Live CD is secure agaist BIOS malwares ?

[JKyleOKC]

so i think the answer is i have to buy a computer without HDD and BIOS battery (old fashion) ?

Good luck getting such a system to run at all. The BIOS is necessary in order to boot the system, and without a battery you won't be able to configure it at all. Once the system boots, Linux no longer makes any use of the BIOS -- and the bootstrap code within the BIOS chip on the motherboard is totally incapable of accessing any network or downloading anything.

As others have told you, installing a BIOS trojan requires physical access to the machine. And if outsiders have such access, no security is possible.

In addition, if your security requirements are actually as strict as you indicate, the machine should never be connected to a network at all. The only completely secure system is one which is incapable of any input or output, and located in a sealed enclosure with no means of physical access. Of course, such a system is also completely useless...

[Hungry Man]

You can overwrite the BIOS remotely, they don't need physical access.

They just need admin access.

Instead of removing the BIOS battery, which will just break ****, buy one of those dual BIOS motherboards. If one gets infected you just switch to the other and boot into a recovery disk.

[JKyleOKC]

You can overwrite the BIOS remotely, they don't need physical access.

Please describe just how it will be possible to do anything remotely to a system that has no network access for remote control. The network access comes into play from a much later stage of the boot process than the bootstrap code.

If, and only if, the BIOS is set up to allow "remote boot" operation could something of this sort be accomplished. That would require special BIOS code in the first place.

It's possible that such a "trojan BIOS" could be created, and even installed -- but only if the intruder had physical access to the machine and adequate time to replace major chunks of its hardware. Placing a wiretap on the network line, or a sniffer in one of the ISP locations along the route, would be much more practical.

Stuxnet was targeted to a specific group of machines, and relied on a bit of physical intrusion to get it started. It's not at all comparable to the problem of breaking into a single company's bank accounts. Subversion of a bank employee is a much more likely scenario.

[Cheesemill]

Please describe just how it will be possible to do anything remotely to a system that has no network access for remote control. The network access comes into play from a much later stage of the boot process than the bootstrap code.

If, and only if, the BIOS is set up to allow "remote boot" operation could something of this sort be accomplished. That would require special BIOS code in the first place.

It's possible that such a "trojan BIOS" could be created, and even installed -- but only if the intruder had physical access to the machine and adequate time to replace major chunks of its hardware. Placing a wiretap on the network line, or a sniffer in one of the ISP locations along the route, would be much more practical.

Stuxnet was targeted to a specific group of machines, and relied on a bit of physical intrusion to get it started. It's not at all comparable to the problem of breaking into a single company's bank accounts. Subversion of a bank employee is a much more likely scenario.

On modern machines you can alter BIOS settings and even flash the BIOS completely from a running OS if you have root access. So by compromising a machine you could then flash it with a 'trojan' BIOS which would take effect the next time the machine was booted.
As you mention though, except in very specific known configurations and required outcomes it would be far easier to take the normal attack route of finding vulnerabilities in the OS or installed software rather than going down the BIOS route.

[Hungry Man]

Like Cheesemill states once you have Admin you can flash a new BIOS. This can be done while the system is booted and it's probably the most common way for users to update their home machine's BIOS.

So they don't actually need any physical access.

It's still insanely unlikely as they'd have to spend an inordinate amount of work with their being a huge risk of it failing entirely.

[sa3er3]

A few things...
1) To write to the BIOS you need administrative rights meaning that the attacker either needs to compromise a root service or find some escalation privilege.

2) BIOS infections are really difficult to pull off. The attacker needs to know which hardware you're running, then they need to develop and test the payload on that hardware. They also need to know which version of the BIOS you're already running because even between versions it may or may not work.

getting root access is just like blinking ... rootkits are out there for ages ...
and getting hardware info of Bios version is just so easier than blinking ....

On modern machines you can alter BIOS settings and even flash the BIOS completely from a running OS if you have root access. So by compromising a machine you could then flash it with a 'trojan' BIOS which would take effect the next time the machine was booted.
As you mention though, except in very specific known configurations and required outcomes it would be far easier to take the normal attack route of finding vulnerabilities in the OS or installed software rather than going down the BIOS route.

the problem is todays people for important jobs use Live ubuntu CD because windows (or even installed ubuntu) is almost impossible to stay clean so bad guys are focusing on Bios because with it we are not even safe at all in Live CD any more ...

