Posted by: Cyber Freak
Tuesday, 14 August 2012
Believe it or not, we already have the technology to do this. It’s called a hardware backdoor, and it’s a lot like a software virus that grants backdoor access to your computer — except that the code resides in the firmware of a computer chip. In short, firmware is software stored in non-volatile memory on a computer chip and used to initialize a piece of hardware’s functionality. In a PC, the BIOS is the most common example of firmware, but in the case of wireless routers, a whole Linux operating system is stored in firmware.
At the Black Hat security conference last week, assembly master and long-time security consultant Jonathan Brossard demonstrated a proof-of-concept hardware backdoor. Called Rakshasa (which are unrighteous spirits in Hindu and Buddhist mythoi), this backdoor is persistent, very hard to detect, portable, and because it’s built using open-source tools (Coreboot, SeaBIOS, and iPXE) it could be used by governments and still grant them plausible deniability.
Hardware backdoors are lethal for three reasons:
a) They can’t be removed by conventional means (antivirus, formatting);
b) They can circumvent other types of security (passwords, encrypted filesystems);
c) They can be injected at manufacturing time.
To infect a computer with Rakshasa, Coreboot is used to re-flash the BIOS with a SeaBIOS and iPXE bootkit. The bootkit itself carries no malicious code, and because it’s crafted out of legitimate, open-source tools, it’s very hard for anti-malware software to flag it as malicious. At boot time, the bootkit fetches the malware over the web, using an untraceable wireless link if possible (via a hacker parked outside) or HTTPS over the local network. Rakshasa’s malware payload then proceeds to disable the NX (no-execute) bit, remove anti-SMM protections, and disable ASLR (address space layout randomization).
Because the same basic chips are used time and time again, Brossard says Rakshasa works on 230 Intel-based motherboards. It is also possible to load Rakshasa into the firmware of another piece of hardware — a network card, for example — and then have Rakshasa automatically transfer itself to the BIOS. Furthermore, the bootkit can be used to create a fake password prompt for Truecrypt and BitLocker, potentially rendering full-disk encryption useless. Finally, the Rakshasa bootkit even allows the remote flashing of the original BIOS — perfectly covering your tracks.
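A defender’s check the post does not include, added here as an example rather than anything from Brossard’s talk: record the TPM PCR values from a known-good boot and diff later boots against them, since a re-flashed BIOS changes the PCR0 measurement and a modified option ROM (the network-card route above) changes PCR2. It assumes the machine has a TPM, that the input is in the layout `tpm2_pcrread` prints (assumed format), and the digests below are constructed, not real measurements.

```python
import hashlib
import re

# Matches the "  <index> : 0x<hex>" lines under a bank header in tpm2_pcrread output.
PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")

# PCRs the threat in the post would disturb (TCG PC Client firmware profile):
# PCR0 = BIOS code, PCR2 = pluggable option ROMs (e.g. a NIC), PCR7 = Secure Boot policy.
FIRMWARE_PCRS = {
    0: "firmware code (BIOS re-flash)",
    2: "option ROMs (e.g. network card firmware)",
    7: "Secure Boot policy",
}

def parse_pcrread(text):
    """Parse the 'bank:' / '  idx : 0xHEX' layout into {(bank, idx): lowercase hex}."""
    values, bank = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            bank = line.strip()[:-1]          # e.g. "sha256:" -> "sha256"
            continue
        m = PCR_LINE.match(line)
        if m and bank is not None:
            values[(bank, int(m.group(1)))] = m.group(2).lower()
    return values

def compare_pcrs(baseline_text, current_text, bank="sha256"):
    """Return [(pcr, 'changed'|'missing', meaning)] for firmware-relevant PCRs that differ."""
    base, cur = parse_pcrread(baseline_text), parse_pcrread(current_text)
    findings = []
    for idx, meaning in FIRMWARE_PCRS.items():
        b, c = base.get((bank, idx)), cur.get((bank, idx))
        if b is None or c is None:
            findings.append((idx, "missing", meaning))
        elif b != c:
            findings.append((idx, "changed", meaning))
    return findings

def fake_digest(label):
    """Constructed stand-in for a real PCR digest; only used to build the samples below."""
    return hashlib.sha256(label.encode()).hexdigest()

def render(values):
    """Build constructed tpm2_pcrread-style text for the sha256 bank."""
    return "\n".join(["sha256:"] + [f"  {i} : 0x{d.upper()}" for i, d in values])

# Constructed samples: a known-good boot, then a boot after the BIOS was re-flashed (only PCR0 moves).
GOOD_BOOT = render([(0, fake_digest("vendor-bios")), (2, fake_digest("nic-oprom")), (7, fake_digest("sb-on"))])
REFLASHED_BOOT = render([(0, fake_digest("coreboot-bootkit")), (2, fake_digest("nic-oprom")), (7, fake_digest("sb-on"))])
```

A firmware-resident backdoor that also controls the measuring code can forge these values, so the check is only as strong as a hardware-rooted CRTM and, ideally, remote attestation of a signed PCR quote rather than values read locally.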
Rakshasa can be installed by anyone with physical access to your hardware — either at manufacturing time, or in the office with a USB stick. Fortunately, Brossard hasn’t released the code for Rakshasa — but he seems fairly confident that other security groups/agencies have already developed similar tools.
Rakshasa: The Hardware Backdoor that China Could Embed in Every Computer