“Idea: you send us secure boot pubkey hashes, we fuse them on your ordered USB armory, from that moment to your door nobody else can use it.”
We need OEMs that build machines like this, and the Stateless Laptop of Invisible Things Lab.
Category: Uncategorized
Exploiting D-Link webcams
Vectra Labs has a blog post on how easy it is to attack U-Boot-based D-Link webcams, using simple tools like BusPirate, FlashROM, and BinView. I wonder if the U-Boot in question was using U-Boot Verified Boot or not? At a higher level, this blog seems to be a good example of how insecure the current generation of IoT devices are, and how much (or little) you should rely on such devices.
[…] Conclusion
So does all this mean that D-Link’s web camera has a major security issue? Not necessarily – we get what we pay for, and asking a vendor who sells a webcam on Amazon for $30 to provide safe firmware update features which would require a TPM or a specialized chip to verify the content and signature of a software update is not very realistic. Rather the point of this demonstration is to highlight the real impact that IoT devices pose to the attack surface of a network. As we’ve shown, the barriers to hacking these devices are relatively low, and even the most basic devices can provide the plumbing for a persistent command-and-control channel. While these devices are low-value in terms of hard costs, they still matter to the security of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior.
*Vectra disclosed the issue to D-LInk in early December 2015. As of January 7, 2016, the company has not provided a fix.
Full post:
http://blog.vectranetworks.com/blog/turning-a-webcam-into-a-backdoor
https://www.grahamcluley.com/2016/01/easy-convert-cheap-webcam-network-backdoor/
http://www.techworm.net/2016/01/heres-how-a-cheap-webcam-can-be-converted-into-network-backdoor.html
Samsung ADBI
https://twitter.com/msolnik/status/695312632769679360
From the github readme:
Android Dynamic Binary Instrumentation (ADBI) tool for tracing Android native layer. ASBI is a tool for dynamically tracing Android native layer. Using this tool you can insert tracepoints (and a set of corresponding handlers) dynamically into the process address space of a running Android system. When the tracepoint is hit your custom handler (which can be written in C) is executed. You can deliver your own code through the handlers. It is possible to access process variables and memory. Host side tool written in Python communicates with the native adbiserver process (which resembles the gdb-server in its operation) and translates source level symbols into addresses within the final binaries. As of authors knowledge this is a first such tool for ARM (including ARM64) architecture. ADBI tool was developed in Samsung Poland R&D Center located in Warsaw, Poland as a research project for new development tools and process improvement.
Sample features:
* Generates function trace from Android native user space
* Allows for dynamically driven trace configuration
* Can measure time between instructions for profiling
* Injects custom code into running process
* Can modify and reimplement running native applications
Benefits:
* No recompilation of debugging application is needed
* Can see what exactly happens in Android native layer
* Finding problem areas, tracking down strange bugs more manageable
* Better system knowledge, faster product delivery
https://github.com/samsung/adbi
See also the original ADBI:
https://github.com/crmulliner/adbi
http://www.mulliner.org/android/
http://www.frida.re/
coreboot update
The coreboot project does regular blog posts on their project status, which is very nice. (By comparison, the UEFI Forum doesn’t do any such status updates of their Tianocore EDK-II codebase. Neither does the U-Boot project, AFAICT. For all 3, you can track their source tree, and for UEFI you can track their occasional spec updates. But coreboot’s status updates make it a lot easier to see what is happening with the project, without reading source deltas and sifting through threads of checkin emails.)
