We’re both pretty excited to offer a new report. For any single make / model / revision of hardware, we’ll do an in-depth firmware security report. We will lead by posting example reports to this blog, in sections as (tagged!) blog posts, for:
- Lenovo Carbon X1 6th Generation
- Dell XPS 13 9370 (Early 2018)
- Purism Librem 15 v3
Once we’re done, you’ll be able to access the full reports as a pdfs on the corporate site:
https://preossec.com/services/single-variant-firmware-security-report/
We think it is cool enough to include the entire corporate spiel here:
$500 USD.
You ship us a single example of a current, or intended fleet machine – laptop, desktop or server, and we’ll make you a firmware security report for that system. Use this report to inform purchasing decisions, system security positioning, and improve IT procedures such as firmware updates and incident response.
Example reports available September 2018 for Lenovo Carbon X1 6th Generation, Dell XPS 13 9370 (Early 2018) and Purism Librem 15v3.
If it is an Intel x86_64 machine, we will run:
- CHIPSEC
- Firmware Test Suite (FWTS)
and include an analysis of the results in the report.
We will run all publicly available firmware and hardware vulnerability tools and check version numbers, for known issues such as:
- Intel AMT
- Intel ME
- AMD PSP
- Spectre
- Meltdown
- Microcode
- Rowhammer
We’ll include a comprehensive list of firmware on the system, and highlight potential issues such as:
- Closed source binary blobs
- Modifiable firmware
- How it can be modified (eg: desoldering and flashing chips, JTAG, I2C, etc)
- Compliance with applicable NIST standards
- Tools, updates and support availability from component manufacturer, and OEM
- Operational support, such as signed firmware updates via Windows update and Linux Vendor Firmware Service (aka: fwupd).
We will make recommendations if this system should not be used in sensitive areas such as:
- Critical Infrastructure
- DOD
- PCI
- HIPAA
- Executives (CEO, CTO, etc)
- Finance
- Legal