Firmware could be new frontier in hiding malicious code
John Heasman, a principal security consultant for NGS Software Ltd. of the U.K., spends his time looking for new and better ways to hide rootkits. He told an audience Wednesday at the Black Hat Federal Briefings in Arlington, Va., that firmware in your computer could be a fertile field for this type of code.
“Operating system security, application security, software security in general is getting better,” Heasman said. But that software is running on increasingly complex hardware with multiple processing and storage devices built into it. “Unless we address hardware security, we’re leaving an interesting avenue of attack open.”
A rootkit is code installed and running on a computer that typically burrows deep enough into the operating system kernel that it is not easily detected. If installed surreptitiously, it can be used to hide malicious activity by a third party.
Heasman’s presentation was a follow-up to a presentation at last year’s conference on a proof-of-concept for hiding a rootkit in the Basic Input-Output System on a computer. This is code on the motherboard that runs when a computer is powered up. Because it runs beneath the operating system, a rootkit operating there could survive reboots, reinstallation of the operating system or even replacement of the hard drive.