Last week, coreboot just released version 4.3. The current blog post mentions that version 4.4 is expected towards the end of April. In the last week, they had 30 authors — including 8 new authors! — with 131 commits. A brief excerpt from their blog post, on board support changes during last week:
“We had significant updates to a number of mainboards and the related chipsets in the past week as well. Intel had a large number of changes for their Braswell SoC and its reference board, Strago, merged this week. These included fixes for GPIOs, clocks, SD cards, and thermal support, as well as FSP integration updates. The Asus kgpe-d16 mainboard, along with the AMD Fam10h-Fam15h processor directory and the SB700 soutbridge had numerous patches to improve stability, fix IRQ routing and APIC identification, and improve ACPI. The winbond w83667hg-a was added to the coreboot codebase for the board as well. The Intel d510mo board had some improvements related to native graphics initialization, GPIOs and ACPI. The gigabyte ga-g41m-es2l and the Intel x4x northbridge code had some general cleanup and improvements to cbmem and memory initialization. We also saw the introduction of the initial framework for the new Intel Apollo Lake SoC. We’ll be seeing many more patches related to Apollo Lake in the coming weeks. Other changes of note included code to initialize the PS/2 aux port, a way to access memory address 0 without GCC “optimizing” it into a crash, and the addition of some documentation from Intel about developing new FSP based boards and chipsets. Finally, the Intel sklrvp Skylake reference board was dropped in favor of using the kunimitsu board.”
Full post:
FMK QEMU firmware analysis video tutorial
Daniel Miessler points out that Craig Smith has a video tutorial on firmware analysis of QEMU-based systems and FMK.
https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/
This is episode 12.1, I missed the earlier ones, and it appears there are other firmware-related episodes to catch up on.
Matthew speaking on TPM security
[Update: URL to video:
]
Matthew Garrett of CoreOS is speaking on TPM security at LinuxConf.AU today!
If you are not attending, we can hope that they make video available shortly. 🙂
Troublesome Privacy Measures: using TPMs to protect users
Trusted Platform Modules (or TPMs) are small cryptographic chips frequently found integrated in mobile devices. When they first appeared in the early 2000s we were worried that they’d be used to restrict what users could do with their computers. For a variety of reasons, that didn’t happen, and since then TPMs have mostly sat unused. But now we face a new era, one where threats to user freedom are of a more chilling nature. Modern malware is capable of attacking lower levels of a system, making it difficult for a user to determine whether their computer can be trusted to behave in their best interests. New threats require new countermeasures, and TPMs may be part of the solution. This presentation will cover the use of TPMs as part of a boot security process that makes it easier for users to verify that their system hasn’t been compromised. It will explain what TPMs actually are, what they can be realistically used for and how the devices that we once feared for their impact on user freedom may be one of the best ways we currently have to defend it.
http://linux.conf.au/schedule/30202/view_talk?day=friday
https://linux.conf.au/wiki/Main_Page
http://linux.conf.au/
Hex-Rays Decompiler plugin for IDA, updated for OS X
If you use IDA, check out the Hex-Rays Decompiler plugin is very powerful, and now available for Mac OS X users.
http://www.surrendercontrol.com/2016/02/more-ida-pro-plugins-for-os-x.html
https://github.com/REhints/HexRaysCodeXplorer/tree/master/bin/v2.0%20%5BBlackHat%20Edition%5D/IDA%20v6.8/Mac
The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware.
It has multiple experienced contributors:
Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)
Dell adds UEFI ‘auto-remediate’ boot security tool
From Vincent Zimmer’s twitter feed, Dell is taking action regarding firmware boot security in some of their new devices:
Exerpting from the Network World story by Agam Shah:
[…] As a hacked UEFI is hard to to fix, Dell’s new security tool offers an alternative method. At boot, the tool verifies a UEFI snapshot with an identical copy in the cloud and can notify a user or system administrator of any inconsistency. A copy of the UEFI can then be reloaded on the computer to fix the problem. That’s just a start. The company is working on a feature in which hacked UEFI can “auto-remediate” itself, said David Konetski, executive director in the Client Solutions Office of the CTO at Dell. He did not share when that feature would be in PCs. […]
Ted Reed of Facebook has a different opinion on Dell’s tactics:
IMO the wrong approach, just use a verified boot or invest dev resources into an attestation, but need more deets
https://t.co/0xC2sfnU6W
— Teddy Reed (@teddyreedv) February 4, 2016
This is today’s big news on UEFI, bumping the last few days of Apple/LegbaCore:
http://www.businesswire.com/news/home/20160204005352/en/Dell-Secure-PCs-Industry-Secure-BIOS-Verification
http://www.networkworld.com/article/3029615/dell-is-stepping-in-to-protect-the-boot-layer-of-pcs-tablets.html
http://www.anandtech.com/show/10010/dell-to-add-offhost-bios-verification-to-endpoint-security-suite-enterprise
http://www.computerworld.com/article/3029981/security/dell-will-protect-the-boot-layer-of-pcs-tablets.html
http://www.infoworld.com/article/3029646/security/dell-is-stepping-in-to-protect-the-boot-layer-of-pcs-tablets.html
http://www.pcworld.com/article/3029620/security/dell-is-stepping-in-to-protect-the-boot-layer-of-pcs-tablets.html
AMD announces HSAIL GDB and GPU Debug SDK
https://twitter.com/AMDDevCentral/status/694917557195825152
Budi Purnomo of AMD posted a message on the GPUopen.com site, about AMD’s GPUOpen initiative, including HSAIL GDB and a related AMD GPU Debug SDK for it. These both sound very interesting, thanks AMD!
