Other than standard security "best practices" like having a good firewall, strong admin password, ensuring the latest security patches, and upping router security, is there anything more specific that can help prevent (specifically) a BIOS rootkit via Ubuntu?
- [Highly relevant](https://i.warosu.org/data/g/img/0458/76/1420069446681.png) – Boris the Spider Jan 14 '17 at 21:43
5 Answers
Be careful with installing software from unknown sources.
You might get more security ideas by looking at this project:
https://en.wikipedia.org/wiki/Qubes_OS
That project is developed by security experts.
The idea is to isolate work, home, play etc.
You can use this isolation idea yourself already by using Virtualbox, KVM, Qemu client guest install for "play", therefore having some isolation from your real important things.
Do you have rkhunter installed? It is a rootkit detection program. You can install it and run
sudo dpkg-reconfigure rkhunter
to adjust the settings to your taste. You can also install the chkrootkit package, but chkrootkit might give you more false alarms (depending on which other programs you install or have running, which is okay if you can find out what is causing the false alarm).
http://packages.ubuntu.com/search?keywords=rkhunter
https://en.wikipedia.org/wiki/Rkhunter
Furthermore you can also install Lynis to perform a security check on your computer.
Afaik there has been no observation of BIOS rootkit malware in the wild so far, only other rootkit types. So in that aspect your question sounds pretty hypothetical at this point but I'm going to indulge you anyway.
All the things you're listing as examples are general security advice against all types of malware.
If you're looking for defences specifically against malware in the BIOS then your best option is Secure Boot which helps to prevent the injection of unsigned boot loaders and kernel modules into the boot process. This assumes that the BIOS rootkit managed to place itself into the system firmware but not to disable or circumvent Secure Boot. This situation may happen if the malware comes in form of a UEFI module that doesn't modify the behaviour of the core UEFI firmware.
Other than that, don't run untrustworthy software in a trusted environment – especially not as super-user or in the kernel – and don't give untrustworthy people physical access to your machine, lest the trusted environment is tainted to become untrustworthy itself.
- Thanks david, I have limited access to my BIOS on 2 PCs with Linux on them. The limitation suggests changes to the BIOS, e.g. I can't turn off wifi or bluetooth. Bluetooth and wifi seem to be how the attacks start. There's a possibility that the rootkit was installed before I converted from Windows to Linux. Could it be another form of rootkit that impacts BIOS settings? I want to make sure it doesn't happen to yet another PC. – user637251 Jan 16 '17 at 12:50
- It's almost certainly something else. As I said, to date there has been no reported sight of a BIOS rootkit in the wild though there are working proofs of concept in the lab. Unlike operating systems, BIOS implementations tend to differ far more which makes exploits against them difficult and uneconomical for criminals. So, unless you angered some government or drug cartel there's no reason to expect a BIOS infection on your system. – David Foerster Jan 16 '17 at 16:11
- I'm very private, I spend most of my time studying & working. Most likely it's the large mining company I called out for bad behaviour when I worked for them on a security project (obviously, I was not the security expert there). This company practically runs the country I live in. They have unlimited resources at their disposal, no ethics. I used to think this stuff only happened in movies but if I recounted the events in my life for the last year, you would find it incredible. The police are working on it with me now, but I don't hold out much hope. Thanks for the advice. – user637251 Jan 21 '17 at 04:31
- Even if "unlimited resources" were true that doesn't mean they have *this* kind of resources. If the mining company is closely entangled with the government they may have indirect access to government resources, however, the smaller and the more corrupt the government, the less likely it has access to bleeding edge surveillance technology like this. At this point nobody would use it on a simple dissenter because it would be a waste. – David Foerster Jan 21 '17 at 08:49
- I completely agree about the wasted resources on me. I don't get it either. That was all I could come up with. I've had multiple attacks on multiple devices over a long time. Other than that, a motive eludes me. I definitely don't deal with government figures or drug cartels. I'm pretty much a nobody. – user637251 Jan 21 '17 at 09:54
- The problem is almost certainly something else. There are many other types of attacks with similar symptoms that are *unrelated* to BIOS rootkits. Unless you provide logs and/or a detailed description of the attacks nobody will be able to help you. – David Foerster Jan 21 '17 at 09:59
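The answer above recommends Secure Boot as the one control that specifically targets unsigned boot loaders and kernel modules. The following POSIX shell script is an added example (not from the answer or from any Ubuntu tool) that reports whether Secure Boot is actually enforced on the running machine. It reads the `SecureBoot` EFI variable that the kernel exposes under `/sys/firmware/efi/efivars` (four attribute bytes followed by one data byte, 1 meaning enabled) and cross-checks with `mokutil --sb-state` when that package is installed. The variable path is a parameter so the parser can be exercised on constructed files; the sample files built by `make_sample_var` are assumptions for demonstration, not real firmware data.

```shell
#!/bin/sh
# Added example: report whether UEFI Secure Boot is enforced on an Ubuntu host.
# The SecureBoot EFI variable appears as a file under efivarfs: 4 bytes of
# attributes, then 1 data byte (1 = enabled, 0 = disabled).
EFIVARS=/sys/firmware/efi/efivars
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e0098e3ed1"

# secure_boot_state [path] -> prints "enabled", "disabled" or "unsupported".
# The optional path argument exists so the parser can run on a sample file.
secure_boot_state() {
    var="${1:-$SB_VAR}"
    if [ ! -r "$var" ]; then
        echo unsupported    # legacy BIOS boot, or efivarfs not mounted
        return 0
    fi
    # Skip the 4 attribute bytes and read the single data byte as an integer.
    byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unsupported ;;   # truncated or unexpected variable contents
    esac
}

# Cross-check with mokutil (part of the shim-signed tooling) when it is present.
mokutil_state() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed"; return 0; }
    mokutil --sb-state 2>/dev/null || echo "mokutil: query failed"
}

# make_sample_var <path> <0|1>: build a constructed variable file for testing
# the parser offline (attribute bytes are arbitrary; only the data byte matters).
make_sample_var() {
    printf '\006\000\000\000' > "$1"
    printf "\\$(printf '%03o' "$2")" >> "$1"
}

# Stand-alone use: print the state of the machine this runs on.
echo "Secure Boot (efivar):  $(secure_boot_state)"
echo "Secure Boot (mokutil): $(mokutil_state)"
```

A result of `unsupported` on a machine that boots via UEFI usually means efivarfs is not mounted; `enabled` only tells you the firmware enforces signatures on what it loads, and says nothing about whether the firmware image itself has been tampered with, which is the scenario the answer's caveat describes.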
Nope, you've covered all the bases already.
Provided you understand and follow basic security protocols (as you've discussed in your post) and prevent unauthorized people from using your machine, there isn't much else you can do to prevent rootkits or similar.
The most common entry point on a well-maintained and sanely designed system would be through the use of zero-day or disclosed-but-not-yet-fixed exploits, but these are mostly unavoidable.
The one further piece of advice which may be of use is to avoid creating an unnecessary surface for attack. If you don't need something installed, get rid of it to prevent it from being used against you. Same goes for PPAs and similar. Plus, it helps clean up your machine and make it easier to administer.
Otherwise, install and use rkhunter and similar defensive strategies, and just keep doing what you're normally doing. Linux's permission isolation is inherently safe, so unless you're doing something to violate that (like running everything you can with sudo), arbitrarily running executables, using unknown/untrusted PPAs, you should be fine.
As for avoiding BIOS rootkits specifically, check if your BIOS has a "signature verification" mode or similar. Such a mode will prevent your BIOS from updating unless it detects a valid cryptographic signature, which is usually only present on legitimate updates from your manufacturer.
Yes, don't download and run that rootkit. It is pretty easy to get a rootkit: download it, compile it if it is source, run it and give it your admin password (...).
Ubuntu Software Center is free of rootkits, viruses and malware. Launchpad PPAs are not as safe as USC but have a good track record, with some investigation about the PPA you add (i.e. check askubuntu, ubuntuforums and the like for reviews from other users).
Don't randomly download software. Don't use Windows. Don't use WINE.
And in my opinion rootkit detectors are a waste of resources. Even IF they ever detect a rootkit you will have to wade through so many false positives it makes it useless. Feel free to think differently but I have yet to see anyone actually finding a rootkit. Let alone one that targets the BIOS from Linux. The topics on the web related to Linux and rootkits where it ends up being false positives far far far outweigh the topics where there is an actual rootkit. Waste of resources. Seriously.
If you do believe a rootkit detector is a good thing you should install TWO of them and compare the results. If one claims there is a rootkit and the other does not you can assume it is a false positive. And even if both claim there is a rootkit it is more than likely to be a false positive.
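The first answer recommends rkhunter and chkrootkit, and the answer just above suggests running two detectors and treating anything only one of them flags as a likely false positive. The POSIX shell script below is an added example (not code from either answer nor from the rkhunter or chkrootkit projects) that does exactly that comparison: it pulls the absolute paths named in rkhunter `Warning:` lines and in chkrootkit `INFECTED` lines and reports which paths both tools agree on. The `run_both_scanners` function uses the real flags `rkhunter --update`, `rkhunter --check --sk --rwo` and `chkrootkit -q`, and the `rkhunter --propupd` step refreshes rkhunter's file-property baseline after a package upgrade you have verified yourself (the commonest source of its false alarms). The sample outputs written by `make_samples` are constructed in the style of `/var/log/rkhunter.log` and chkrootkit's console output; the file names under `/tmp` are assumptions.

```shell
#!/bin/sh
# Added example: cross-check rkhunter and chkrootkit findings so that a path
# flagged by only one tool is surfaced as "probably a false positive, verify".
export LC_ALL=C   # consistent sort/comm collation

# Real-system workflow (needs root; not run by the demo at the bottom).
run_both_scanners() {
    sudo rkhunter --update                                      # refresh rkhunter data files
    sudo rkhunter --check --sk --rwo > /tmp/rkhunter.warnings   # --sk: no keypress, --rwo: warnings only
    sudo chkrootkit -q > /tmp/chkrootkit.out                    # -q: print findings only
}

# After an apt upgrade you have checked yourself, re-baseline file properties
# so rkhunter stops warning about the legitimately changed binaries.
rebaseline_after_upgrade() { sudo rkhunter --propupd; }

# rkhunter_flags <logfile...>: sorted unique absolute paths named in Warning lines
rkhunter_flags() {
    grep -h 'Warning:' "$@" | grep -o '/[A-Za-z0-9._/-]*' | sort -u
}

# chkrootkit_flags <outfile...>: sorted unique absolute paths on INFECTED lines
chkrootkit_flags() {
    grep -h 'INFECTED' "$@" | grep -o '/[A-Za-z0-9._/-]*' | sort -u
}

# compare_flags <rkhunter.log> <chkrootkit.out>
# Prints one line per path: "both <path>", "only-rkhunter <path>" or
# "only-chkrootkit <path>". Only "both" deserves immediate attention.
compare_flags() {
    rk=$(mktemp); ck=$(mktemp)
    rkhunter_flags "$1" > "$rk"
    chkrootkit_flags "$2" > "$ck"
    comm -12 "$rk" "$ck" | sed 's/^/both /'
    comm -23 "$rk" "$ck" | sed 's/^/only-rkhunter /'
    comm -13 "$rk" "$ck" | sed 's/^/only-chkrootkit /'
    rm -f "$rk" "$ck"
}

# make_samples <dir>: constructed tool output for an offline demonstration.
make_samples() {
    cat > "$1/rkhunter.log" <<'EOF'
[12:00:01] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[12:00:02] Warning: Hidden directory found: /dev/.udev
[12:00:03] Warning: Suspicious file found: /tmp/.evil_module
EOF
    cat > "$1/chkrootkit.out" <<'EOF'
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for suspicious files and dirs... /tmp/.evil_module INFECTED
EOF
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
compare_flags "$demo_dir/rkhunter.log" "$demo_dir/chkrootkit.out"
rm -rf "$demo_dir"
```

On the constructed input the script reports `/tmp/.evil_module` as flagged by both tools, while the Perl-script warning for `lwp-request` and chkrootkit's classic `/sbin/init` Suckit warning land in the "only one tool" buckets, which is where the false positives the answers complain about usually sit.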
If you use wired ethernet on an Intel vPro CPU (Intel Core i3, i5, i7 and others) you may not be aware of the "Intel Management Engine" - a separate CPU and processing environment connected to the hardware ethernet port.
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology
This subsystem is able to:
- "Remotely redirect the system's I/O via console redirection through serial over LAN (SOL). This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes."
- "Access and change BIOS settings remotely. This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is designed to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings."
This seems to give physical-ethernet essentially physical-access to the device. If you are concerned, perhaps leave the device unplugged from ethernet.
While I can see some of the usefulness of all this in a corporate environment there could be some problems with a subsystem like this... Google "intel management engine vulnerability" and you'll find many links.
- Thanks for letting me know this. I had no idea. Yes, both of the laptops in question fall in these categories: both i5. BIOS totally inaccessible on both now. I'll definitely leave the laptops offline. – user637251 Jan 26 '17 at 12:01
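The answer above tells the asker that the Management Engine is reachable through the wired Intel NIC, and the asker cannot check the BIOS to see whether AMT is provisioned. The POSIX shell script below is an added example (not from the answer or from Intel) that does the host-side inventory a defender can still do from Ubuntu: it looks for the MEI/HECI controller and an Intel ethernet controller in `lspci` output, reports whether the `mei_me` kernel driver is bound, and prints the ME firmware version from `/sys/class/mei/*/fw_ver` where the kernel exposes it. The `grep` patterns and the sample `lspci` lines produced by `make_sample_lspci` are assumptions modelled on common vendor strings, not an authoritative signature list.

```shell
#!/bin/sh
# Added example: inventory whether this Ubuntu host exposes the Intel
# Management Engine Interface and pairs it with an Intel wired NIC, the
# combination the answer describes as giving network-side access to firmware.
MEI_PATTERN='MEI|HECI|Management Engine'        # assumption: common lspci strings
INTEL_NIC_PATTERN='Ethernet controller.*Intel'  # assumption: Intel wired NIC line

# mei_lines / intel_nic_lines <lspci-output-file>: matching lines, or nothing
mei_lines()       { grep -iE "$MEI_PATTERN" "$@" || true; }
intel_nic_lines() { grep -iE "$INTEL_NIC_PATTERN" "$@" || true; }

# exposure_level <lspci-output-file> -> "mei+intel-nic", "mei-only" or "none"
exposure_level() {
    mei=$(mei_lines "$1" | wc -l | tr -d ' ')
    nic=$(intel_nic_lines "$1" | wc -l | tr -d ' ')
    if [ "$mei" -gt 0 ] && [ "$nic" -gt 0 ]; then
        echo mei+intel-nic
    elif [ "$mei" -gt 0 ]; then
        echo mei-only
    else
        echo none
    fi
}

# report_live: read-only report for the machine this runs on.
report_live() {
    tmp=$(mktemp)
    lspci > "$tmp" 2>/dev/null || true        # empty file if lspci is absent
    echo "PCI exposure: $(exposure_level "$tmp")"
    mei_lines "$tmp"
    rm -f "$tmp"
    if lsmod 2>/dev/null | grep -q '^mei_me'; then
        echo "mei_me driver loaded: the OS-side MEI channel is active"
    else
        echo "mei_me driver not loaded"
    fi
    for f in /sys/class/mei/mei*/fw_ver; do
        if [ -r "$f" ]; then
            echo "ME firmware version ($f): $(head -n1 "$f")"
        fi
    done
}

# make_sample_lspci <path>: constructed lspci lines modelled on a vPro-era laptop.
make_sample_lspci() {
    cat > "$1" <<'EOF'
00:00.0 Host bridge: Intel Corporation 3rd Gen Core processor DRAM Controller (rev 09)
00:16.0 Communication controller: Intel Corporation 7 Series/C216 Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
EOF
}

# Stand-alone use: report on the current machine.
report_live
```

Two caveats a practitioner should keep in mind when reading the output: blacklisting `mei_me` only removes the operating system's channel to the ME and does not switch the engine itself off, and `none` from `exposure_level` means the host did not see a MEI device, not that AMT is unprovisioned; the provisioning state lives in the firmware's own menu (MEBx), which is exactly what the asker reports being unable to reach. Unplugging the wired NIC, as the answer suggests, remains the one control that does not depend on firmware access.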