Kris Brosch on dumping ARM SoC firmware

From Binni Shah’s Twitter feed: Kris Brosch has a new article on the Include Security blog, on obtaining a copy of the firmware of a reverse-engineered ARM SoC device:

Sometimes you can get access to the firmware without touching the hardware, by downloading a firmware update file for example. More often, you need to interact with the chip where the firmware is stored. If the chip has a debug port that is accessible, it may allow you to read the firmware through that interface. However, most modern chips have security features that when enabled, prevent firmware from being read through the debugging interface. In these situations, you may have to resort to decapping the chip, or introducing glitches into the hardware logic by manipulating inputs such as power or clock sources and leveraging the resulting behavior to successfully bypass these security implementations. This blog post is a discussion of a new technique that we’ve created to dump the firmware stored on a particular Bluetooth system-on-chip (SoC), and how we bypassed that chip’s security features to do so by only using the debugging interface of the chip. We believe this technique is a vulnerability in the code protection features of this SoC and as such have notified the IC vendor prior to publication of this blog post. […]

Full article:
http://blog.includesecurity.com/2015/11/NordicSemi-ARM-SoC-Firmware-dumping-technique.html

Olimex ARM64 OSH laptop update

Olimex is working on an Open Source Hardware AArch64 laptop, based on their Open Source Hardware AArch64 dev board. They have an update on the system, including some prototype pictures:

“needless to mention this window button will become Tux. :-)”

A64-OLinuXino OSHW 64-bit ARM DIY Laptop idea update

I wonder about what firmware they’ll use, and if the user will be able to update it themselves, from source….

Matthew on kernel security

Matthew Garrett has a new blog post, on the topic of the need to improve Linux kernel security. Excerpt:

[…]
The model up until now has largely been “Fix security bugs as we find them”, an approach that fails on two levels:

1) Once we find them and fix them, there’s still a window between the fixed version being available and it actually being deployed
2) The forces of good may not be the first ones to find them

This reactive approach is fine for a world where it’s possible to push out software updates without having to perform extensive testing first, a world where the only people hunting for interesting kernel vulnerabilities are nice people. This isn’t that world, and this approach isn’t fine.
[…]

Full article:
http://mjg59.dreamwidth.org/38158.html

TCG workshop in Tokyo next month

Today the TCG sent out a news announcement about their presence at JRF in Tokyo next month. Email header/footers removed, but body not excerpted, since no URL and only from TCG newsletter.

You’re Invited to Attend the Annual Japan Regional Forum (JRF) Workshop in Tokyo on December 2, 2015.

Date/Time:  Wednesday, December 2, 2015  13:30 – 19:30

Venue: Akihabara UDX Next 1 – Tokyo, Japan

The Japan Regional Forum (JRF) will be hosting its annual Open Workshop on Wednesday, December 2, 2015 at Akihabara UDX in Tokyo.

This 7th annual JRF Workshop is open to both members of the Trusted Computing Group (TCG) and non-members who are interested in TCG activities and issues around security.

This event provides an excellent opportunity to learn global trends and challenges in IoT, Automotive, and Embedded System, and get deep understanding through the discussions through the event.

The program includes a keynote address from David Grawrock, Senior Principal Engineer of Intel on TPM core features for Trustworthy in IoT Era. In addition, Koji Ono, Technical Sales, Consumer & Partner Group OEM at Microsoft Japan will lead a session on security feature of Windows 10 for IoT and Mark Schiller, Executive Director of the Trusted Computing Group will introduce TCG efforts for embedded system and IoT as well as benefit of joining TCG.

Other speakers include Shinji Sato, IPA (Information-technology Promotion Agency, Japan), Shinichi Horata, JPCERT/CC (Japan Computer Emergency Response Team Coordination Center), and Ryo Kurachi, TCG Invited Expert from Nagoya University.

The session is followed by reception with food & drink and will provide a great opportunity to network with speakers and members of the TCG.  TCG technology demo showcase will also be available for attendees.