Today as part of AMD’s GPUOpen initiative, we are happy to announce the release of HSAIL GDB version 1.0 (prebuilt binary and source code). This is AMD’s first debugger product that is built based on the new GCN debugger core technology. HSAIL GDB marks our first step toward building a rich debugging ecosystem for HSA and HCC. Using HSAIL GDB, you can debug the execution of host CPU code and GPU agent kernel code (at the HSAIL language level) in a single debug session. HSA applications, including HCC and HIP, are supported on AMD APU platforms. To learn more about the capability of HSAIL GDB, I encourage you to read through the HSAIL GDB tutorial. In addition, we also released a new AMD GPU Debug SDK (pre-built binary and source code). This AMD GPU Debug SDK enables tool vendors to build their own rich GPU debugging ecosystem for AMD platforms based on the same GCN debugger core technology introduced within HSAIL GDB. The hardware based implementation provided in the GCN debugger core technology is a vast improvement over the previous debugger implementation provided in the AMD CodeXL OpenCL™ debugger which relies on repeated kernel recompilation and replay. Using the GCN debugger technology, we are able to stop all the massively parallel threads in the GPU at a breakpoint, inspect the machine state by reading registers and memory, and then resume and execute all the GPU threads. The instruction pointer at the ISA level can be correlated with the HSAIL line. This project is the result of much hard work from the hardware and software teams within AMD over the past several years requiring much innovation in the hardware, firmware, kernel mode driver, user mode driver, runtime, compiler and the tools domain. […]
Full announcement:
http://gpuopen.com/hsail-gdb-hsail-level-debugger-with-amd-gcn-debug-technology/?sf20229050=1
https://github.com/HSAFoundation/HSA-Debugger-AMD/
I know nothing about firmware for GPUs, a lot to learn on this topic… 😦
Microsoft releases EMET 5.5
If you use Windows, you should probably check out EMET:
https://twitter.com/MattT_Cyber/status/694920707474530304
As Wikipedia describes: Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is a freeware security toolkit for Microsoft Windows . It provides a unified interface to enable and fine-tune Windows security features. It can be used as an extra layer of defence against malware attacks, after the firewall and before antivirus software.
http://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-experience-toolkit-emet-version-5-5-is-now-available.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=50766&WT.mc_id=rss_windows_allproducts
https://en.wikipedia.org/wiki/Enhanced_Mitigation_Experience_Toolkit
Bunnie’s new book: The Essential Guide to Electronics in Shenzhen
Bunnie has a new book out, available via Crowdsupply, called “The Essential Guide to Electronics in Shenzhen“:
“A sourcing tool designed to help non-Mandarin speakers navigate the Hua Qiang electronics market. Going to Shenzhen, China is a massive enabler for Makers, hackers, and entrepreneurs alike. The Essential Guide to Electronics in Shenzhen is the book I wish I had when I first stepped foot into China a decade ago. I started visiting the Shenzhen electronic markets about 10 years ago. There, I learned about supply chains and how to mass-produce hardware. Over the years, I’ve blogged about my experiences in Shenzhen: ‘MLTalk with Joi Ito, Nadya Peek and Me’ and ‘Products over Patents’, and given tours of the markets to parties ranging from graduate students at the MIT Media Lab, to VCs and executives. I’ve spent a lot of time on the ground in Shenzhen figuring out how to build my (often quirky) pet projects, ranging from my own version of a Shanzhai phone to a bespoke ARM-based laptop, to interactive conference badges that encourage participants to breed unique light patterns through virtual sexual reproduction. With your help, we can add to that list a book that will help readers transform their own dreams into products. ” […]
https://www.crowdsupply.com/sutajio-kosagi/the-essential-guide-to-electronics-in-shenzhen
Protecting Linux from systemd’s EFI attack
Peter Jones of Red Hat has submitted a patch to the Linux-EFI mailing list, which helps with the recent systemd attack against Linux’s EFI. Patchset email excerpted below:
Preventing “rm -rf /sys/firmware/efi/efivars/” from damage
Here’s a patchset to make all the variables in efivarfs that aren’t well known to be reasonably safe to delete be immutable by default. This should alleviate the danger of somebody accidentally using “rm” to remove some proprietary file that turns out to be important to the platform, which for some reason it also can’t regenerate during POST. In all cases this is just preventing the user from accidentally triggering a major security problem with their underlying firmware, but stopping accidents isn’t a bad thing. These firmwares still need CVEs and updates to fix them. Maybe using ESRT and fwupd 🙂
For more information, see the linux-efi mailing list archives.
