NSA claims it thwarted BIOS malware plot that could have destroyed the US economy. Of course, it's nonsense

Last weekend, American TV viewers were captivated by a frankly ridiculous investigation into the behind-the-scenes goings-on at the NSA by the CBS 60 Minutes team.

There were many flaws in the program, but I want to focus on one aspect: the claim that the NSA discovered an enemy state had the intention and ability to destroy every PC, by attacking computer BIOS chips.

The relevant part of the report starts at approximately 3 min 30 seconds into the following video:

Here's a transcript of the relevant section:

Reporter (V/O): One attack they did see coming was called the "BIOS plot". It could have been catastrophic for the United States. While the NSA would not name the country behind it, cybersecurity experts briefed on the operation told us it was China. Debora Plunkett directs cyber defense for the NSA, and for the first time discusses the agency's role in discovering the plot.

Debora Plunkett: One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability, to destroy computers.

Reporter: To destroy computers?

Plunkett: To destroy computers. So the BIOS is a Basic Input Output System, its like the foundational component firmware of a computer. You start your computer up, the BIOS kicks in, it activates hardware, it activates the operating system. It turns on the computer.

Reporter (V/O): This is the BIOS system that starts most computers. The attack would have been disguised as a request for a software update for the computer. If the user agreed, the virus would have infected the computer.

Reporter: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do...

Plunkett: That's right.

Reporter: ... and basically turned it into a cinder block.

Plunkett: (nodding) A brick.

Reporter: And after that, there wouldn't be much you could do with that computer?

Plunkett: That's right. Think about the impact of that across the entire globe. It could literally take down the US economy.

Reporter: I don't mean to be flip about this, but it has a kind of a little "Dr Evil" quality to it that "I'm going to develop a program that can destroy every computer in the world." It sounds almost unbelievable.

Plunkett: Don't be fooled. There are absolutely nation states who have the capability and the intentions to do just that.

Reporter: Based on what you learned here at NSA, would it have worked?

Plunkett: Errm. We believe it would have, yes.

Reporter: Is this anything that has been talked about publicly before?

Plunkett: No, not to this extent. This is the first time.

Reporter (V/O): The NSA, working with computer manufacturers, was able to close this vulnerability but they say there are other attacks occurring daily.

Here's my take.

Are BIOS attacks by malware possible?

Yes. For instance, way back in 1998 the CIH (aka Chernobyl) virus was discovered, capable of overwriting the BIOS chip of some computers to make them unbootable. You can read my memories of the Chernobyl virus over on the Naked Security site.

If you were unlucky enough to have a computer which fell foul of the Chernobyl virus, your PC would have been useless. The only fix would have been to open it up and replace the chip.

So, the NSA's description of the BIOS plot is plausible?

Whoa. Hang on a minute. You see, the Chernobyl virus only attacked certain types of BIOS chip. Different computers use different types of chip, and each may have different vulnerabilities that would allow it to be overwritten without proper authorisation.

Plunkett says "Think about the impact of that across the entire globe." But how would the entire globe have been vulnerable? And how would the malware that delivered this devastating payload have been distributed to so many computers successfully without being spotted? It doesn't make sense.

How about the claim of "literally taking down the US economy"?

Why would China want to bring down the US economy? Think about it. If the Chinese destroyed the US economy that would be *catastrophic* for the Chinese economy. It doesn't make sense.

So we shouldn't believe this at all?

I'm not saying that. It is possible that the NSA stumbled across a plot to develop more BIOS-wiping malware. But I think it is much more likely that such a plot would have been targeted at particular specific computers (perhaps in sensitive locations), with the intention of bricking them, rather than the "destroy every computer in the world" scenario that CBS broadcast.

Let's not forget, most state-sponsored internet attacks aren't interested in destroying computers. They're much more interested in secretly stealing information and surveillance. A bricked computer is one that instantly announces to its user that something is wrong, and prevents any more information from being exfiltrated from it.

Shouldn't we at least be grateful that the NSA foiled the plot?

How exactly did they foil the plot? The report says that they worked with computer manufacturers to "close the vulnerability". What did that entail?

Did every PC in America get a firmware update to their BIOS that we simply didn't notice? Or was it, instead, that the Chinese plot was actually to introduce flaws and vulnerabilities into new BIOS chips used in future computers, and manufacturers were warned to keep their eyes open for meddling?

Of course, the truth makes for a much less sexy story than the nonsense broadcast by CBS.



5 Responses

  1. Stephen Cobb

    December 18, 2013 at 4:59 pm

    Well put Graham — Of the many flaws in the CBS 60 Minutes fluff piece on the NSA, this BIOS plot was the most egregious. And it was a slap in the face for those of us who spend a lot of time trying to bring clarity to the many real and urgent digital threats that companies and consumers face.

    The press and public would pillory any antivirus company that said it had foiled a malware attack "that could literally take down the US economy" without any proof that the attack actually existed. There are enough real and present malware dangers out there for people to worry about without intelligence agencies broadcasting self-serving claims of having saved the world from unsubstantiated rumors.

  2. Phil

    December 19, 2013 at 12:31 pm

    While you're correct about the pointlessness of actually using an attack like this, don't forget MAD. A BIOS wiping virus is a bit like a nuclear weapon – if you use it you're effectively destroying yourself so, at a national level, the threat from each side balances out. It could be that this is a cyber version of two power-blocks' 'yeah, we've got one too' willy-waving. Each side ultimately has to know what the other has to maintain the stasis. Look up 'Nash Equilibrium' for a game-theory type explanation.

    • Cody in reply to Phil.

      December 24, 2013 at 2:02 am

      Well, except the parts where nuclear weapons with enough power/range could target the whole planet while, let's see, BIOS has been in decline for some time. Besides, different architecture implies different instruction sets and you also have the problem that BIOS is low level (e.g., assembler and plain old opcodes/instruction sets) and operating systems are higher level (which all means different "updates" – executable formats; ELF means nothing to Windows and PE means nothing to Linux [for one of many examples] needed unless of course you "instruct [pun intended] the user to do X, Y and Z"). Not only that, CIH and indeed Kriz was a long time ago and not only are there other protections (including preventing the OS from accessing hardware at that level as well as things that ASUS and other motherboard manufacturers include to restore a botched flash [which depending on what the attack does, could be useful]) there is also any user in the know to stop it. Aside from those _minor_ differences, yes, it is _exactly_ like a nuclear attack. Anyway, unless it has a payload (like Kriz and CIH did) that attacks the BIOS on a certain date (April 26, Dec 25 if I recall correctly), preferably (for the attack to succeed, that is) some long time after it has been able to spread, you can consider it not a virus of any real concern (at least it won't be ITW for long if at all).

      And indeed, Stephen. Classic example: Michelangelo. Though I would argue they get away with more than what some might like to believe, in the lying/sensationalism department. But that's expected too (part of human nature is believing in what seems so impossible, so unknown or magical and that implies the same when being lied to about any number of things, especially – important bit – the things you know you do not know much about). Just like the lies and misinformation (and indeed sensationalism) the NSA told 60 Minutes.

  3. Arnd

    January 2, 2014 at 2:57 am

    Hi,

    In the light of the recent NSA disclosure from the CCC congress 2013 in Berlin, stating that the NSA has injected BIOS level backdoors into various hardware, it could be possible a third party (hackers, foreign intelligence services or criminals) is trying to exploit or even shut down NSA controlled devices. Which would be a good thing for humanity.

    // Arnd

  4. Noone

    January 6, 2014 at 1:48 pm

    It's a lie. They are covering TAO using a BIOS hack against items either in transit or via their own proxy network.
