On Tuesday, researchers at the security firm Eclypsium published the results of an experiment showing that, for a certain class of cloud computing servers, they could pull off an insidious trick: rent a server from a cloud computing provider (they focused on IBM in their testing), alter its firmware, and hide changes to that code which live on even after they stop renting it and another customer rents the same machine. While they made only benign changes to the IBM servers' firmware in their demonstration, they warn that the same technique could be used to plant malware in a server's hidden code that persists undetected even after someone else takes over the machine, allowing the hacker to spy on the server, alter its data, or destroy it at will.
"When organizations use public cloud infrastructure, they're essentially borrowing equipment, like buying it used off of eBay, and it can be pre-infected before they start using it," says Yuriy Bulygin, Eclypsium's founder and a former head of Intel's advanced threat research team. "In a similar way, that equipment can be infected if the cloud service provider hasn't sanitized all its equipment at the deepest level, including the firmware."
That cloud sanitization problem, Eclypsium's researchers were careful to point out, doesn't affect all cloud servers.
The good news, Nohl argues, is that bare-metal servers make up only a small minority of cloud setups, and virtualized servers would be far harder to attack with the firmware trick.
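The defence the researchers describe is sanitizing the machine at the firmware level between tenants. As an added illustration that is not Eclypsium's or IBM's code, the following models the re-provisioning check a bare-metal provider could run: every firmware component read back from the server is compared against a golden manifest, and any deviation blocks the handoff until the component is reflashed. Component names and image bytes are constructed placeholders.

```python
import hashlib


def sha256_hex(image: bytes) -> str:
    """Hash one firmware image read back from the device."""
    return hashlib.sha256(image).hexdigest()


# Constructed golden images for one server model; in practice the
# provider would keep only the hashes of its signed release images.
GOLDEN_IMAGES = {
    "bmc": b"constructed BMC image v2.1",
    "uefi": b"constructed UEFI image v1.7",
    "nic": b"constructed NIC option ROM v3.0",
}
GOLDEN_MANIFEST = {name: sha256_hex(img) for name, img in GOLDEN_IMAGES.items()}


def audit_firmware(captured: dict, manifest: dict) -> dict:
    """Compare read-back firmware against the manifest.

    Returns component -> finding for every deviation:
      'modified'  hash differs from the golden image
      'missing'   component expected but not read back
      'unknown'   component present that the manifest does not list
    An empty dict means the server matches the golden state.
    """
    findings = {}
    for name, expected in manifest.items():
        if name not in captured:
            findings[name] = "missing"
        elif sha256_hex(captured[name]) != expected:
            findings[name] = "modified"
    for name in captured:
        if name not in manifest:
            findings[name] = "unknown"
    return findings


def handoff_decision(findings: dict) -> str:
    """Any deviation means reflash from golden images and re-audit;
    the previous tenant's firmware is never trusted as-is."""
    return "ready" if not findings else "reflash"


if __name__ == "__main__":
    # Constructed capture: the BMC image differs from the golden one,
    # as it would after a tenant flashed their own build.
    captured = dict(GOLDEN_IMAGES)
    captured["bmc"] = b"constructed BMC image v2.1 with extra payload"
    findings = audit_firmware(captured, GOLDEN_MANIFEST)
    print(findings, handoff_decision(findings))
```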