Researchers have shown that relatively effortless exploits targeting unpatched BIOS firmware could spell doom for millions of users. At the recent CanSecWest conference in Vancouver, Canada, two security researchers, Corey Kallenberg and Xeno Kovah, gave a presentation dubbed "How many million BIOSes would you like to infect?" in which they revealed that even a completely untrained person could hack millions of computers or render them unusable.
According to Kallenberg and Kovah, most UEFI BIOS code is reused across vendors, so a single vulnerability tends to be widespread. Additionally, the patches supplied by these vendors are almost never applied by end users or system administrators, which leaves a great deal of scope for automated attacks.
The researchers from LegbaCore further demonstrated a proof-of-concept exploit called "LightEater" on PCs featuring Gigabyte, Acer, MSI, HP, and Asus boards running their proprietary BIOS. LightEater could copy GPG keys from the vulnerable device to a USB stick with merely two minutes of physical access, which, the researchers reiterated, could be done by a non-technical person as well.
BIOS security is becoming an important issue, and users should keep track of the firmware updates their device makers provide. Top manufacturers such as Lenovo, Dell and HP have started developing new methods to deliver patches, but user awareness is still a concern. Kallenberg and Kovah will be providing their automated threat detection solution to manufacturers to help prevent System Management Mode (SMM) attacks.
Last year's NSA revelations showed that government agencies could exploit such vulnerabilities in the BIOS to plant eavesdropping mechanisms, but the duo hopes that hardened BIOSes will make it harder for governments to mess around with users' computers.