Editing BIOS (section)
== {{Anchor|MEBROMI|DualBIOS}}Security ==
{{More citations needed section|date=March 2019}}
[[File:Qfj32gelötet.jpg|thumb|332px|[[Gigabyte Technology|Gigabyte]] DualBIOS [[Plastic-leaded chip carrier|PLCC]]32]]
[[File:Bios chip-2011-04-11.jpg|thumb|A detached BIOS chip]]
[[EEPROM]] and [[flash memory]] chips are advantageous because they can be easily updated by the user; it is customary for hardware manufacturers to issue BIOS updates to upgrade their products, improve compatibility and remove [[software bug|bugs]]. However, this advantage carries the risk that an improperly executed or aborted BIOS update could render the computer or device unusable. To avoid these situations, more recent BIOSes use a "boot block", a portion of the BIOS which runs first and must be updated separately. This code verifies that the rest of the BIOS is intact (using [[hash function|hash]] [[checksum]]s or other methods) before transferring control to it. If the boot block detects any corruption in the main BIOS, it will typically warn the user that a recovery process must be initiated by booting from [[removable media]] (floppy, CD or USB flash drive) so the user can try flashing the BIOS again. Some [[motherboard]]s have a ''backup'' BIOS (sometimes referred to as DualBIOS boards) to recover from BIOS corruption.

There are at least five known viruses that attack the BIOS, two of which were for demonstration purposes. The first one found in the wild was ''Mebromi'', targeting Chinese users.

The first BIOS virus was BIOS Meningitis, which infected BIOS chips rather than erasing them. BIOS Meningitis was relatively harmless compared to a virus like [[CIH (computer virus)|CIH]].

The second BIOS virus was [[CIH (computer virus)|CIH]], also known as the "Chernobyl Virus", which was able to erase flash ROM BIOS content on compatible chipsets. CIH appeared in mid-1998 and became active in April 1999. Often, infected computers could no longer boot, and people had to remove the flash ROM IC from the motherboard and reprogram it. CIH targeted the then-widespread Intel i430TX motherboard chipset and took advantage of the fact that the [[Windows 9x]] operating systems, also widespread at the time, allowed direct hardware access to all programs. Modern systems are not vulnerable to CIH because the variety of chipsets now in use is incompatible with the Intel i430TX chipset, and because other flash ROM IC types are used. There is also extra protection from accidental BIOS rewrites in the form of boot blocks which are protected from accidental overwrite, or dual- and quad-BIOS equipped systems which may, in the event of a crash, use a backup BIOS. Also, all modern operating systems such as [[FreeBSD]], [[Linux]], [[macOS]] and [[Windows NT]]-based Windows OS like [[Windows 2000]], [[Windows XP]] and newer do not allow [[Protection ring|user-mode]] programs direct hardware access; hardware is reached through a [[Hardware Abstraction Layer|hardware abstraction layer]].<ref>{{Cite web |title=Definition of hardware abstraction layer |url=https://www.pcmag.com/encyclopedia/term/hardware-abstraction-layer |access-date=2022-07-11 |website=PCMAG |language=en}}</ref> As a result, as of 2008, CIH has become essentially harmless, at worst causing annoyance by infecting executable files and triggering antivirus software. Other BIOS viruses remain possible, however;<ref name="Yam">[http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html New BIOS Virus Withstands HDD Wipes], 27 March 2009. Marcus Yam. Tom's Hardware US</ref> since most Windows home users without Windows Vista/7's UAC run all applications with administrative privileges, a modern CIH-like virus could in principle still gain access to hardware without first using an exploit.{{Citation needed|date=March 2019}}<!-- no longer relevant to modern operating systems. requires deletion?? --> The operating system [[OpenBSD]] prevents all users from having this access, and the grsecurity patch for the Linux kernel also prevents this direct hardware access by default; an attacker would then require a much more difficult kernel-level exploit or a reboot of the machine.{{Citation needed|date=March 2019}}

The third BIOS virus was a technique presented by John Heasman, principal security consultant for UK-based Next-Generation Security Software. In 2006, at the Black Hat Security Conference, he showed how to elevate privileges and read physical memory, using malicious procedures that replaced normal [[Advanced Configuration and Power Interface|ACPI]] functions stored in flash memory.<ref>{{Cite web|url=https://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html|title=Black Hat 2006 Multimedia - Presentation, Audio and Video Archives|website=www.blackhat.com|access-date=2019-04-21}}</ref>

The fourth BIOS virus was a technique called "Persistent BIOS infection". It appeared in 2009 at the CanSecWest Security Conference in Vancouver, and at the SyScan Security Conference in Singapore. Researchers [[Anibal Sacco]]<ref name="AutoTU-1"/> and Alfredo Ortega, from Core Security Technologies, demonstrated how to insert malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at start-up, even before the operating system is booted. The proof of concept does not exploit a flaw in the BIOS implementation, but only involves the normal BIOS flashing procedures. Thus, it requires physical access to the machine, or for the user to be root. Despite these requirements, Ortega underlined the profound implications of his and Sacco's discovery: "We can patch a driver to drop a fully working [[rootkit]]. We even have a little code that can remove or disable antivirus."<ref name="Fisher"/>

Mebromi is a [[Trojan horse (computing)|trojan]] which targets computers with [[AwardBIOS]], [[Microsoft Windows]], and [[antivirus software]] from two Chinese companies: Rising Antivirus and Jiangmin KV Antivirus.<ref name="Giuliani"/><ref name="BMW"/><ref name="Yuan"/> Mebromi installs a rootkit which infects the [[Master boot record]].

In a December 2013 interview with ''[[60 Minutes]]'', Deborah Plunkett, Information Assurance Director for the US [[National Security Agency]], claimed the NSA had uncovered and thwarted a possible BIOS attack by a foreign nation state targeting the US financial system.<ref name="cbs-news-60-minutes"/> The program cited anonymous sources alleging it was a Chinese plot.<ref name="cbs-news-60-minutes"/> However, follow-up articles in ''[[The Guardian]],''<ref name="Ackerman"/> ''[[The Atlantic]],''<ref>{{cite web|first1=Conor|last1=Friedersdorf|access-date=2019-03-26|title=A Question for 60 Minutes: Why Would China Want to Destroy the Global Economy?|url=https://www.theatlantic.com/international/archive/2013/12/a-question-for-em-60-minutes-em-why-would-china-want-to-destroy-the-global-economy/282376/|date=16 December 2013|website=The Atlantic}}</ref> ''[[Wired (magazine)|Wired]]''<ref>{{cite news|first1=Kevin|last1=Poulsen|access-date=2019-03-26|title=60 Minutes Puff Piece Claims NSA Saved U.S. From Cyberterrorism|url=https://www.wired.com/2013/12/60-minutes/|newspaper=Wired|date=16 December 2013|issn=1059-1028|via=www.wired.com}}</ref> and ''[[The Register]]''<ref>{{cite web|first=Simon|last=Sharwood|date=16 December 2013|access-date=2019-03-26|title=NSA alleges 'BIOS plot to destroy PCs'|url=https://www.theregister.co.uk/2013/12/16/nsa_alleges_bios_plot_to_destroy_pcs/|website=[[The Register]]}}</ref> refuted the NSA's claims.

Newer Intel platforms ship with [[Intel Boot Guard]] (IBG) enabled; this technology checks the BIOS digital signature at startup, and the IBG public key is fused into the [[Platform Controller Hub|PCH]]. End users cannot disable this function.
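The boot-block mechanism described at the start of this section (a small, separately updated region that hashes the main BIOS before handing over control, and falls back to a backup image or a recovery prompt when the check fails) is easy to model in software. The following is an added illustration, not code from the article or from any vendor's firmware; the image layout (a 32-byte SHA-256 digest followed by the main BIOS body), the function names and the two constructed failure modes (an aborted update and a single flipped byte) are assumptions made for this example.

```python
"""
Simulated boot-block integrity check with a DualBIOS-style fallback.

Added example, not the article's or any vendor's firmware code. Assumed layout
of a flash image: [32-byte SHA-256 digest of the body][main BIOS body].
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

DIGEST_LEN = 32  # SHA-256 digest length (assumed layout for this example)


@dataclass(frozen=True)
class FlashImage:
    """A BIOS image as it would sit in flash: stored digest, then the body."""
    blob: bytes

    @property
    def stored_digest(self) -> bytes:
        return self.blob[:DIGEST_LEN]

    @property
    def body(self) -> bytes:
        return self.blob[DIGEST_LEN:]


def build_image(main_bios: bytes) -> FlashImage:
    """What a vendor's flashing tool would write: digest of the body, then the body."""
    return FlashImage(hashlib.sha256(main_bios).digest() + main_bios)


def boot_block_verify(image: FlashImage) -> bool:
    """The boot block's check: recompute the body digest and compare it with the
    stored one. A constant-time comparison avoids leaking the digest bytes."""
    if len(image.blob) < DIGEST_LEN:
        return False  # truncated image, e.g. an update that stopped very early
    actual = hashlib.sha256(image.body).digest()
    return hmac.compare_digest(actual, image.stored_digest)


def boot_block_select(main: FlashImage, backup: Optional[FlashImage] = None) -> str:
    """Decide where the boot block transfers control.

    Returns one of:
      "main"     - main BIOS verified; run it
      "backup"   - main corrupt but the backup verified (DualBIOS-style boards)
      "recovery" - nothing verifies; ask the user to reflash from removable media
    """
    if boot_block_verify(main):
        return "main"
    if backup is not None and boot_block_verify(backup):
        return "backup"
    return "recovery"


def simulate_aborted_update(image: FlashImage, written_bytes: int) -> FlashImage:
    """Constructed failure: an update interrupted after `written_bytes` bytes,
    leaving the remainder of the region in the erased (0xFF) state."""
    partial = image.blob[:written_bytes]
    return FlashImage(partial + b"\xff" * (len(image.blob) - len(partial)))


def simulate_bit_flip(image: FlashImage, offset: int) -> FlashImage:
    """Constructed failure: one corrupted byte somewhere in the main BIOS body."""
    blob = bytearray(image.blob)
    blob[offset] ^= 0x01
    return FlashImage(bytes(blob))


if __name__ == "__main__":
    # Constructed sample firmware bodies; real images are hundreds of KiB.
    good = build_image(b"MAIN-BIOS-v1.0 " * 64)
    backup = build_image(b"MAIN-BIOS-v0.9 " * 64)

    print("intact main          ->", boot_block_select(good, backup))
    print("aborted update, dual ->", boot_block_select(simulate_aborted_update(good, 200), backup))
    print("bit flip, single BIOS->", boot_block_select(simulate_bit_flip(good, 100)))
```

Note what a plain hash checksum does and does not give you: it catches the accidental corruption the section is concerned with (an aborted flash, a flipped byte), but anyone who can rewrite the main BIOS region can also rewrite the stored digest, so the check offers no protection against deliberate tampering. That is the gap Intel Boot Guard closes in the last paragraph above: the boot-time check there is a digital signature verified against a public key fused into the PCH, which an attacker cannot regenerate or replace from software.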