Uncategorized

New! Single Make / Model / Revision Firmware Security Report from PreOS Security

We’re both pretty excited to offer a new report. For any single make / model / revision of hardware, we’ll do an in-depth firmware security report. We will lead by posting example reports to this blog, in sections as (tagged!) blog posts, for:

  • Lenovo Carbon X1 6th Generation
  • Dell XPS 13 9370 (Early 2018)
  • Purism Librem 15 v3

Once we’re done, you’ll be able to access the full reports as a pdfs on the corporate site:

https://preossec.com/services/single-variant-firmware-security-report/

We think it is cool enough to include the entire corporate spiel here:

$500 USD.

You ship us a single example of a current, or intended fleet machine – laptop, desktop or server, and we’ll make you a firmware security report for that system. Use this report to inform purchasing decisions, system security positioning, and improve IT procedures such as firmware updates and incident response.

Example reports available September 2018 for Lenovo Carbon X1 6th Generation, Dell XPS 13 9370 (Early 2018) and Purism Librem 15v3.

If it is an Intel x86_64 machine, we will run:

  • CHIPSEC
  • Firmware Test Suite (FWTS)

and include an analysis of the results in the report.

We will run all publicly available firmware and hardware vulnerability tools and check version numbers, for known issues such as:

  • Intel AMT
  • Intel ME
  • AMD PSP
  • Spectre
  • Meltdown
  • Microcode
  • Rowhammer

We’ll include a comprehensive list of firmware on the system, and highlight potential issues such as:

  • Closed source binary blobs
  • Modifiable firmware
    • How it can be modified (eg: desoldering and flashing chips, JTAG, I2C, etc)
    • Compliance with applicable NIST standards
    • Tools, updates and support availability from component manufacturer, and OEM
    • Operational support, such as signed firmware updates via Windows update and Linux Vendor Firmware Service (aka: fwupd).

We will make recommendations if this system should not be used in sensitive areas such as:

  • Critical Infrastructure
  • DOD
  • PCI
  • HIPAA
  • Executives (CEO, CTO, etc)
  • Finance
  • Legal
Standard

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s