NSA hacked Dell PowerEdge server BIOS

The latest NSA leak describes DEITYBOUNCE, a tool for flashing malicious BIOS on Dell servers. The doc is from 2007 and such attacks would be much harder now.
Written by Larry Seltzer, Contributor

Latest to leak from the NSA files of Edward Snowden is a description of DEITYBOUNCE, which the document says "provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads." The image of the document is embedded below.

The attack, as described, is performed manually with a USB key, apparently using the Autorun bugs made infamous by Stuxnet. Once implanted in the system BIOS, the tool drops the payload into the host OS at boot time.

The document is dated January 2007 (same as the iPhone hack document), and the attacks described in it are certainly much more difficult today, if they are possible at all. The specific attacks clearly won't work, as they are targeted at "Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge 1850/2850/1950/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7."

Even if the NSA went to the trouble of updating the attacks for minor changes in operating systems and firmware, current technologies can thwart this form of attack. UEFI (Unified Extensible Firmware Interface), together with Secure Boot, applies a PKI-based signature check to the code the firmware loads at boot. Unless they had access to the signing keys, the NSA shouldn't be able to flash a malicious BIOS onto a system so equipped. Dell and Microsoft have supported UEFI and Secure Boot for many years. Windows 8 system certification actually requires UEFI and Secure Boot to be enabled by default, using a Microsoft private key.
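The practical question for an administrator is whether Secure Boot is actually enforcing on a given machine, since a platform still in setup mode (no Platform Key enrolled) or with Secure Boot switched off gets none of the protection described above. The script below is an added example, not from the article or from Dell, that decodes the SecureBoot and SetupMode variables as Linux exposes them through efivarfs; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and uses the standard EFI global-variable GUID.

```shell
#!/bin/sh
# Added example: classify a machine's Secure Boot state from efivarfs.
# Each efivarfs file is a 4-byte attribute header followed by the variable's
# data; for SecureBoot and SetupMode the data is a single byte (0 or 1).
# Assumption: efivarfs mounted at the path below (Linux default).
EFIVARS=/sys/firmware/efi/efivars
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE

# Print the first data byte (skipping the 4-byte attribute header) of an
# efivarfs file as a decimal number. Returns 1 if the file is unreadable,
# which is what a legacy BIOS boot (no EFI variables at all) looks like.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Usage: secure_boot_state <SecureBoot file> <SetupMode file>
# Prints one of: legacy, disabled, setup-mode, enforcing
#   legacy     - no EFI variables: firmware booted in legacy/CSM mode
#   disabled   - SecureBoot variable is 0
#   setup-mode - SecureBoot is 1 but no Platform Key is enrolled, so
#                signature checks are not actually enforced
#   enforcing  - SecureBoot is 1 and SetupMode is 0
secure_boot_state() {
    sb=$(efivar_byte "$1") || { echo legacy; return; }
    sm=$(efivar_byte "$2") || sm=0
    if [ "$sb" != "1" ]; then
        echo disabled
    elif [ "$sm" = "1" ]; then
        echo setup-mode
    else
        echo enforcing
    fi
}

# Check the running system.
secure_boot_state "$EFIVARS/SecureBoot-$GLOBAL_GUID" \
                  "$EFIVARS/SetupMode-$GLOBAL_GUID"
```

Only "enforcing" means the firmware will refuse unsigned boot code; the other three states deserve a ticket.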

Hat tip to security legend Bruce Schneier.