If you are interested in attending this event please visit the TCG JRF website (Japanese) at http://www.trustedcomputinggroup.org/jp/jrfworkshop .

Registration will close on Wednesday, November 25, 2015.

More info:
http://www.trustedcomputinggroup.org/jp/jrfworkshop

Open Compute Project’s new Firmware focus group

The Open Compute Project’s Hardware group is starting a new Firmware focus group, focusing on UEFI Forum and DMTF technologies. The group is led by Mallik Bulusu of Microsoft and Vincent Zimmer of Intel.

During our last meeting, we had a very good discussion about standardizing UEFI interfaces and what makes sense and does not make sense. There is also a need to standardize and streamline FW updates, define bare metal provisioning scenarios and interfaces, extend security framework to include auditing and monitoring, UEFI configuration management, etc. Also, our alliance groups (UEFI, DMTF) are working on similar or closely related technologies. We want to make sure we work closely with them to make sure we are aligned. Towards that end, Mallik Bulusu and Vincent Zimmer are willing to bootstrap this effort and lead a subgroup that is focused on this. Anyone interested in this topic and willing to contribute please send an email to Mallik and Vincent expressing your interest. The goal here is to a) come up with a specification that captures OCP member specification and b) working with our members and alliance partners to get buy-in and implementations for those specs. We will discuss this further in our upcoming monthly meeting.

For more information, see the posting on the OCP Hardware Management list, and their next upcoming monthly meeting.

http://lists.opencompute.org/pipermail/opencompute-hardwaremngt/2015-November/000668.html

New Windows PDB tool: pdb_type_theft.py

As pointed out by ZDI, Dustin Childs of HP Security Research (HPSR) wrote an article on Windows binaries and symbols, and how some symbolic information is missing from current binaries, and how he wrote a new tool — pdb_type_theft.py — to extract the missing information from old binaries.

In August of this year, Microsoft published an update to NTDLL and along with it, released updated symbols for debugging. These symbols are available as PDBs (program databases). Unfortunately, the symbols that were released contain type information that is missing standard structures and enumerations. As a result, debugging applications on Windows became a far more involved task. Microsoft is aware of the issue but has yet to release updated PDBs that rectify this issue. While they are working on it, I found myself wondering if I could avoid their involvement altogether. Barring any changes to the structures and enumerations, the information from previous versions of the PDBs should still be valid. As such, if I could copy the type information from a previous PDB and inject it into the current PDB, I’d theoretically be able to have everything I expect from a working build process. […] This script requires having a PDB with the type information you want available to copy into another PDB.  If you are not in the habit of snapshotting your VMs after every update, the following links may be helpful […]

Full article and source:
http://community.hpe.com/t5/Security-Research/PDB-Type-Theft/ba-p/6801065
https://github.com/thezdi/scripts/blob/master/pdb_type_theft.py

(If you’ve read a few blog entries, you know that I misspell things a lot. Sorry. The other day, Microsoft finally made the PDB spec public, and I blogged on it, calling it “PDF”. Sigh.)

Blackberry’s Priv to get monthly security updates

Jimmy Westenberg has written a story on Android Authority about Blackberry committing to monthly security updates for their Android devices:

In wake of the recent Stagefright vulnerability in Android, many OEMs have been committing to monthly security-focused updates for their devices. Companies such as Samsung, LG and Google have all committed to putting a bigger focus on security patches, and now we can add BlackBerry to that list as well. BlackBerry has just released some detailed information as to how it plans to keep its upcoming Android-powered handset, the Priv, up to date with the latest security patches as they become available to the public. Specifically, the company says it will release monthly updates to users who have purchased the Priv through shopblackberry.com. If you happen to purchase your device from a carrier or authorized retailer, though, you might need to wait a bit longer. […]

Full story:
http://www.androidauthority.com/blackberry-priv-monthly-security-updates-653542/

This is great news, glad to see more than one carrier with this policy.

