[…]Device-local verified boot bypass (persistence methods): CUJO uses Das U-Boot’s “Verified Boot,” an open-source primary boot loader that aims to protect the boot process from unauthorized modifications and, as a consequence, to avoid a persistent compromise of the device. Moreover, the first 16MB of CUJO’s eMMC have been permanently write-protected, so that it is not possible, even for the manufacturer, to modify the system’s bootloaders. We identified two vulnerabilities that bypass these protections.

We identified an issue in Das U-Boot, affecting versions 2013.07-rc1 to 2014.07-rc2 (inclusive). TALOS-2018-0633 shows that U-Boot FIT images’ signatures are not enforced, since it is still possible to boot from legacy unsigned images. This behavior can be exploited by simply replacing a signed FIT image with a legacy (and thus unsigned) image. CUJO uses the OCTEON SDK, which in turn uses U-Boot version 2013.07, so they are both vulnerable to this issue. Because of this, and since products have no possibility to use the impacted U-Boot versions without being affected by the issue, this CVE has been assigned to U-Boot. As previously stated, since the U-Boot bootloader is unmodifiable, TALOS-2018-0633 cannot be fixed in CUJO. Note, however, that, in isolation, this is a less severe issue. See our discussion below for more details.

TALOS-2018-0634 describes an additional way to bypass the secure boot process. By modifying the `dhcpd.conf` file, it is possible to make the DHCP server execute shell commands. Since this file persists across reboots, it is possible to execute arbitrary commands as root at each boot, effectively compromising the system’s integrity.[…]
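A defender-side illustration of the format confusion behind TALOS-2018-0633, written for this digest and not taken from Talos, CUJO or U-Boot: a loader that claims to enforce signatures must refuse any image that is not a FIT before it reaches a signature check at all, because a legacy uImage (magic 0x27051956) has no place for a signature, only CRCs. The header layout and magic values are U-Boot’s; the policy function, the helper names and the constructed test image are assumptions made here.

```python
import struct
import zlib

LEGACY_MAGIC = 0x27051956   # U-Boot legacy uImage header magic (ih_magic)
FIT_MAGIC = 0xD00DFEED      # a FIT image is a flattened device tree (FDT magic)
LEGACY_HDR_LEN = 64

def classify_boot_image(blob: bytes) -> str:
    """Return 'fit', 'legacy' or 'unknown' from the image's leading magic."""
    if len(blob) < 4:
        return "unknown"
    magic = struct.unpack(">I", blob[:4])[0]
    if magic == FIT_MAGIC:
        return "fit"
    if magic == LEGACY_MAGIC and len(blob) >= LEGACY_HDR_LEN:
        return "legacy"
    return "unknown"

def parse_legacy_header(blob: bytes) -> dict:
    """Decode the 64-byte uImage header and check both CRCs. The CRCs are
    integrity checks only: a legacy image carries no signature at all."""
    hdr = blob[:LEGACY_HDR_LEN]
    _magic, hcrc, _time, size, _load, _ep, dcrc, *_ids, name = struct.unpack(">7I4B32s", hdr)
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]   # ih_hcrc is zero while the header is hashed
    data = blob[LEGACY_HDR_LEN:LEGACY_HDR_LEN + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size,
        "hcrc_ok": zlib.crc32(zeroed) == hcrc,
        "dcrc_ok": zlib.crc32(data) == dcrc,
    }

def verified_boot_decision(blob: bytes) -> str:
    """Policy a verified-boot loader should apply (assumed here): only FIT
    images can carry signatures, so anything else is rejected up front."""
    kind = classify_boot_image(blob)
    if kind == "fit":
        return "accept-for-signature-check"
    if kind == "legacy":
        h = parse_legacy_header(blob)
        return f"reject: unsigned legacy image '{h['name']}' ({h['size']} bytes)"
    return "reject: unrecognised image format"

def make_legacy_image(payload: bytes, name: bytes = b"constructed") -> bytes:
    """Build a well-formed legacy uImage around payload (constructed test data)."""
    middle = struct.pack(">4I", 0, len(payload), 0x80000000, 0x80000000)  # time, size, load, ep
    tail = struct.pack(">I4B32s", zlib.crc32(payload), 5, 5, 2, 0, name)   # dcrc, os, arch, type, comp, name
    hcrc = zlib.crc32(struct.pack(">2I", LEGACY_MAGIC, 0) + middle + tail)
    return struct.pack(">2I", LEGACY_MAGIC, hcrc) + middle + tail + payload
```

A legacy image with valid CRCs is still rejected: the CRCs only prove the image was not corrupted, which is exactly the gap a signature-only-for-FIT policy closes.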
[…]It comes with a lot of new features and fixes, such as better C++ support, compatibility with the most recent LLVM versions (including LLVM 8), integration of CVC4 and Yices 2, better path merging functionality, improved support for vector instructions, a new categorized help menu and more![…]
Hardwear.io has been based in Europe (the Netherlands) since its start in 2015. But this year it will not only be in the Netherlands, but ALSO in Berlin and Santa Clara! The CfP is open for Santa Clara and the Netherlands.
PS: Hardwear organizers:
Please consider submitting your events to https://www.cfptime.org/
Facebook has a new blog post with information about their internal firmware usage:
Many interesting presentations at this event!
Side-Channel assessment of Open Source Hardware Wallets
Side-Channel Attack on Mobile Firmware Encryption
LEIA: the Lab Embedded ISO7816 Analyzer, a custom smartcard reader for the ChipWhisperer
iDRACKAR, integrated Dell Remote Access Controller’s Kind Approach to the RAM
WEN ETA JB? A 2 million dollars problem
Everybody be cool, this is a robbery!
IDArling, the first dating platform for reversers
Journey to a RTE-free X.509 parser
DLL shell game and other misdirections
Mirage: an offensive framework for auditing Bluetooth Low Energy
GUSTAVE: Fuzz It Like It’s App
Dissecting the VMware hypervisor
Electromagnetic watermarking of drones
Challenge results and solution
Russian Style (Lack of) Randomness
Quantum is fantastic!
Ethereum: hunting vulnerable smart contracts
Security analysis of a smartphone-based hardware wallet
V2G Injector: Whispering to cars and charging units through the Power-Line
Access point firmware analysis, reverse engineering and privilege escalation
SourceFu: using partial interpretation for source code deobfuscation
A Joint Message from the IPMI Promoters (Dell, Hewlett Packard Enterprise, NEC, Intel Corporation):
No further updates to the IPMI specification are planned or should be expected. The IPMI promoters encourage equipment vendors and IT managers to consider a more modern systems management interface which can provide better security, scalability and features for existing datacenters and be supported on the requisite platforms and devices. DMTF’s Redfish standard (from dmtf.org/redfish) is an example of one such interface.
Note: the above statement applies only to the IPMI Specification, and should have no impact on existing IPMI implementations.
The video is uploaded to YouTube.
Suggestion for UEFI Forum: It would be nice if you added a link to the uploaded video on the Past Events page, so there would be more value in having a “Past Events” page…
I am not sure, but I believe the Apple tech support article on Secure Boot was recently updated.
One of the useful features of Apache (or indeed any competent web server) is the ability to use client side certificates. All this means is that a certificate from each end of the TLS transaction is verified: the browser verifies the website certificate, but the website requires the client also to present one and verifies it. Using client certificates, when linked to your own client certificate CA, gives web transactions the strength of two factor authentication if you do it on the login page. I use this feature quite a lot for all the admin features my own website does.[…]
TLDR: You can sniff BitLocker keys in the default config, from either a TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code, or with a sufficiently fancy logic analyzer. After sniffing, you can decrypt the drive. Don’t want to be vulnerable to this? Enable additional pre-boot authentication.
Slides from the RISC-V Workshop Taiwan on coreboot status:
The leakage of sensitive information is a fast-growing concern among computer users. Side- and covert channels have particularly gained attention recently due to their potential to reveal sensitive data to untrusted parties. Side channels are information leakage channels where an adversary can decipher a victim’s data by silently monitoring the computing activity via physical effects such as timing, power or electromagnetic analysis. Covert channels, in contrast, work by having a malicious insider, or trojan, who intentionally colludes with the adversary to exfiltrate secrets. Side and covert channels have become major concerns for the computer industry. In early 2018, the Meltdown and Spectre attacks demonstrated that hardware implementation effects in commercial processor hardware enabled new, previously undiscovered side-channel and covert-channel leakage. These attacks highlight the notoriety of information leakage channels, and they stress the immediate need to address the security risks resulting from them.[…]
7 new security advisories from Intel on March 12th:
Intel® Accelerated Storage Manager in RSTe Advisory
Intel® USB 3.0 Creator Utility Advisory
Intel® Software Guard Extensions SDK Advisory
Intel® Matrix Storage Manager Advisory
Intel Firmware 2018.4 QSR Advisory
Intel® Graphics Driver for Windows* 2018.4 QSR Advisory
Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology 2018.4 QSR Advisory
[…]Multiple potential security vulnerabilities in Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology may allow users to potentially escalate privileges, disclose information or cause a denial of service. Intel is releasing Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology updates to mitigate these potential vulnerabilities.[…]
Last year the Journal of Cyber Policy did a survey on firmware security:
Firmware is a cyberattack vector. While public attention focuses on cyberattacks and data breaches conducted over networks with software-borne malware, the risk of malicious code embedded in the firmware of millions of digital devices poses a potentially more serious threat to cybersecurity. This report reviews how security professionals view the firmware threat as well as their impression of the tech industry’s readiness to detect and prevent a firmware-based attack.
#include <stdio.h>
#include <wchar.h>

/* Usage banner printed by xtu.exe (the smart quotes and dash in the
   extracted copy have been restored to plain C string syntax). */
static void usage(void)
{
    wprintf(L"| xtu.exe(XPM-image To UEFI-GOP-Blt-Buffer) v1.0.1 |\n");
    wprintf(L"| --MSI-RD-Krishna,2019.03.11 |\n");
    wprintf(L" xtu.exe -i [file1] -o [file2]\n");
    wprintf(L" -i [file1] //input a xpm image file.\n");
    wprintf(L" -o [file2] //output to another file.\n");
    wprintf(L" -h //show this help.\n");
    wprintf(L" xtu.exe -i image.xpm -o buffer.c //convert image.xpm to buffer.c\n");
}
A powershell script to create a UEFI Boot Disk
I use a Windows 10 ISO file to create a UEFI boot disk.
Including talks such as:
Malware Buried Deep Down the SPI Flash: Sednit’s First UEFI Rootkit Found in the Wild
Straight Outta VMware: Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
BLEEDINGBIT: Your APs Belong to Us
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Rapid7 gave a presentation about IoT Security at RSA, focusing on U-Boot.