[zombifier25]

Speaking from a security noob's point of view, most malware writers nowadays still targets Windows, because it's easier and more profitable for them. There is no proof (at least, not yet) that they are moving to hijacking the BIOS. It is possible, yes, but I don't see anyone would have the time and resources to develop a very complicated rootkit that only works with certain BIOS (or even certain versions of it) while a Windows malware is relatively easy to pull of and can be very widespread.

[Hungry Man]

Getting root isn't that easy. Or at least you don't have to let it be. Apparmor vulnerable services/ programs and keep your system patched.

They could get onto your machine, get root, and then see which BIOS you use, and then develop and incredibly complex and risky payload over days/weeks depending on if they already have the hardware, and then if you somehow haven't realized you've been infected for weeks they could try the payload on you.

Of course, they already have root, so they have very little reason to do so.

Bad guys are not focusing on the BIOS. There have been less than a handful of widespread BIOS infections ever.

I would suggest you either forget about the BIOS as you have way bigger things to worry about OR you purchase a dual-BIOS motherboard on the insanely tiny chance that an attacker somehow infects your BIOS.

[sa3er3]

Speaking from a security noob's point of view, most malware writers nowadays still targets Windows, because it's easier and more profitable for them. There is no proof (at least, not yet) that they are moving to hijacking the BIOS. It is possible, yes, but I don't see anyone would have the time and resources to develop a very complicated rootkit that only works with certain BIOS (or even certain versions of it) while a Windows malware is relatively easy to pull of and can be very widespread.

if all the people switch to use Live CD for banking instead of windows then they will move to hijacking the BIOS .. because that is what we wanna tell to all our companies to use Live CD for serious jobs
as all users have windows no linux so its not complicated rootkit. they easily can get root. then there is no too much Bios in the market. they just make a few one and will hit a big percent of people ...

so please think again

Getting root isn't that easy. Or at least you don't have to let it be. Apparmor vulnerable services/ programs and keep your system patched.

They could get onto your machine, get root, and then see which BIOS you use, and then develop and incredibly complex and risky payload over days/weeks depending on if they already have the hardware, and then if you somehow haven't realized you've been infected for weeks they could try the payload on you.

Of course, they already have root, so they have very little reason to do so.

Bad guys are not focusing on the BIOS. There have been less than a handful of widespread BIOS infections ever.

I would suggest you either forget about the BIOS as you have way bigger things to worry about OR you purchase a dual-BIOS motherboard on the insanely tiny chance that an attacker somehow infects your BIOS.

in windows people have no Apparmor ...
and keeping system patched make no sense against real hackers

from your seen maybe it be complex and risky payload over days/weeks but as they make millions$ from it so they will do it very well ..

as we grow using Live CD they focusing on the Bios mate. as its the only safe way so it will happen soon

(by the way dual-BIOS motherboard is a joke ? user will never know he infected or not .. antivirus don't scan bios ...)

[zombifier25]

if all the people switch to use Live CD for banking instead of windows then they will move to hijacking the BIOS .. because that is what we wanna tell to all our companies to use Live CD for serious jobs
as all users have windows no linux so its not complicated rootkit. they easily can get root. then there is no too much Bios in the market. they just make a few one and will hit a big percent of people ...

so please think again

in windows people have no Apparmor ...
and keeping system patched make no sense against real hackers

from your seen maybe it be complex and risky payload over days/weeks but as they make millions$ from it so they will do it very well ..

as we grow using Live CD they focusing on the Bios mate. as its the only safe way so it will happen soon

(by the way dual-BIOS motherboard is a joke ? user will never know he infected or not .. antivirus don't scan bios ...)

Yes, IF everyone switch to use Live CD for banking. But, good luck convincing millions of Windows users to magically drop Windows, download a Linux LiveCD and start doing everything from there. Still, when that happens, developing a malware for Linux itself is still far easier than writing a complicated BIOS code. Crackers want short-term profit, not long-term investment. (but writing BIOS codes aren't exactly long term either, because new updates will just obsolete the malware out)

Like what others have said, you shouldn't worry about the moon falling down the Earth, but instead start worrying about real security threats that can potentially compromise your system. Start configuring firewalls, encryption and stuffs, and leave the BIOS problem for later.