Security researcher Jonathan Brossard created a proof-of-concept hardware backdoor called Rakshasa that replaces a computer’s BIOS (Basic Input Output System) and can compromise the operating system at boot time without leaving traces on the hard drive.
In short, firmware is software that is stored in non-volatile memory on a computer chip, and is used to initialise a piece of hardware’s functionality. In a PC, the BIOS is the most common example of firmware but in the case of wireless routers, a whole Linux operating system is stored in firmware.
Hardware backdoors are lethal for three reasons:
- They can’t be removed by conventional means (antivirus, formatting).
- They can circumvent other types of security (passwords, encrypted file systems).
- They can be injected during manufacturing.
Rakshasa, named after a demon from the Hindu mythology, is not the first malware to target the BIOS the low-level motherboard firmware that initializes other hardware components. Rakshasa replaces the motherboard BIOS, but can also infect the PCI firmware of other peripheral devices like network cards or CD-ROMs, in order to achieve a high degree of redundancy.
Rakshasa can be installed by anyone with physical access to your hardware either at manufacturing time, or in the office with a USB stick. Fortunately, Brossard hasn’t released the code for Rakshasa but he seems fairly confident that other security groups/agencies have already developed similar tools.
Brossard built Rakshasa by combining several legitimate open-source software packages for altering firmware. Due to the efforts of programmers that have contributed to those projects, Rakshasa works on 230 different models of motherboard, says Brossard.
The only way to get rid of the malware is to shut down the computer and manually reflash every peripheral, a method that is impractical for most users because it requires specialized equipment and advanced knowledge.