Tianocore transitioned to Github
Jordan Justen of Intel announced the transition of the Tianocore EDK2 project from Sourceforge to Github. Transition began Friday February 2nd and is apparently now complete. It is a big deal when a large codebase moved to another version control system… excerpting Jordan’s status message:
And, for months, quite a few people at Intel have been working behind the scenes to get everything ready for the transition. Thanks!
Merry EDK II Git Day!
More information:
https://github.com/tianocore/tianocore.github.io/wiki/Transition-to-GitHub
https://lists.01.org/mailman/listinfo/edk2-devel
Note there is also an #edk2 channel on OTFC, http://www.oftc.net/
Apple acquires Legbacore — in the news again!
Back in November, Apple hired Legbacore’s hardware/firmware experts to help secure Apple hardware.
Ok, that was months ago. But for the last week, the above URL re-appeared on this blog’s stats as the most visited URL. Then, a few days later, there’s now a slew of stories on this, like it just happened today. Today, this is the top store on Google News for UEFI. Strange, how tech news works.
http://appleinsider.com/articles/16/02/02/apple-hires-firmware-security-experts-who-worked-on-thunderstrike-2-exploit
http://www.macrumors.com/2016/02/02/apple-acquired-legbacore/
http://thenextweb.com/apple/2016/02/03/apple-acquired-the-security-company-that-found-bugs-in-mac-firmware/
http://timesofindia.indiatimes.com/tech/tech-news/Apple-acquired-the-company-that-exposed-flaws-in-its-firmware/articleshow/50837174.cms
http://www.businessinsider.com/apple-hired-the-hackers-who-created-the-first-mac-firmware-virus-2016-2
http://www.engadget.com/2016/02/03/apple-legbacore-thunderstrike-acquisition/
http://www.patentlyapple.com/patently-apple/2016/02/apple-acquired-legbacore-to-advance-security-for-macs.html
http://gadgets.ndtv.com/laptops/news/apple-buys-security-firm-legbacore-that-exposed-vulnerabilities-in-os-x-797979
http://www.bidnessetc.com/62638-apple-inc-acquires-mac-virus-detector-legbacore/
I am eagerly awaiting to see the results of their work, I hope future macs have a “Legbacore”-ready logo on it, or something so I know it’s better than the older hardware. 🙂
Nokia announces NetGuard, IoT security tool
Excerpting press release:
Espoo, Finland – Nokia has launched the NetGuard Security Management Center, bolstering its security solution family at a time when threats linked to an ever-connected world are on the rise. NetGuard Security Management Center is a consolidated, easy-to-use software platform that lets an operator monitor and control all the multi-vendor security systems deployed across its telecommunications network. Combining the monitoring and configuration of different systems in one place enhances security because incidents can be analyzed and correlated centrally to protect against threats that could otherwise go undetected by isolated security systems. As well as the quick and easy detection and prevention of attacks, NetGuard Security Management Center also increases operational efficiency and lowers the total cost of security for operators through automated and consistent mass configuration of security policies, bulk firmware upgrades and verification of vendor-specific security hardening settings. Security Management Center at a glance:
* Security Management Center integrates all network security systems, regardless of vendor, to monitor security status and manage incidents, vulnerabilities, security policies and network access.
