EfiPy: Python Library for accessing UEFI BIOS internal function by protocol

I just noticed this project, and it’s been around for years, and I’ve been using UEFI and Python for years, sigh. 😦 It appears the developer is Max Wu of Phoenix. There is a blog, in addition to the tool. The blog has also been around for a long time, last post was last month, on UEFI topic not scoped to EfiPy.

EfiPy is a Python Module on UEFI shell which can access UEFI BIOS kernel interface:
– System Table
– Runtime Services
– Boot Services

pAnalyzer package –
Tracing UEFI protocol calling flow
Output protocol flow to screen or file with XML format

CorePy (assembly package) –
Simple Assembly code in Python environment.

EfiPy Shell package –
Simple UEFI shell program coded with the EfiPy library to prove EfiPy workable

EfiPy leverages these open source packages – ctypes, CorePy.

http://efipy.blogspot.com/2019/02/get-ipv4-information-via.html

https://sourceforge.net/projects/efipy/

https://sourceforge.net/projects/efipy/files/

mXtract: Linux-based tool that analyses and dumps memory

mXtract is an open-source Linux-based tool that analyses and dumps memory. It’s developed as an offensive penetration testing tool which can be used to scan memory for private keys, IPs, and passwords using regexes. Remember your results are only as good as your regexes.[…]


https://github.com/rek7/mXtract
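To make the “only as good as your regexes” point concrete, here is an added example (not mXtract’s own code) of the regex-over-raw-bytes approach, run against a constructed stand-in for a memory dump. The buffer, the key material, the “hunter2” credential and the platform names are all made up. It compares a loose IPv4 pattern with a bounded one so you can see how a dotted version string turns into a false positive; the same idea applies to auditing your own process or crash dumps for secrets that should never be resident.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed stand-in for a process memory dump (not a real capture).
# It mixes binary padding with the kinds of strings that leak into RAM:
# an HTTP request with a host address, a credential in a form body, a
# PEM private key, and a dotted "version" string that is NOT an address.
SAMPLE_DUMP = (
    b"\x00\x00GET /login HTTP/1.1\r\nHost: 10.0.0.5\r\n\x00\x00"
    b"password=hunter2\x00\x00\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKconstructed\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"\x00\xff\xfeversion=999.999.999.999\x00"
)

# Loose address regex of the kind often pasted into such tools.
NAIVE_IPV4 = re.compile(rb"\d{1,3}(?:\.\d{1,3}){3}")

# Tighter version: each octet must be 0-255 and the match must sit on
# word boundaries, so "999.999.999.999" no longer counts.
OCTET = rb"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
STRICT_IPV4 = re.compile(rb"\b" + OCTET + rb"(?:\." + OCTET + rb"){3}\b")

PATTERNS: Dict[str, Pattern[bytes]] = {
    "ipv4": STRICT_IPV4,
    # PEM private key block, any key type (RSA, EC, plain "PRIVATE KEY").
    "private_key": re.compile(
        rb"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.DOTALL,
    ),
    # password=..., passwd: ..., pass = ... ; value stops at whitespace, NUL or '&'.
    "password_kv": re.compile(
        rb"\bpass(?:word|wd)?\s*[=:]\s*[^\s\x00&]+", re.IGNORECASE
    ),
}

Finding = Tuple[int, bytes]  # (byte offset in the dump, matched bytes)


def scan(buf: bytes, patterns: Dict[str, Pattern[bytes]] = PATTERNS) -> Dict[str, List[Finding]]:
    """Run every pattern over the raw bytes and collect (offset, match) pairs."""
    return {
        name: [(m.start(), m.group(0)) for m in pat.finditer(buf)]
        for name, pat in patterns.items()
    }


def count_matches(buf: bytes, pattern: Pattern[bytes]) -> int:
    """How many hits a single pattern produces; handy for comparing regex quality."""
    return sum(1 for _ in pattern.finditer(buf))


def report(buf: bytes) -> List[str]:
    """Human-readable lines: category, hex offset, truncated match."""
    lines = []
    for name, hits in scan(buf).items():
        for off, val in hits:
            shown = val if len(val) <= 40 else val[:37] + b"..."
            lines.append(f"{name:12s} @0x{off:08x} {shown.decode('latin-1')!r}")
    return lines


if __name__ == "__main__":
    print(*report(SAMPLE_DUMP), sep="\n")
    print(
        "naive ipv4 hits:", count_matches(SAMPLE_DUMP, NAIVE_IPV4),
        "strict ipv4 hits:", count_matches(SAMPLE_DUMP, STRICT_IPV4),
    )
```

On the constructed buffer the strict address pattern finds only 10.0.0.5, while the naive one also reports the version string; the private key and the password pair are each found once. Offsets are kept so a finding can be traced back to the owning mapping in a real dump.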

HollyGraceful: An Introduction to Hardware Hacking

https://twitter.com/HollyGraceful/status/1107784102353268737

I’m currently writing up a series on hardware hacking fundamentals, and before I get into the specifics – I thought it sensible to add a piece on why hardware security is important and to lay out the major themes of what I’ll be discussing. Firstly, with physical devices, the attackers have more options when it comes to attacking the devices and it should be noted that breaking a specific device might not be the final aim. As an attacker over the internet, I only have exposed network services to “play” with, but if I’m testing a physical device the attack surface can be much wider. With options including network services, radio frequency input/output, on-chip debugging, exposed serial ports, memory extraction, etc, etc.[…]

First post in blog series:
https://www.gracefulsecurity.com/introduction-to-hardware-hacking/

The next 5 posts are available, look in reverse order here:
https://www.gracefulsecurity.com/author/hollygraceful/

Karta – Matching Open Sources in Binaries

“Karta” (Russian for “Map”) is an IDA Python plugin that identifies and matches open-sourced libraries in a given binary. The plugin uses a unique technique that enables it to support huge binaries (>200,000 functions), with almost no impact on the overall performance.

https://research.checkpoint.com/karta-matching-open-sources-in-binaries/

https://github.com/CheckPointSW/Karta

Razer laptops shipped in Intel Manufacturing Mode and have full R/W on the SPI flash

Scary to see Razer deals with platform security!

“After trying for a month to get this dealt with via HackerOne, I’m bringing this public. All current Razer laptops are shipped in Intel Manufacturing Mode, and have full R/W on the SPI flash. This is a direct repeat of CVE-2018-4251. This is still not fixed.”

“Hey! Thanks for mentioning us. Our Systems Team would like to check on this. Could you please tell us more about the challenges with your Razer laptop via DM and we’ll take it there.”

This isn’t just a “challenge” with my Razer laptop, but a security vulnerability in _all_ Razer laptops.

FWTS 19.03.00 released

New Features:
* acpi: madt: Add support for ACPI 6.3
* lib: fwts_acpi_tables: add a new function to check reserved values

See full announcement for list of other bugfixes (mostly ACPI-related).

http://fwts.ubuntu.com/release/fwts-V19.03.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/18.06.00
https://launchpad.net/ubuntu/+source/fwts

https://lists.01.org/pipermail/luv/2019-March/003069.html

LLVM 8.0 released

Some of the updates that caught my eye:

Clang has new options to initialize automatic variables with a pattern. The default is still that automatic variables are uninitialized. This isn’t meant to change the semantics of C and C++. Rather, it’s meant to be a last resort when programmers inadvertently have some undefined behavior in their code. These options aim to make undefined behavior hurt less, which security-minded people will be very happy about.[…]

Clang now has an option, -mspeculative-load-hardening, to enable Speculative Load Hardening.

Clang now supports enabling/disabling speculative load hardening on a per-function basis using the function attribute speculative_load_hardening/no_speculative_load_hardening.

Function attribute speculative_load_hardening has been introduced to LLVM IR to allow indicating that Speculative Load Hardening must be enabled for the function body.

Support for Speculative Load Hardening has been added to AArch64 target.

Support for precise identification of X86 instructions with memory operands, by using debug information. This supports profile-driven cache prefetching. It is enabled with the -x86-discriminate-memops LLVM Flag.

http://releases.llvm.org/8.0.0/docs/ReleaseNotes.html
http://releases.llvm.org/download.html#8.0.0
http://releases.llvm.org/8.0.0/tools/clang/docs/ReleaseNotes.html
http://releases.llvm.org/8.0.0/tools/clang/tools/extra/docs/ReleaseNotes.html
http://releases.llvm.org/8.0.0/tools/lld/docs/ReleaseNotes.html
http://releases.llvm.org/8.0.0/projects/libcxx/docs/ReleaseNotes.html
http://lists.llvm.org/pipermail/llvm-announce/2019-March/000082.html

Talos: U-Boot Verified Boot issues with CUJO

[…]Device-local verified boot bypass (persistence methods): CUJO uses Das U-Boot’s “Verified Boot,” an open-source primary boot loader that aims to protect the boot process from unauthorized modifications, and as a consequence, at avoiding a persistent compromise of the device. Moreover, the first 16MB of CUJO’s eMMC have been permanently write-protected, so that it is not possible, even for the manufacturer, to modify the system’s bootloaders. We identified two vulnerabilities that bypass these protections. We identified an issue in Das U-Boot, affecting versions 2013.07-rc1 to 2014.07-rc2 (inclusive). TALOS-2018-0633 shows that U-Boot FIT images’ signatures are not enforced, since it is still possible to boot from legacy unsigned images. This behavior can be exploited by simply replacing a signed FIT image with a legacy (and thus unsigned) image. CUJO uses the OCTEON SDK, which in turn uses U-Boot version 2013.07, so they are both vulnerable to this issue. Because of this, and since products have no possibility to use the impacted U-Boot versions without avoiding the issue, this CVE has been assigned to U-Boot. As previously stated, since the U-Boot bootloader is unmodifiable, TALOS-2018-0633 cannot be fixed in CUJO. Note, however, that, in isolation, this is less severe of an issue. See our discussion below for more details. TALOS-2018-0634 describes an additional way to bypass the secure boot process. By modifying the `dhcpd.conf` file, it is possible to make the DHCP server execute shell commands. Since this file persists across reboots, it is possible to execute arbitrary commands as root at each boot, effectively compromising the system’s integrity.[…]

https://blog.talosintelligence.com/2019/03/vuln-spotlight-cujo.html

https://www.talosintelligence.com/reports/TALOS-2018-0633/
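The TALOS-2018-0633 issue is a fail-open policy: the signature check exists only on the FIT path, and the legacy uImage loader has no signature to check, so a verified-boot configuration still boots whatever legacy image it is handed. The following added example (not U-Boot or CUJO code) models that policy beside a fail-closed one. The two header magics are the real uImage and FDT/FIT values; everything else is a toy: the “signature” is an HMAC-SHA256 under a constructed key standing in for U-Boot’s RSA verification, the image layout is magic || signature || payload, and the payload bytes are made up.

```python
import hashlib
import hmac

# Real header magics: legacy uImage, and the FDT container used by FIT images.
LEGACY_UIMAGE_MAGIC = b"\x27\x05\x19\x56"
FIT_MAGIC = b"\xd0\x0d\xfe\xed"
SIG_LEN = 32

# Constructed stand-in for the platform's signing key. U-Boot verifies an RSA
# signature against a public key in the control FDT; HMAC-SHA256 is used here
# only so the model stays self-contained.
PLATFORM_KEY = b"constructed-platform-key"


def make_fit(body: bytes, key: bytes = PLATFORM_KEY) -> bytes:
    """Toy 'FIT' image: magic || signature over payload || payload."""
    return FIT_MAGIC + hmac.new(key, body, hashlib.sha256).digest() + body


def make_legacy(body: bytes) -> bytes:
    """Toy legacy uImage: magic || payload. The format has no signature field."""
    return LEGACY_UIMAGE_MAGIC + body


def fit_signature_valid(image: bytes, key: bytes = PLATFORM_KEY) -> bool:
    """Recompute the tag over the payload and compare in constant time."""
    sig, body = image[4:4 + SIG_LEN], image[4 + SIG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def boot_decision_affected(image: bytes, key: bytes = PLATFORM_KEY) -> str:
    """Fail-open policy as in the affected versions: only the FIT path verifies."""
    if image.startswith(FIT_MAGIC):
        return "boot" if fit_signature_valid(image, key) else "reject"
    if image.startswith(LEGACY_UIMAGE_MAGIC):
        # Legacy loader: nothing to verify, so nothing is verified.
        return "boot"
    return "reject"


def boot_decision_enforced(image: bytes, key: bytes = PLATFORM_KEY,
                           require_signature: bool = True) -> str:
    """Fail-closed policy: when signatures are required, only a verified FIT boots."""
    if image.startswith(FIT_MAGIC):
        return "boot" if fit_signature_valid(image, key) else "reject"
    if image.startswith(LEGACY_UIMAGE_MAGIC) and not require_signature:
        # Legacy images are acceptable only when verified boot is not configured.
        return "boot"
    return "reject"


if __name__ == "__main__":
    payload = b"constructed kernel+dtb payload"
    for label, img in (("signed FIT", make_fit(payload)),
                       ("legacy uImage", make_legacy(payload))):
        print(f"{label:14s} affected={boot_decision_affected(img):6s} "
              f"enforced={boot_decision_enforced(img)}")
```

The important line is the unconditional "boot" in the legacy branch of boot_decision_affected: the decision to require a signature has to be made before the image format is dispatched on, otherwise every format without a signature field is an unverified path. That is the shape of U-Boot’s own remedy in later versions, where enabling FIT signature verification disables the legacy image format unless it is explicitly re-enabled.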

hardwear.io Call for Workshops & Villages – USA 2019

Hardwear.io has been based in Europe (the Netherlands) since its start in 2015. But this year it will be held not only in the Netherlands, but ALSO in Berlin and Santa Clara! The CfP is open for Santa Clara and the Netherlands.

https://www.hardwear.io/

PS: Hardwear organizers:
Please consider submitting your events to https://www.cfptime.org/


SSTIC 2019 program announced

Many interesting presentations at this event!

Side-Channel assessment of Open Source Hardware Wallets
Side-Channel Attack on Mobile Firmware Encryption
LEIA: the Lab Embedded ISO7816 Analyzer, a Custom Smartcard Reader for the ChipWhisperer
iDRACKAR, integrated Dell Remote Access Controller’s Kind Approach to the RAM
WEN ETA JB? A 2 million dollars problem
Everybody be cool, this is a robbery!
IDArling, the first dating platform for reversers
Journey to a RTE-free X.509 parser
DLL shell game and other misdirections
Mirage: an offensive framework for auditing Bluetooth Low Energy
GUSTAVE: Fuzz It Like It’s App
Dissecting the VMware hypervisor
Electromagnetic watermarking of drones
Challenge results and solution
Russian Style (Lack of) Randomness
Quantum is fantastic!
Ethereum: hunting vulnerable smart contracts
Security analysis of a hardware wallet on a smartphone
V2G Injector: Whispering to cars and charging units through the Power-Line
Access point firmware analysis, reverse engineering and privilege escalation
Under the DOM: browser instrumentation for JavaScript code analysis
SourceFu, using partial interpretation for source “deobfuscation”

https://www.sstic.org/2019/programme/

IPMI Promoters: No further updates to the spec are planned

A Joint Message from the IPMI Promoters (Dell, Hewlett Packard Enterprise, NEC, Intel Corporation):

No further updates to the IPMI specification are planned or should be expected. The IPMI promoters encourage equipment vendors and IT managers to consider a more modern systems management interface which can provide better security, scalability and features for existing datacenters and be supported on the requisite platforms and devices. DMTF’s Redfish standard (from dmtf.org/redfish) is an example of one such interface.
Note: the above statement applies only to the IPMI Specification, and should have no impact on existing IPMI implementations.

https://www.intel.com/content/www/us/en/servers/ipmi/ipmi-home.html

Using TPM Based Client Certificates on Firefox and Apache

One of the useful features of Apache (or indeed any competent web server) is the ability to use client side certificates. All this means is that a certificate from each end of the TLS transaction is verified: the browser verifies the website certificate, but the website requires the client also to present one and verifies it. Using client certificates, when linked to your own client certificate CA gives web transactions the strength of two factor authentication if you do it on the login page. I use this feature quite a lot for all the admin features my own website does.[…]


LPC_sniffer_TPM: Extract BitLocker keys from a TPM

TLDR: You can sniff BitLocker keys in the default config, from either a TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code, or with a sufficiently fancy logic analyzer. After sniffing, you can decrypt the drive. Don’t want to be vulnerable to this? Enable additional pre-boot authentication.

https://pulsesecurity.co.nz/articles/TPM-sniffing

https://github.com/denandz/lpc_sniffer_tpm