Last weekend, American TV viewers were captivated by a frankly ridiculous investigation into the behind-the-scenes goings-on at the NSA by the CBS 60 Minutes team.
There were many flaws in the program, but I want to focus on one aspect: the claim that the NSA discovered an enemy state had the intention and ability to destroy every PC, by attacking computer BIOS chips.
The relevant part of the report starts at approximately 3 min 30 seconds into the following video:
Here’s a transcript of the relevant section:
Reporter (V/O): One attack they did see coming was called the “BIOS plot”. It could have been catastrophic for the United States. While the NSA would not name the country behind it, cybersecurity experts briefed on the operation told us it was China. Debora Plunkett directs cyber defense for the NSA, and for the first time discusses the agency’s role in discovering the plot.
Debora Plunkett: One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability, to destroy computers.
Reporter: To destroy computers?
Plunkett: To destroy computers. So the BIOS is a Basic Input Output System, its like the foundational component firmware of a computer. You start your computer up, the BIOS kicks in, it activates hardware, it activates the operating system. It turns on the computer.
Reporter (V/O): This is the BIOS system that starts most computers. The attack would have been disguised as a request for a software update for the computer. If the user agreed, the virus would have infected the computer.
Reporter: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do…
Plunkett: That’s right.
Reporter: … and basically turned it into a cinder block.
Plunkett: (nodding) A brick.
Reporter: And after that, there wouldn’t be much you could do with that computer?
Plunkett: That’s right. Think about the impact of that across the entire globe. It could literally take down the US economy.
Reporter: I don’t mean to be flip about this, but it has a kind of a little “Dr Evil” quality to it that “I’m going to develop a program that can destroy every computer in the world.” It sounds almost unbelievable.
Plunkett: Don’t be fooled. There are absolutely nation states who have the capability and the intentions to do just that.
Reporter: Based on what you learned here at NSA, would it have worked?
Plunkett: Errm. We believe it would have, yes.
Reporter: Is this anything that has been talked about publicly before?
Plunkett: No, not to this extent. This is the first time.
Reporter (V/O): The NSA, working with computer manufacturers, was able to close this vulnerability but they say there are other attacks occurring daily.
Here’s my take.
Are BIOS attacks by malware possible?
Yes. For instance, way back in 1998 the CIH (aka Chernobyl) virus was discovered, capable of overwriting the BIOS chip of some computers to make them unbootable. You can read my memories of the Chenobyl virus over on the Naked Security site.
If you were unlucky enough to have a computer which fell foul of the Chernobyl virus, your PC would have been useless. The only fix would have been to open it up and replace the chip.
So, the NSA’s description of the BIOS plot is plausible?
Woah. Hang on a minute. You see, the Chernobyl virus only attacked certain types of BIOS chip. Different computers use different types of chip, and may have different vulnerabilities that would allow them to be overwritten without proper authorisation.
Plunkett says “Think about the impact of that across the entire globe.” But how would the entire globe have been vulnerable? And how would the malware that delivered this devastating payload been distributed to so many computers successfully without being spotted? It doesn’t make sense.
How about the claim of “literally taking down the US economy”?
Why would China want to bring down the US economy? Think about it. If the Chinese destroyed the US economy that would be *catastrophic* for the Chinese economy. It doesn’t make sense.
So we shouldn’t believe this at all?
I’m not saying that. It is possible that the NSA stumbled across a plot to develop more BIOS-wiping malware. But I think it is much more likely that such a plot would have been targeted at particular specific computers (perhaps in sensitive locations), with the intention of bricking them, rather than the “destroy every computer in the world” scenario that CBS broadcast.
Let’s not forget, most state-sponsored internet attacks aren’t interested in destroying computers. They’re much more interested in secretly stealing information and surveillance. A bricked computer is one that instantly announces to its user that something is wrong, and prevents any more information from being exfiltrated from it.
Shouldn’t we at least be grateful that the NSA foiled the plot?
How exactly did they foil the plot? The report says that they worked with computer manufacturers to “close the vulnerability”. What did that entail?
Did every PC in America get a firmware update to their BIOS that we simply didn’t notice? Or was it, instead, that the Chinese plot was actually to introduce flaws and vulnerabilities into new BIOS chips used in future computers, and manufacturers were warned to keep their eyes open for meddling?
Of course, the truth makes for a much less sexy story than the nonsense broadcast by CBS.