Eclypsium: Remotely Attacking System Firmware

At Black Hat, Eclypsium gave a great talk with an overview of platform firmware security threats, focusing on network-based attacks, including poorly tested OEM firmware update implementations.

Black Hat 2018: Update Mechanisms Allow Remote Attacks on UEFI Firmware

https://www.blackhat.com/us-18/briefings/schedule/index.html#remotely-attacking-system-firmware-11588

MicroPython for UEFI and Intel MicroPython-based UEFI test framework released

Re: https://firmwaresecurity.com/2018/03/20/intel-implementing-micropython-as-a-uefi-test-framework/

MicroPython for UEFI systems is available, see Brian’s edk2-devel list posting and the Tianocore wiki for more details:

https://lists.01.org/pipermail/edk2-devel/2018-August/028339.html

https://github.com/tianocore/edk2-staging/tree/MicroPythonTestFramework

https://github.com/tianocore/edk2-staging/tree/MicroPythonTestFramework/MicroPythonPkg

https://github.com/tianocore/edk2-staging/tree/MicroPythonTestFramework/MpyTestFrameworkPkg

https://micropython.org/

Free Software Foundation certifies 2 new devices for ‘Respect Your Freedom’ program

Actually, these two devices were certified back in May; the recent FSF RYF program activity is a status update:

Re: ChipFlasher: https://firmwaresecurity.com/2018/05/30/zerocat-chipflasher/

https://www.fsf.org/blogs/licensing/respects-your-freedom-certification-program-continues-to-grow

https://www.fsf.org/resources/hw/endorsement/respects-your-freedom

http://www.zerocat.org/shop-en.html

https://minifree.org/product/libreboot-x200-tablet/

Regarding XDA’s stance on Huawei’s decision to stop bootloader unlocking

Back in April, Huawei’s form to request a bootloader unlock code mysteriously disappeared. Late May, the form returned but with a warning that the service would no longer work after 60 days. As promised, Huawei’s form is no longer available, meaning it’s no longer possible to unlock the bootloader of Huawei or Honor devices. This has obviously been disappointing to many users on our forums, but it’s been especially disappointing for us, the XDA Portal team. Some have wondered when we would be addressing the elephant in the room – that is, Honor’s sponsorship agreements with XDA – in light of this recent news. Here’s where we stand.[…]

https://www.xda-developers.com/xda-huawei-decision-stop-bootloader-unlocking/

VivienneVMM: a stealthy debugging framework implemented via an Intel VT-x hypervisor

VivienneVMM is a stealthy debugging framework implemented via an Intel VT-x hypervisor. The driver exposes a hardware breakpoint control interface which allows a user mode client to set and clear breakpoints. These breakpoints are invisible to the guest.

https://github.com/changeofpace/VivienneVMM

BlueHat v18: First STRONTIUM UEFI Rootkit Unveiled

https://blogs.technet.microsoft.com/bluehat/2018/08/02/announcing-the-bluehat-v18-schedule/

New! Single Make / Model / Revision Firmware Security Report from PreOS Security

We’re both pretty excited to offer a new report. For any single make / model / revision of hardware, we’ll do an in-depth firmware security report. We will lead by posting example reports to this blog, in sections as (tagged!) blog posts, for:

  • Lenovo Carbon X1 6th Generation
  • Dell XPS 13 9370 (Early 2018)
  • Purism Librem 15 v3

Once we’re done, you’ll be able to access the full reports as PDFs on the corporate site:

https://preossec.com/services/single-variant-firmware-security-report/

We think it is cool enough to include the entire corporate spiel here:

$500 USD.

You ship us a single example of a current, or intended fleet machine – laptop, desktop or server, and we’ll make you a firmware security report for that system. Use this report to inform purchasing decisions, system security positioning, and improve IT procedures such as firmware updates and incident response.

Example reports available September 2018 for Lenovo Carbon X1 6th Generation, Dell XPS 13 9370 (Early 2018) and Purism Librem 15v3.

If it is an Intel x86_64 machine, we will run:

  • CHIPSEC
  • Firmware Test Suite (FWTS)

and include an analysis of the results in the report.

We will run all publicly available firmware and hardware vulnerability tools and check version numbers, for known issues such as:

  • Intel AMT
  • Intel ME
  • AMD PSP
  • Spectre
  • Meltdown
  • Microcode
  • Rowhammer

We’ll include a comprehensive list of firmware on the system, and highlight potential issues such as:

  • Closed source binary blobs
  • Modifiable firmware
    • How it can be modified (e.g. desoldering and flashing chips, JTAG, I2C, etc.)
    • Compliance with applicable NIST standards
    • Tools, updates and support availability from component manufacturer, and OEM
    • Operational support, such as signed firmware updates via Windows Update and the Linux Vendor Firmware Service (a.k.a. fwupd).

We will make a recommendation if this system should not be used in sensitive areas such as:

  • Critical Infrastructure
  • DOD
  • PCI
  • HIPAA
  • Executives (CEO, CTO, etc)
  • Finance
  • Legal

FBI: Cyber Actors Use IoT Devices as Proxies for Malicious Cyber Activities

Reboot your IoT Devices regularly!

https://www.ic3.gov/media/2018/180802.aspx

https://www.ic3.gov/media/2017/171017-1.aspx

“Reboot devices regularly, as most malware is stored in memory and removed upon a device reboot. It is important to do this regularly as many actors compete for the same pool of devices and use automated scripts to identify vulnerabilities and infect devices.”

https://www.us-cert.gov/ncas/tips/ST17-001

https://www.us-cert.gov/ncas/current-activity/2018/08/02/FBI-Releases-Article-Securing-Internet-Things

CVE-2018-3968: Cisco using outdated U-boot in Cujo

Let’s hope Cisco Talos will let MITRE/NVD know about the details soon. No info on the Talos or Cisco security sites, nor even on *Twitter*!, AFAICT. 🙂

https://lists.denx.de/pipermail/u-boot/2018-August/336973.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3968

——– Forwarded Message ——–
Subject: [U-Boot] Talos Security Advisory (TALOS-2018-0633/CVE-2018-3968 )
Date: Thu, 2 Aug 2018 18:52:03 +0000

Hello,

Cisco Talos team discovered a security issue impacting Cujo product using an outdated version of U-boot. We’ve assigned a CVE for this issue (CVE-2018-3968) and have attached a copy of the security advisory provided to Cujo.

Disclose.io Legal Framework for Security Researchers

Paul again.

As far as I know, this is the first effort to tidy up and standardize the legalities around bug bounty programs. Security research is already legally fraught, particularly in the US. Bug bounty programs that pay meaningful amounts are clearly a great step, but there have already been multiple instances of security researchers attempting to do the right thing and being thwarted by the process – more, and standardized, legal protection should help.

https://arstechnica.com/information-technology/2018/08/new-open-source-effort-legal-code-to-make-reporting-security-bugs-safer/

Are there any bug bounty programs in the firmware and/or hardware domain directly?

Apple has one that covers their (low SKU) product line, but things get complicated when a shipping system has components from so many distinct providers and a manufacturer makes so many SKUs. Seems like the buck should still stop at the integrated system manufacturer – e.g. Dell, Lenovo, HP, Supermicro, etc. – and at the component manufacturer for components that can be replaced – HDDs, SSDs, discrete PCIe devices.

Duo Security purchased by CISCO

Paul writing again. Soon you’ll learn to check the byline, or notice that I’m a lot more wordy than Lee (Hucktech).

https://www.cnbc.com/2018/08/02/cisco-buys-security-start-up.html

Duo Security pays more attention than most to platform firmware security, and has done R&D and released open source software in the space. Previously:

Duo Labs releases: IDAPython, Cortex M Firmware and Amnesia modules

Duo on Apple firmware security (and new EFIgy release)

Notably, EFIgy:

https://github.com/duo-labs/EFIgy/

Blog has second poster: Paul English of PreOS Security

So far, this blog has been my daily education, writing down URLs of things I learn that day. A few people also feed me interesting URLs. Paul English, co-founder of PreOS Security[1], has been giving me more and more links, so I’ve asked him to deal with them, instead of asking me to do posts on those URLs. 🙂

This is Paul’s first post:

Meet Us At Black Hat USA 2018

He’s also trying to help fix the WordPress-based site to be more usable. It looks like the font has already changed.

[1] https://preossec.com/

Back Doors for Cross-Signed Windows Drivers

https://twitter.com/geoffchappell/status/1024757182687010818

Four undocumented registry values vary the default validation of signatures on kernel-mode code such that Windows 10 may allow cross-signed drivers when it is otherwise documented as requiring Microsoft-signed drivers. This may be welcome for running your own drivers on your own computers without having to send them to Microsoft. Or it may be an unwelcome exposure to software that would install drivers by surprise, including to let malware elevate from administrative access to kernel-mode execution. Setting these values requires administrative access. Their action is subject to System Integrity policy, which provides the best defence.[…]

http://www.geoffchappell.com/notes/security/whqlsettings/
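A defender-side check to go with the note above (an added example, not from Geoff Chappell's notes): this PowerShell inventories the currently running kernel drivers and lists those whose Authenticode signer is not a Microsoft certificate, i.e. the drivers that must have entered through a cross-signing path rather than WHQL or attestation signing. It assumes Windows 10 with PowerShell 5.1 or later and that `Win32_SystemDriver` paths resolve under `$env:SystemRoot`.

```powershell
# Added example: list running kernel drivers by Authenticode signer.
# Anything not signed by a Microsoft certificate (WHQL / attestation signing)
# got in via a cross-signed chain or no chain at all and deserves review,
# as does any driver whose signature Status is not 'Valid'.
# Assumes Windows 10, PowerShell 5.1+; reading the driver images needs no elevation.

function Get-NonMicrosoftSignedDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Win32_SystemDriver reports NT-style paths; normalise them to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Checks embedded and catalog signatures alike on Windows 8 and later.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }
}

# Usage: every row printed is a driver Windows loaded without a Microsoft signature.
Get-NonMicrosoftSignedDrivers | Sort-Object Name | Format-Table -AutoSize
```

To confirm that the System Integrity policy the note calls the best defence is actually enforcing, `(Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard).SecurityServicesRunning` includes the value 2 when hypervisor-enforced code integrity is running.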

Meet Us At Black Hat USA 2018

Management here – we’ll be at Black Hat USA 2018 next week. If you’ll be there, be sure to stop by our Arsenal Tools Demo, Wednesday, August 8, 2:30pm-3:50pm, Station #5.

https://www.blackhat.com/us-18/arsenal/schedule/index.html#firmware-audit-platform-firmware-security-automation-for-blue-teams-and-dfir-11359

We’ll be around before and after, attending talks and available for meetings. If you think your employer should be doing more platform firmware security, we’d love to talk! Email to set up a meeting:

blackhatusa2018@preossec.com