Maker tech hub — AI · 3D print · Pi · ESP32 · plus the classic tech archive.

Free ESP32 kit · Books · Network Ninja · Archive

Classic tech archive. From the original averyjparker.com tech blog — historical context; pair with modern guides where noted. Full archive · Maker projects · Network Ninja

Classic tip · Security

BIOS based rootkits coming soon....

There have been a couple stories out of the "Blackhat federal" conference in the last couple days. Brian Krebs at the Security Fix gives a good overview. One of the more troubling notes is the possib…

Written by

Avery J. Parker

IT veteran, maker educator, and author of Network Ninja, 3D Printing Mastery, and AI Workflow Mastery. Business IT: Diversified Tech Solutions.

There have been a couple stories out of the "Blackhat federal" conference in the last couple days. Brian Krebs at the Security Fix gives a good overview. One of the more troubling notes is the possibility of creating a rootkit that can hide itself in a systems BIOS. Security Focus has some detail on this as well.


This kind of reminds me of the "old days" of computer viruses where you NEVER did a scan from within the operating system because boot sector viruses, or other infected startup files could hide themselves from a running virus scan. I guess the simplest way to put the problem is this.... ACPI is a function that most BIOS' these days support. It supports a higher level programming language and if the ACPI BIOS is left writable, then someone COULD hide a "bootstrap" for a rootkit in the BIOS.

This "bootstrap" would then be able to download and install other, larger components later to disc. What's disturbing about this is that the rootkit itself would survive a drive reformat, or even drive replacement. It would still lay in wait in the BIOS when running an alternative operating system or boot cd. It's unlikely (they say) that we might have an easily transmittable rootkit that does this, but would most likely be done as "an inside job" where someone with physical access to the machine is able to load this. It's not reassuring though. Admittedly "pysicall access" to the machine is usually game over in a security context, because really and truly if someone has physical access they can do whatever they please with the box.