* The solution watches for threats in networks by proactively detecting security weaknesses and correlating them according to its internal database.
* Security analytics are then applied by a rules-based, configurable decision-making engine that triggers automatic corrective action or helps operators implement a manual response.
* The system optimizes the configuration of security parameters and thus reduces the risk of network infrastructure attacks.
* Unlike vertical solutions dedicated to protecting network elements, Security Management Center offers a comprehensive view of the whole network, correlating events coming from typically isolated layers such as radio access, transport, core and operations to detect and mitigate a wider range of threats.
[…]
Full press release:
http://company.nokia.com/en/news/press-releases/2016/02/02/nokia-launches-first-all-in-one-centralized-security-configuration-monitoring-and-analysis-system-for-operators-mwc16
Hardware security at Security B-Sides Seattle
This month is B-Sides Seattle, and there are 3 hardware workshops (Attacking USB, JTAG, and Arduino) one by Joe (SecurelyFitz) and two by Matt (CryptoMonkey):
http://www.securitybsides.com/w/page/103147483/BsidesSeattle2015
https://www.eventbrite.com/e/bsides-seattle-2016-tickets-19822367234
I think I heard Matt say this was the last time he was offering this Attacking USB training…
Note that Joe also has training at CanSecWest and Black Hat, in addition to B-Sides Seattle..
https://www.blackhat.com/us-16/training/applied-physical-attacks-on-x86-systems.html
https://cansecwest.com/dojos/2016/advanced_hardware.html
Dell info on Linux firmware updates
Regarding the new firmware update service available for Linux OEMs:
https://firmwaresecurity.com/tag/fwupd/
There is a new article from Dell on this topic:
(Published on behalf of Mario Limonciello, OS Architect of Dell Client Solutions Group’s Linux Engineering team.)
I’m happy to announce that starting with the Dell Edge Gateway 5000 we will be introducing support to natively flash UEFI firmware under Linux. To achieve this we’re supporting the standards based UEFI capsule functionality from UEFI version 2.5. Furthermore, the entire tool chain used to do this is open source. Red Hat has developed the tools that enable this functionality: fwupd, fwupdate, & ESRT support in the Linux kernel. For the past year we have been working closely with Red Hat, Intel, & Canonical to jointly fix hundreds of issues related to the architecture, tools, process, and metadata on real hardware. Dell will be publishing BIOS updates to the Red Hat created Linux Vendor Firmware Service (LVFS). Red Hat provides LVFS as a central OS agnostic repository for OEMs to distribute firmware to all Linux customers. […]
Dell — along with Red Hat, apparently — are setting a great example, I hope other OEMs do as well with Linux. 🙂 It makes me think Dell is working to deal with this recent comment of William (of Dell):
UEFITool/UEFIExtract/UEFIFind updated
Nikolaj Schleg has updated UEFI Tool, and UEFI Extract and UEFI Find, with a fe new features and fixes:
* improved parsing of Intel flash descriptor
* improved detection of Tiano/EFI 1.1 compression type
* added 2 UEFI capsule GUIDs used by Lenovo
* solved potential crash on very low memory available
* UEFIExtract and UEFIFind update to include the latest parser changes
Alpha version of new UEFITool 0.30.0_alpha19 released for early adopters, still no image editing possible in this release.
VirtualBox 5.0.14 released
https://twitter.com/OTNSystemsHub/status/689898049057849346
5.0.14 is a maintenance release. The prior release, 5.0.12, had a fix to their EFI support.
More information:
https://blogs.oracle.com/virtualization/entry/oracle_vm_virtualbox_5_013
https://www.virtualbox.org/
https://www.virtualbox.org/wiki/Changelog
Smashing the Stack revived
Nice, a classic ASCII document, “Smashing the Stack for Fun & Profit“, by Aleph One, has been revisited, with rich infographics and heavy formatting by avicoder!
Firmware Security 
You must be logged in to post a comment.