How to prevent hackers injecting code into the bios?

How could you prevent someone from infecting your chips on the mother board like the bios? Is there a way to make doing something like that impossible? Possibly modification of the mother board? I'm currently developing a system that prevents hackers 100% from modifying my computer in any way.

There has to be a way to prevent write access to the bios and other chips on the system. I never flash my bios or any chips anyways so it doesn't matter. On this system there would be no need to anyways.

 

https://www.wilderssecurity.com/showthread.php?t=356755

Have you seen this thread? Some interesting links too. Looking forward to any answers you get.

 

Nothing in those threads comes close to what I'm talking about. I already plan to destroy the on-board microphone, camera, and even the sound card if possible. On-board wifi will be removed or destroyed.

The question is how to prevent the hacker from accessing the bios. How it works and what to do to prevent any writing to it.

The BIG question is what can they even do if they did get code into the bios. The bios only runs once so what ever they do will be in the ram. Couldn't you just kill the process?

I guess there just really isn't anything you can do. Just limit what they can do /get and try to prevent it in the first place.

 

The only thing I can think of is hardware changes. Install some switches that will sever the connection from the board to the chips. Since BIOS and other chips only have to run once at start up all you have to do is kill the connection once there pc is up and running.

They could try to get in but there would be no physical way. It shouldn't be a problem because the pc has no use for the chips once it is booted up.

 

What you're talking about basically cannot be done IMO. Chances are that if a computer can compute, it can be subverted in some way.

(IIRC theories of computability have something to say on this.)

 

If you think about severing the connection between a mobo and the BIOS chip after booting and have such skills, you'll probably already know about mobo jumpers.
Like above, I'm doubting your course/needs allow for a functional computing device.

 

What about if password protect or lock the BIOS access?

 

I use a BIOS PW and have from the day dot. The only way I can see circumvention is for system to be compromised where it will be exploited to flash the BIOS or some crazy airgap exploit.

 

same here I have password protected mine too.

 

It would be better, I think, to use more-or-less disposable machines for work that involves such risks, and ensure that they're fully isolated (network and storage) from your other machines.

If the BIOS is installed in a socket, you could replace it when appropriate. However, other motherboard firmware might be at risk, and at some point you might as well replace the entire board. Perhaps you could buy a lot of discontinued motherboards and CPUs at low prices.

 

Great and thanks for the comments. The hackers now have far more advanced programs than you probably can comprehend at this time. Myself included.

Password on the bios wouldn't help against these guys.

Disposable systems are an excellent idea. However... I would be far more interested in a system that completely thwarts all attempts to corrupt the board, hd, disks, ect.

Only possibility I have actually considered is finding out what wire or line on the board is used to input data into the chips. Sever it. Use no hard drive or a read only drive (truly read only).

If you think about it there really is no reason to write to the chips once your PC is set up the way you want it.

-------------------------

What this will accomplish is more privacy and lack of satisfaction for the hacker since he can leave no bombs or tracking programs.