Paul again: I’m happy to see that Lenovo has joined the LVFS (aka: fwupd) for Linux! Our firmware security report (https://preossec.com/services/single-variant-firmware-security-report/) on the X1 Carbon 6th generation will reflect this fact. Congratulations to LVFS and Lenovo – sounds like it was a lot of work!
We’re both pretty excited to offer a new report. For any single make / model / revision of hardware, we’ll do an in-depth firmware security report. We will lead by posting example reports to this blog, in sections as (tagged!) blog posts, for:
- Lenovo Carbon X1 6th Generation
- Dell XPS 13 9370 (Early 2018)
- Purism Librem 15 v3
Once we’re done, you’ll be able to access the full reports as a pdfs on the corporate site:
We think it is cool enough to include the entire corporate spiel here:
You ship us a single example of a current, or intended fleet machine – laptop, desktop or server, and we’ll make you a firmware security report for that system. Use this report to inform purchasing decisions, system security positioning, and improve IT procedures such as firmware updates and incident response.
Example reports available September 2018 for Lenovo Carbon X1 6th Generation, Dell XPS 13 9370 (Early 2018) and Purism Librem 15v3.
If it is an Intel x86_64 machine, we will run:
- Firmware Test Suite (FWTS)
and include an analysis of the results in the report.
We will run all publicly available firmware and hardware vulnerability tools and check version numbers, for known issues such as:
- Intel AMT
- Intel ME
- AMD PSP
We’ll include a comprehensive list of firmware on the system, and highlight potential issues such as:
- Closed source binary blobs
- Modifiable firmware
- How it can be modified (eg: desoldering and flashing chips, JTAG, I2C, etc)
- Compliance with applicable NIST standards
- Tools, updates and support availability from component manufacturer, and OEM
- Operational support, such as signed firmware updates via Windows update and Linux Vendor Firmware Service (aka: fwupd).
We will make recommendations if this system should not be used in sensitive areas such as:
- Critical Infrastructure
- Executives (CEO, CTO, etc)
As far as I know, this is the first effort to tidy up and standardize the legalities around bug bounty programs. Security research is already legally fraught, particularly in the US. Bug bounty programs that pay meaningful amounts are clearly a great step, but there have already been multiple instances of security researchers attempting to do the right thing, and being thwarted by the process – more, and standardized legal protection should help.
Are there any bug bounty programs in the firmware and/or hardware domain directly?
Apple has one that covers their (low SKU) product line, but things get complicated when a shipping system has components from so many distinct providers and a manufacturer makes so many SKUs. Seems like the buck should still stop at the integrated system manufacturer – eg: Dell, Lenovo, HP, Supermicro, etc, and at the component manufacturer for components that can be replaced – HDDs, SSDs, discrete PCIe devices.
Paul writing again. Soon you’ll learn to check the byline, or notice that I’m a lot more wordy than Lee (Hucktech).
Duo Security pays more attention than most to platform firmware security, and have done R&D and released open source software in the space. Previously:
Management here – we’ll be at Black Hat USA 2018.. next week. If you’ll be there, be sure and stop by our Arsenal Tools Demo Wednesday, August 8 | 2:30pm-3:50pm, Station #5.
We’ll be around before and after, attending talks and available for meetings. If you think your employer should be doing more platform firmware security, we’d love to talk! Email to set up a meeting: