This weekend, CBS ran a story about how the NSA foiled a sinister plot to brick millions of PCs and cause a financial meltdown. At least they didn’t say MELTDOWN.
My opinion is that this is a puff piece. A source managed to scare a journalist with a threat that sounded credible enough, and make something routine sound big and threatening.
Let’s start with the threat. Attacking the BIOS is a concept that dates back to the late 1990s, when field-upgradable BIOSes became common. Write random data to that chip, and the PC forgets how to boot. Whether it’s fixable depends on a few different things, but in the worst-case scenario, a technician swaps the motherboard with a close-enough match. Locating the close-enough match is the hardest and most time-consuming part of the repair. Once the board arrives, swapping it in takes minutes.
If a shop can’t locate a suitable board to swap in, then you have to replace the PC. Recovering the data is trivial though; just put the hard drive in the new system and copy the data over.
How one goes about foiling a plot to release a virus is another question. Perhaps a double agent sabotaged the code, or perhaps they infiltrated the group, got a copy of the code, and tipped off antivirus vendors. It doesn’t really matter; that’s the NSA’s job and what matters is that they did their job.
In other news, the mail carrier delivered my mail yesterday, and the day before too. Stop the presses.
But I also question the actual damage behind this plot. Bricking a pile of BIOSes would be an inconvenience for a lot of people, but what would they do? They would take their computers in to a repair shop. The computer would be repaired or replaced. A lot of struggling retailers would get a boom in new business. Intel, AMD and Microsoft would get a nice bump in profits. Apple might too, as some of the victims might switch to Apple kit. And a lot of vulnerable computers running outdated software would get replaced with newer, more secure systems.
It would be painful, but there could be some long-term benefits, much like the analog to digital conversion of television a few years ago, which caused a boom in HDTV sales. And in the end, national security would increase.
And that’s assuming the attack was successful. The mechanism to get at the BIOS in order to change it varies. Dealing with all of those variables isn’t necessarily impossible, but it’s difficult, even with AMI’s source code leak. CIH was successful because the chipset it targeted, the Intel 430TX, was extremely common at the time. Nothing today is as dominant as the 430TX was in 1998, and people keep their PCs much longer now than they did then.
CIH bricked about 60 million computers and caused $1 billion in damage. Replicating that success is likely to be difficult, and it would take more than that to ruin the U.S. economy, if that was the goal.
It’s a puff piece. It reinforces the slight majority of U.S. citizens who approve of the NSA spying on its own citizens because terrorism. Perhaps it sways a few people on the fence. Few, if any, of the people who object will be swayed by something like this, because they object due to deeper political beliefs, or due to deeper issues like the implications of the NSA intentionally weakening cryptographic algorithms. Those same people would also point out that foiling a virus plot is a completely separate issue from a government spying on its own citizens, since the nameless nation-state in the story would have done its R&D on its own networks.