back as the item wasn't eligible for a refund and they would charge me $25 if I sent it back. After over a month of going back and forth with Newegg, I managed to get a refund. I wonder if they were sending me an infected board?

JaekSean

9:16

And this is why I'm glad you informed everyone about the Intel Management Engine and the AMD Platform Security Processor, Windows 11 requiring a TPM (and generally being Spyware already) as those two things alone have already reduced our trust in the hardware our computer has, and the software they (either the government or the tech companies) want us to use.

You are performing a wonderful public service by informing the public, thank you.

mattsparks

Dear Mental Outlaw,

The scariest thing about this - when you described how it must be a man-in-the-middle attack performed after the manufacturing and before the end user receives it,

The scary part is if any of the alphabet boys were suspicious of someone and wanted to get easy info on them, they could see that they're trying to order a motherboard or other computer part and legally intercept it before shipping in order to install infected firmware. This is a terrifying idea that renders online purchases insecure unlike in a store where the motherboards are already there.

It's not a stretch to imagine that some Asian country like the PRC created and/or installed this malware with or without ASUS's knowledge. (as you said this mainly occurred in Asia)

rainofpain

Thinking about it, computer distribution in general is in a very barbaric state. When you are buying a PC, you are literally buying a cat in a bag: no manufacturer seals, no holographic stamps from the factory. Security of the computer supply chain is very important; it needs to be treated like we do with alcohol or medicine: no tampering from the factory conveyor belt onward, period. I live in Asia and I just recently bought an ASUS motherboard that falls directly under the criteria. The problem is, reflashing is done by the motherboard itself, so where is the guarantee that the reflashing mechanism is not also compromised to reject/modify new flashes?

Deniil

PSA: In some brands of notebooks you can NOT reset the BIOS password by removing a battery or with a jumper.
The password is stored in an exclusive partition of the UEFI NAND/NOR chip itself, which is non-volatile memory. Updating/flashing the BIOS through normal means will not remove the password either, since the manufacturer makes it so that updating the firmware only writes over the UEFI partition, leaving alone a partition made exclusively to keep the password.

The only way to remove the password is by using an EEPROM programmer and having a backup of the whole UEFI chip content that doesn't have a password (some people know how to patch the ROM to remove the password, so you may not need the password-free backup).

A brand that I'm aware that is like this is LENOVO.

In short, be sure not to forget your notebook BIOS password, and remember to remove it before selling it.

vitor

0:22 I could hear the painful resistance in his voice from saying “when the malware is sus”.

SheaTDM

This potential type of problem was one reason for the Libreboot project and the use of the older IBM/Lenovo laptops as they represented one of the last environments with publicly available chipset descriptions etc. and the ability to have an open source bios. Of course as time passes these machines become less usable. We just don't know what we're buying nowadays.

Lupinicus

I wouldn’t be surprised a bit if we find out later there is already a back door in hardware from the manufacturer, and they’ll claim it’s for “National Security” and we’ll just say oh you silly geese that’s ok, lol.

rando_bacon

This is not what the original definition of the “Evil Maid Attack” was (as presented at DEFCON).
Instead it’s about any sort of reliable access an attacker or agent of an attacker has to the physical premises, such as the groundskeeping or cleaning employees of a large company that has sensitive hardware.

MOST IMPORTANTLY the timeframe is completely different! The original concept is that the attack can be installed (especially for stuff like EMF Capturing or leaving malicious hardware) then removed at a later date, like a month later. This way the infiltration of the attack and exfiltration of stolen data/etc doesn’t have to go over the network at all!

Zed_Oud

Great video, really made me think. I recently bought a used router. When I hooked it up to my laptop (offline!) I found that it had an unofficial firmware, remote login was enabled and it had a DynDNS configured 😟 The passwords and SSIDs matched the ones on the sticker so Average Joe would have no idea that the person who sold him the router could have full access to his LAN. I suspect this was done maliciously but have no proof. It's crazy how many ways there are to compromise people's security if they don't know what to look for!

JamesWilson

"At that point, the mitigations are pretty straight-forward." 💀

lanch

Someone call Japan and tell them we need a romantic comedy anime about a tsundere maid who keeps trying to hack the protag's computer.

innocentsmith

I'd watch a show about an 1337 haxxor disguised as Consuella.

JanghanHong

11:44 The last part is literally a TRAP.

kimmanapil

Oh boy, so many inaccuracies.
1. You're missing a few layers between ring 0 and UEFI. Namely system management mode is a particularly enticing place to keep your backdoor.
2. An extra chip on the MB is not really a viable backdoor, as there is no good way for it to boss the CPU around. You'd have to modify RAM content to inject code, but x86 uses several levels of indirection to access RAM and those tables are hardly ever flushed from cache because they're being used *all* the time, so you won't find them in RAM, and without them you're looking at a random scrambling of 4k blocks of memory with no idea what's where.
A better example would be a backdoor baked into the CPU's silicon itself. I'm not aware of any in Intel or AMD CPUs, but there have been multiple documented cases with smaller manufacturers.
3. Almost all anti-malware solutions use kernel mode hooks. But also kinda not. When Microsoft introduced PatchGuard (which you mention in the video), they took that ability away. They provided kernel mode scanning APIs for anti-malware products to use instead, but they are limiting and introduce a single point of failure which _has_ been exploited. Now, AV companies _could_ disable PatchGuard, but we choose not to, because fighting a behemoth like Microsoft head-on is not fun.
4. What you're describing is a supply chain attack, not an evil maid attack. Perplexingly, you later describe an evil maid attack correctly, but don't realize it's completely different from what you talked about before.
5. I haven't seen a laptop with a CMOS battery or a clear CMOS jumper in probably two decades. Laptops use flash for storing BIOS/UEFI settings and have no direct way to reset them precisely because by their very nature they are more susceptible to physical tampering. To reset settings on a laptop, you have to hook up a flasher and erase the chip that way.

hellterminator