New BIOS security standards aimed at fighting rootkit attacks

NIST sets new security guidelines for updating firmware

There's a growing threat of attacks on computer basic input/output system (BIOS) firmware, and to deter it, the National Institute of Standards and Technology (NIST) is putting in place new security guidelines for updating the BIOS. And in doing this, NIST is getting high-tech manufacturing to raise the bar on security.

"Last September, the first BIOS-based rootkit in the wild was discovered, called Mebromi," notes Andrew Regenscheid, math researcher and project leader in NIST's computer security division. While criminals creating malware have spent far more time over the years targeting Windows applications and operating systems (OS), the potential for wreaking serious havoc by subverting the BIOS, which typically works to do jobs such as load the OS, is of growing concern.

IN THE NEWS: New NIST encryption guidelines may force fed agencies to replace old websites

So through new security guidelines that will influence what computers the federal government buys in the future, NIST is setting standards that require authentication of BIOS update mechanisms.

Just this week NIST put out for public comment its proposed federal standard, "BIOS Protection Guidelines for Servers," with comment sought through mid-September. The intent is to stop any cyberattack related to "unauthorized modification of BIOS firmware by malicious software."

The NIST document basically says government buyers of servers in the future -- whether these are basic servers, managed servers or blade servers -- will be checking to see if gear they are thinking of getting has any way to "authenticate BIOS update mechanism," "secure local update mechanisms," and if there's "firmware integrity protection" and "non-bypassability features."

Encryption-based digital signatures and public-key certificates, among other techniques, are viewed as means of creating these security controls, but NIST isn't dictating specific processes, according to Regenscheid.

He says the concern is that manufacturers haven't uniformly applied strong security controls over BIOS in the past. This may be because BIOS updates tend to occur far less often than other kinds of computer software updates. But with the malware threat growing, it's time to focus on the BIOS, Regenscheid points out.

NIST already issued BIOS security standards for desktops and laptops in April 2011, and the Department of Homeland Security has told federal agencies to use them as a basis for purchasing laptops and desktops, starting this October. The U.S. Department of Defense has issued similar instructions, says Regenscheid. Manufacturers are aware of NIST's direction in all this and are responding. "Microsoft Windows 8 has BIOS protection for the desktop," he points out.

Security for server BIOS may be more complicated and call for support from OEM manufacturers such as Dell, HP and Lenovo. "We're proposing a tightly controlled update process," says Regenscheid. Proposed standards from NIST typically are approved and take effect within six months.

At that point, the "BIOS Protection Guidelines for Servers" will be a federal standard that is likely to also impact what the government acquires, just as the client BIOS security standard did. One question: Since the federal government is increasingly involved in buying cloud-based services, should cloud providers be asked to support secure BIOS? Regenscheid says that's something that surely will be brought up in discussions by people in government who write procurement requirements.

Another question is whether NIST will address this BIOS issue in regard to newer mobile devices, such as tablets from Apple or Google manufacturers, that the federal government is increasingly interested in using. Regenscheid acknowledges NIST is taking a hard look at this, as well as planning several new security standards related to mobile that will be unveiled in the course of the next year.

But NIST isn't tackling these issues by directly changing Android code, for example. Instead, NIST is quietly communicating the federal government's ideas directly to the high-tech manufacturers in the mobile world. "We're reaching out to Google and Apple and Microsoft and talking to them about features we'd like to see," says Regenscheid.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

Read more about wide area network in Network World's Wide Area Network section.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?