Jump to content
LaptopVideo2Go Forums

Security considerations when using replacement VBIOS


muppet

Recommended Posts

It occurred to me, after reading "BIOS Disassembly Ninjitsu Uncovered", that the VBIOS used in such MXM upgrades as the Acer Aspire 5520 is just another PCI Expansion ROM - and therefore could be compromised (i.e. contain rootkits) just as easily as illustrated in the ninjitsu book. As these files aren't necessarily sourced from manufacturer's sites, there is no easy way to know if these have been compromised and they're not covered by a normal virus scan etc.

I guess the same risk has existed since the first person flashed their desktop card with another VBIOS - though safety in numbers isn't a mitigation. That such a book has been released containing essentially a how-to with step-by-step examples may make this a more relevant concern that a couple of years back. This should also be of wider concern - e.g. to desktop overclockers that may also use alternate VBIOS files in an attempt to wring out a couple more points on 3dmark.

In a perfect world tools such as NiBiTor would be able to hash the parts of the file that can't be changed (by NiBiTor) and there would be a public database of checksums for each vendor/revision string based on manufacturer's stock VBIOS files - sourced and maintained by a reputable party. As it stands, most existing VBIOS databases rely on the public at large to supply their VBIOS files -where it's unlikely that a user would bother uploading their VBIOS if it exists in the database (therefore missing an opportunity to root out potentially malicious VBIOS files).

[edit]I guess for peace of mind for the Aspire 5920's 8600M GT 512MB VBIOS users, there may be someone on this forum willing to provide an MD5 hash or the VBIOS's checksum of their stock 60.84.41.00.18 (or whatever) versioned VBIOS - assuming the person is active in this community, I'd personally have confidence in the anonymously provided files available online of the same version. Even though the checksum enclosed in the VBIOS looks to be 8bit in length, presumably it doesn't have the same entropy as a 128bit MD5 hash? Whatever - MD5 isn't so crash hot either.

I guess this would be a general mitigation - "known" people (the more the better) in a virtual community posting their hash or checksums confirming the authenticity of a necessarily anonymously posted VBIOS.

Edited by muppet
Link to comment
Share on other sites

Very good points.... BUT if you flash your own VBIOS with the one you actually made yourself, then there would be no problem. I personally have flashed my 7900GS to a 7900GTX bios, and there have been no problems with it.. You just hope people dont mess around with the BIOs to screw up your computer.. If so just ensure you gave a backup for your original. This is true for when you need to blind flash. Which is something else I had to do when I flashed a revision 0 to a revision 1 card, not knowing there was a rev 1 and rev 0 for the 7900gtx.

Link to comment
Share on other sites

I personally have flashed my 7900GS to a 7900GTX bios

I guess the thing is - where did you source the 7900GTX VBIOS? If you crafted it yourself from your original VBIOS on the graphics card, no problems. But if you sourced the base VBIOS from an online VBIOS database, there's no easy way to check if someone has introduced some code into the VBIOS file. As the type of code illustrated by the ninjitsu book relates to rootkits, you may never know that your system is doing anything out of the norm as your virus scanner etc would be unlikely to see it.

I guess if the payload wasn't too destructive, e.g. trapping your user/pass for SMTP sends and sending it off to a bulk spammer or the like, you might never correlate the ton of postmaster returns you sometimes get (when some **** uses your return address in a spam job) to somebody having compromised you.

I hope that it's an unlikely scenario - but I don't leave my normal PC "security" to faith yet in this instance I guess we're sort of stuck with it.

Additionally, for the MXM upgrade I refer to - the card won't work in the laptop without the externally sourced VBIOS - so going back to the original isn't really an option.

Edited by muppet
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...