Ask HN: Too theoretical for hackers to flash your firmware excluding boot ROM?

3 points by PrimaryAlibi a year ago · 13 comments · 2 min read


Most computer components have firmware, otherwise they wouldn't do anything. This means that firmware exists in more than just the boot ROM. This topic excludes the boot ROM because I know it's not too theoretical for a hacker to flash the boot ROM. It's clearly explained step by step how to do an external boot ROM flash on many different websites such as Coreboot. But this topic is not about the boot ROM, it's about the other firmware on a laptop such as cam, mic, keyboard, Bluetooth, embedded controller.

Is it too theoretical how a hacker would do that? As in, would it require some very rare 0-day vulnerability which might not exist currently? Or are there known ways a hacker would be able to flash malware into these components such as the embedded controller or cam?

The reason I ask is because I've heard people in cyber security make two arguments: yes, it's possible; no, it's too theoretical or "way too unlikely". So which is it? No one has actually tried explaining their answer or linking to any source. Answers are always vague.

I think it's important to have these answers because when it comes to firmware security, it makes a huge difference if all you need to do is flash the boot ROM to ensure your firmware is uncompromised. That would make security 1000 times easier. But if it's not enough then you would maybe, unfortunately, have to throw away the computer if you think there's compromised firmware, because you won't be able to get rid of it.

Don't forget to explain your answer. Please give links to sources and further reading about this.

wmf a year ago

Intel/AMD/Apple have put a decent amount of work into protecting boot and EC firmware but all the other stuff is probably totally insecure. Any code running in kernel mode could flash a lot of different firmware. Note that built-in devices probably have their firmware bundled into the main boot firmware so they may be protected.

Just because something is possible doesn't mean it's likely that an attacker would burn a 0-day against you though.

bigfatkitten a year ago

It's not theoretical at all. You can flash firmware updates from userspace on pretty much any modern x86 machine but in practice, UEFI bootkits are almost good.

If you want a case study, BlackLotus is a good starting point.

https://www.eset.com/au/about/newsroom/press-releases1/eset-...

  • PrimaryAlibiOP a year ago

    Good answer, I will read more about UEFI bootkits and BlackLotus. It also reminds me that recently the Bootkitty UEFI bootkit was in the news. I saw a video about it a couple of days ago.

    Is it just from userspace that you flash this firmware (other than the boot ROM)? Or can you flash externally as well if you have physical access?

    This also means that, just like you avoid a lot of malware by going to Linux instead of Windows, which is what all hackers build their malware for, you can probably also avoid a lot of these firmware bootkits by flashing coreboot instead of having UEFI.

    • bigfatkitten a year ago

      Both from userspace and externally, including the boot ROM, from Windows or Linux.

      You could flash coreboot and run your own secure boot chain etc on one machine, but this is absolutely not something you can do at organisational scale.

      That said, only individuals worried about foreign intelligence services need to incorporate this into their threat model.

      • PrimaryAlibiOP a year ago

        How would it be done externally? Is it done the same way as flashing the boot ROM? You just need to know where the chip is for the other components? No 0-days needed? Or do you need a 0-day to do this? Is that why you think only foreign intelligence agencies are the ones who can do this? Also assume that the BIOS is password protected and it's configured in the BIOS to not boot from a USB drive.

        • bigfatkitten a year ago

          > How would it be done externally? Is it done same way as flashing the boot rom?

          Depends on the device.

          > Is that why you think only foreign intelligence agencies are the ones who can do this?

          Because it's enough work that nobody else would bother.

          > Also assume that the BIOS is password protected and it's configured in the BIOS to not boot from a USB drive.

          BIOS password is an administrative control. It doesn't stop anyone with the ability to flash firmware from doing anything.

          • PrimaryAlibiOP a year ago

            These are the type of vague answers I said I didn't want because they are not helpful. How do I know if you really know what you are talking about? No explanations or links to sources. "Depends on the device" is almost not an answer at all.

            A BIOS password does help if they need to be able to boot from a USB drive to flash firmware. Or do you know another way? Again, not talking about the boot ROM.

            • bigfatkitten a year ago

              > "Depends on the device" is almost not an answer at all.

              If you ask extremely general questions, you're going to get extremely general answers. This is a discussion board, not a personal research service. You need to go and figure this out for the specific hardware you are concerned about.

              > A BIOS password does help if they need to be able to boot from a USB drive to flash firmware.

              That's the only circumstance in which it helps, but that's rarely necessary on modern machines.

              https://en.m.wikipedia.org/wiki/Fwupd

              • PrimaryAlibiOP a year ago

                But my questions aren't extremely general, I even asked very specifically if you are supposed to attach an external programmer to the component like the keyboard or cam etc., but you can't even answer that. You can't even give one example. Are you saying there is nothing at all in common between different device models like camera model B and camera model C? You don't physically manipulate them in any way? Don't attach anything, or what? Or do you shine a light on one model and breathe on another? When you can't even give one example that makes it hard to believe you. You are just constantly deflecting and refusing to explain. It just seems like you are spreading FUD when you say it can be done but won't explain how. I'm not even asking for full step-by-step instructions, just a simple overview of what kind of process it is in general.

                • bigfatkitten a year ago

                  > keyboard or cam etc but you can't even answer that

                  They are not all built the same. It depends on the SPECIFIC device.
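bigfatkitten's fwupd link above is the practical hook for a defender: on a modern Linux machine, fwupd is the userspace path by which a lot of non-boot-ROM firmware (docks, controllers, peripherals) gets rewritten, and its device inventory is the quickest way to see which components on a given laptop are reachable that way. The following is an added example for this thread, not code from the fwupd project. It reads JSON in the shape that `fwupdmgr get-devices --json` prints; the key names used ("Devices", "Name", "Plugin", "Version", "Flags") and the flag strings are taken from fwupd's export format but should be checked against the installed version. The sample inventory is constructed: the device names, plugin names and versions are made up and describe no real machine.

```python
"""Summarise which components' firmware the running OS can rewrite, from a
fwupd device inventory.

Added example, not code from the fwupd project. Input is JSON in the shape
`fwupdmgr get-devices --json` prints; key names and flag strings follow fwupd's
export format and should be verified against the installed version.
SAMPLE_INVENTORY is constructed: names, plugins and versions are made up.
"""
import json
from dataclasses import dataclass
from typing import List

SAMPLE_INVENTORY = json.dumps({
    "Devices": [
        {"Name": "System Firmware", "Plugin": "uefi_capsule", "Version": "1.24",
         "Flags": ["internal", "updatable", "supported", "needs-reboot", "signed-payload"]},
        {"Name": "Embedded Controller", "Plugin": "example_ec", "Version": "0.9.3",
         "Flags": ["internal", "updatable", "unsigned-payload"]},
        {"Name": "Integrated Webcam", "Plugin": "example_cam", "Version": "2.0",
         "Flags": ["internal", "updatable"]},
        {"Name": "Thunderbolt Controller", "Plugin": "thunderbolt", "Version": "36.0",
         "Flags": ["internal", "updatable", "locked", "signed-payload"]},
        {"Name": "TPM", "Plugin": "tpm", "Version": "7.2.3.1",
         "Flags": ["internal"]},
    ]
})


@dataclass
class FirmwareSurface:
    name: str
    plugin: str
    version: str
    os_writable: bool      # fwupd reports the device updatable and not locked
    payload_signing: str   # "signed", "unsigned" or "unknown"


def classify(inventory_json: str) -> List[FirmwareSurface]:
    """Turn the fwupd inventory into one record per device."""
    result = []
    for dev in json.loads(inventory_json).get("Devices", []):
        flags = set(dev.get("Flags", []))
        if "signed-payload" in flags:
            signing = "signed"
        elif "unsigned-payload" in flags:
            signing = "unsigned"
        else:
            signing = "unknown"
        result.append(FirmwareSurface(
            name=dev.get("Name", "?"),
            plugin=dev.get("Plugin", "?"),
            version=dev.get("Version", "?"),
            os_writable="updatable" in flags and "locked" not in flags,
            payload_signing=signing,
        ))
    return result


def needs_attention(inventory_json: str) -> List[str]:
    """Devices the OS can reflash where fwupd cannot vouch that payloads are signed."""
    return [s.name for s in classify(inventory_json)
            if s.os_writable and s.payload_signing != "signed"]


def report(inventory_json: str) -> str:
    lines = []
    for s in classify(inventory_json):
        lines.append(f"{s.name:<24} {s.plugin:<16} v{s.version:<8} "
                     f"os-writable={str(s.os_writable):<5} payload={s.payload_signing}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
    print("review:", ", ".join(needs_attention(SAMPLE_INVENTORY)))
```

Two caveats when reading the output. The flags describe what fwupd itself will do, so a device without "updatable" is not proven unwritable: as wmf notes higher up, kernel-mode code can reach many devices through paths fwupd never touches. And "signed-payload" means the device or vendor verifies signatures on updates, which is the property that actually limits what an OS-level attacker can load; a BIOS password contributes nothing here, which is bigfatkitten's point about it being an administrative control.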

bigiain a year ago

The recent BadRAM attack against AMD's Secure Encrypted Virtualisation works by changing something in the memory DIMM's SPD (Serial Presence Detect) EEPROM firmware, causing it to report twice as much RAM as the DIMM really has. Chaining this up with a bunch of other neat tricks, they gain access to protected memory that the CPU is _supposed_ to prevent.

I don't think there's a public working exploit (yet?), but it can "likely" in some cases (depending on the DIMMs you have installed) be done without hardware access, purely through software:

"In some cases, with certain DIMM models that don't adequately lock down the chip, the modification can likely be done through software."

https://arstechnica.com/information-technology/2024/12/new-b...

So yeah, it's possible for a hacker to flash malware onto your DIMMs...

(Whether that's a thing you need to care about is a good question. This isn't something a driveway script kiddie is gonna do after he p0wns your WordPress site with vulnerable plugins. But if you're running a dark web drug market on commercially hosted cloud servers and a powerful enough Three Letter Agency becomes interested in you...)
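The SPD EEPROM bigiain describes is a small, documented data structure, so a defender who can dump it (for example with the decode-dimms tool from i2c-tools) can check that what the module declares about itself is internally consistent and matches the capacity printed on its label. The block below is an added example for this thread, not code from the BadRAM authors or from any vendor tool. It decodes the capacity-defining fields of a DDR4 SPD image following the JEDEC DDR4 SPD byte layout (bytes 2, 4, 5, 12 and 13) and checks that the declared per-die density agrees with the row, column, bank and width fields that should determine it. It assumes a conventional (non-3DS) module and ignores the die-count field; the two SPD images it tests are constructed for the example, with only the bytes the decoder reads filled in.

```python
"""Decode the capacity-defining fields of a DDR4 SPD image and check that the
declared die density agrees with the addressing geometry.

Added example, not code from the BadRAM authors or a vendor tool. Byte
positions and encodings follow the JEDEC DDR4 SPD layout (bytes 2, 4, 5, 12,
13); 3DS stacks (die count in byte 6) are not handled, which is an assumption
of this decoder. The SPD images below are constructed, not dumped from real
modules, and only the bytes read here are set.
"""
from typing import Dict, Tuple

DDR4_KEY_BYTE = 0x0C                        # byte 2: DRAM device type = DDR4
DENSITY_MBIT = {0: 256, 1: 512, 2: 1024, 3: 2048, 4: 4096,
                5: 8192, 6: 16384, 7: 32768, 8: 12288, 9: 24576}  # byte 4 bits 3:0
DEVICE_WIDTH = {0: 4, 1: 8, 2: 16, 3: 32}   # byte 12 bits 2:0
BUS_WIDTH = {0: 8, 1: 16, 2: 32, 3: 64}     # byte 13 bits 2:0 (primary width, excl. ECC)


def constructed_spd(density_code: int, rows: int, cols: int, bank_groups_code: int,
                    banks_code: int, width_code: int, ranks: int, bus_code: int) -> bytes:
    """Build a 512-byte SPD image with only the fields this decoder reads populated."""
    spd = bytearray(512)
    spd[2] = DDR4_KEY_BYTE
    spd[4] = (bank_groups_code << 6) | (banks_code << 4) | density_code
    spd[5] = ((rows - 12) << 3) | (cols - 9)
    spd[12] = ((ranks - 1) << 3) | width_code
    spd[13] = bus_code
    return bytes(spd)


def decode_geometry(spd: bytes) -> Dict[str, int]:
    """Extract the fields that determine module capacity."""
    if spd[2] != DDR4_KEY_BYTE:
        raise ValueError("not a DDR4 SPD image")
    return {
        "density_mbit": DENSITY_MBIT[spd[4] & 0x0F],
        "banks": 4 << ((spd[4] >> 4) & 0x3),          # 00 -> 4 banks, 01 -> 8 banks
        "bank_groups": 1 << ((spd[4] >> 6) & 0x3),    # 00 -> 1, 01 -> 2, 10 -> 4 groups
        "rows": 12 + ((spd[5] >> 3) & 0x7),
        "cols": 9 + (spd[5] & 0x7),
        "device_width": DEVICE_WIDTH[spd[12] & 0x7],
        "ranks": ((spd[12] >> 3) & 0x7) + 1,
        "bus_width": BUS_WIDTH[spd[13] & 0x7],
    }


def declared_capacity_mib(g: Dict[str, int]) -> int:
    """JEDEC module capacity: die density / 8 * (bus width / device width) * ranks."""
    return g["density_mbit"] // 8 * (g["bus_width"] // g["device_width"]) * g["ranks"]


def geometry_density_mbit(g: Dict[str, int]) -> int:
    """Density implied by the address fields: 2^(rows+cols) cells * banks * groups * width."""
    bits = (1 << (g["rows"] + g["cols"])) * g["banks"] * g["bank_groups"] * g["device_width"]
    return bits // (1024 * 1024)


def check_spd(spd: bytes) -> Tuple[int, bool]:
    """Return (declared capacity in MiB, True if the density field matches the geometry)."""
    g = decode_geometry(spd)
    return declared_capacity_mib(g), geometry_density_mbit(g) == g["density_mbit"]


# Constructed: 8 Gb x8 dies, 16 rows, 10 columns, 4 bank groups x 4 banks,
# 1 rank, 64-bit bus -> an ordinary 8 GiB module
GOOD_SPD = constructed_spd(5, 16, 10, 2, 0, 1, 1, 3)
# Constructed: identical addressing, but the density field claims 16 Gb dies,
# so the declared capacity no longer follows from the geometry
INCONSISTENT_SPD = constructed_spd(6, 16, 10, 2, 0, 1, 1, 3)

if __name__ == "__main__":
    for label, spd in (("good", GOOD_SPD), ("inconsistent", INCONSISTENT_SPD)):
        mib, ok = check_spd(spd)
        print(f"{label}: declared {mib} MiB, geometry check {'pass' if ok else 'FAIL'}")
```

The check is a sanity test, not proof of integrity: an SPD can be rewritten so that every field agrees, so the useful comparison is the decoded capacity against the module's labelled size and the OS-reported total, and the stronger control is whatever write protection the DIMM's EEPROM offers, which is exactly the "don't adequately lock down the chip" condition the Ars Technica quote above turns on.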
