Vulnerability Development mailing list archives

Re: Modern hw-killing virus feasible


From: Daniel Newby <dnewby () NOMADICS COM>
Date: Fri, 9 Mar 2001 19:00:07 -0600

Mike A. Harris wrote (Wed, 7 Mar 2001):
A dead motherboard that has had its BIOS wiped out by a virus
is a dead motherboard.  The cost of repairing this problem is
significant enough to most people that it would basically mean
purchasing a new motherboard.  In other words, the "problem"
caused, has a pricetag associated with it.  While no physical
                                              ^^^^^^^^^^^^^^^^^
damage is done, and the BIOS could certainly be replaced, the
  ^^^^^^^^^^^^^^
cost factors basically equivilate that the hardware is destroyed
for all practical purposes for 99% of the general case.

Nobody has mentioned this yet, but most nonvolatile memory devices
*are* permanently physically damaged by being reprogrammed.  The damage
to a particular memory cell is cumulative, and increases each time the
cell is reprogrammed.  The wear-out process shows up as a decrease in
margin (the voltage difference between a logical zero and one).  When
the margin gets small enough, the memory bit will occasionally read out
incorrectly.  As it is damaged more, errors will occur more often.  Some
devices can withstand only a few thousand programming cycles before they
exhibit errors; others can safely take millions of cycles.

For various reasons (fabrication process, chip design, and quantum
mechanics), wear-out is often not symmetrical:  logical zeros will
always read out correctly, while logical ones begin to be falsely read.
Or vice versa, depending on the chip design.  Or maybe they both exhibit
wear-out but one starts before the other.  And some newer devices store
more than one bit in a memory cell -- who knows how they wear out.
Read-back errors are also dependent on the ambient electrical noise on
the board.  The upshot is that wear-out problems are often data- and
activity-dependent, and it might be possible for a device to pass the
checksumming process but fail when the CD-ROM drive spins up.

Here's how to use memory wear-out in an attack:
1.  Read chunk of BIOS and save it in RAM.
2.  Erase chunk of BIOS.
3.  Reprogram chunk of BIOS from saved copy.
4.  Read out chunk of BIOS and compare to saved copy.
5.  Repeat step 4 1000 times.
6.  If bit error rate is too low, goto step 2.  (I.e., keep wearing
    out BIOS until sufficiently flaky.)
7.  Return to regularly scheduled program.

Besides the BIOS, what else could be attacked this way?  Offhand, I can
think of Ethernet cards, which often store the MAC in EEPROM.  A
malicious program could wear out the least-significant byte of the MAC:
machines would occasionally jump DHCP leases or get MAC collisions
when rebooted.  Heterogeneous thin clients might randomly boot from the
wrong firmware.  Multi-homed hosts might have trouble binding the proper
IP addresses to the proper NICs.

The potential for creeping low-intensity flakiness should be obvious.
Tracing this type of problem to its root cause is difficult and
expensive.  The tendency will be to think "Maybe it's just a bad batch
of Ethernet cards.  Maybe the machines in that building were just
damaged by a lightning strike."

    -- Daniel Newby (speaking for myself)
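A toy simulation, added here and not part of Daniel's post, of the wear-out model he describes (cumulative margin loss, asymmetric failure of ones, noise-dependent read-back) together with the check a defender would want: reading the firmware image many times and flagging cells that disagree between reads, since a single checksum pass says nothing about marginal cells. The class, its parameters and the "firmware" image are constructed assumptions and model no real part.

```python
import random


class ToyFlash:
    """Constructed toy nonvolatile memory (not a model of any real part).
    Each cell has a bit and a margin; programming a one costs margin, and a
    one with little margin left can read as zero under board noise. Zeros
    always read back correctly, mirroring the asymmetric wear described."""

    def __init__(self, nbits, seed=0, margin=1.0, wear=0.002, noise=0.05):
        self.rng = random.Random(seed)       # deterministic "board noise"
        self.bits = [0] * nbits
        self.margin = [margin] * nbits
        self.wear, self.noise = wear, noise

    def program(self, image):
        """Erase and reprogram every cell; each programmed one wears its cell."""
        assert len(image) == len(self.bits)
        for i, b in enumerate(image):
            if b:
                self.margin[i] = max(0.0, self.margin[i] - self.wear)
            self.bits[i] = b

    def read(self):
        """Read all cells; a one flips to zero when noise exceeds its margin."""
        return [0 if b and self.rng.gauss(0.0, self.noise) > m else b
                for b, m in zip(self.bits, self.margin)]


def age(dev, image, cycles):
    """Reprogram the same image repeatedly to accumulate wear in the toy."""
    for _ in range(cycles):
        dev.program(image)


def flaky_bits(dev, reads=1000):
    """Defender-side check: read the image repeatedly and return the indices
    of cells whose value did not agree across all reads (marginal cells)."""
    first = dev.read()
    flaky = set()
    for _ in range(reads - 1):
        for i, (a, b) in enumerate(zip(first, dev.read())):
            if a != b:
                flaky.add(i)
    return sorted(flaky)


if __name__ == "__main__":
    dev = ToyFlash(16, seed=1)
    image = [1, 0] * 8                       # constructed 16-bit "firmware"
    dev.program(image)
    print("fresh device, flaky cells:", flaky_bits(dev, 200))   # []
    age(dev, image, 500)
    print("worn device, flaky cells:", flaky_bits(dev, 200))    # only ones
```

In the toy only cells holding a one ever become flaky, so the flagged indices land on the image's one-bits; a real part may wear the other way, which is why the check compares reads rather than assuming a direction.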