Modern device trust issues

Altaf Hussain of Freescale has a nicely-written article on device trust in Axiom:

https://twitter.com/AvnetDesignWire/status/661974412296630272

Not too long ago, a factory could close its gates and guard its doors to ensure security and safety inside. However, to get the same level of security in today’s interconnected world, a factory must also carefully protect electronic communication in and out of the factory. This type of “information security” is already happening everyday on the web – conduct a simple Google search for “trust” and you’ll notice that Hypertext Transfer Protocol Secure (HTTPS) is used to provide secure, encrypted communication. However, securing electronic communication is not enough. Factories must also guard against potential threats from unsecured information entering the physical environment (such as a USB pen drive carrying a Trojan horse brought from outside the factory). To begin evaluating who or what can be trusted, system builders and buyers of industrial networking applications must consider the following questions:

 * Are the devices real or clones?
 * Is the device manufactured using my components and software?
 * Is this my application code and third party code I bought?
 * Is this my data?
 * Is this an authorized operator?

To ensure that all the answers are “YES”, there has to be a root of trust all the way from the component, through the application, to the communication link. Now the question is: how is this root of trust achieved? […]

Full article below. Also see end of article for URL to PDF edition:
http://design.avnet.com/axiom/who-can-you-trust/?UTM_Campaign=na-frs-axm-twt-aug2015

Intel IoT technology update

Rick Merritt has an article in EE Times, covering multiple stories on Intel’s new IoT-related offerings, including new Quarks, and IoT OS releases (Rocket and Pulsar) from Intel’s Wind River:

http://www.eetimes.com/document.asp?doc_id=1328176

Phoronix news

Earlier, I used to post stories I found on Phoronix. But these days that means too many posts and I can’t keep up with Phoronix, so I’m assuming that if you care about Linux-based firmware security, you’re also reading Phoronix.com for their excellent news. For example, here are a few of the recent stories:

http://www.phoronix.com/scan.php?page=news_item&px=Linux-4.4-ACPI-PM
http://www.phoronix.com/scan.php?page=news_item&px=TPM-2.0-Security-Linux-4.4
http://www.phoronix.com/scan.php?page=news_item&px=EFI-Updates-Linux-4.4

Michael makes better use of tags than I do as well:

https://www.phoronix.com/scan.php?page=news_topic&q=coreboot
https://www.phoronix.com/scan.php?page=news_topic&q=Hardware
https://www.phoronix.com/scan.php?page=news_topic&q=Intel
https://www.phoronix.com/scan.php?page=news_topic&q=AMD
https://www.phoronix.com/scan.php?page=news_topic&q=Linux%20Kernel
https://www.phoronix.com/scan.php?page=news_topic&q=NVIDIA
https://www.phoronix.com/scan.php?page=news_topic&q=Virtualization

ZeroNights

ZeroNights is coming up this December in Moscow. There are multiple firmware security-related presentations at this event.

Not only will Nikolaj Schlej be speaking on UEFI (perhaps his first conference presentation?), but there are at least two other firmware-related presentations.

They also have a Hardware Hacking Village. Looks like a fun conference.

http://2015.zeronights.org/agenda.html
http://2015.zeronights.org/workshops.html

Details on C.H.I.P. board

Drew Fustini has a very nice presentation on the new Open Source Hardware C.H.I.P. board by Next Thing Co:

http://www.element14.com/community/groups/open-source-hardware/blog/2015/10/29/hands-on-with-chip-the-worlds-first-nine-dollar-computer

Lots of information about this new open source hardware board!

http://nextthing.co/

If you’ve not been watching the Open Source Hardware blog, check it out:

http://www.element14.com/community/groups/open-source-hardware/blog/

Google to merge Android and ChromeOS?

http://www.linux.com/news/embedded-mobile/mobile-linux/864465-despite-google-denials-chrome-os-and-android-seem-destined-for-merger

http://chrome.blogspot.com/2015/11/chrome-os-is-here-to-stay.html

Personally, I’d like to see Android Verified Boot and Chrome OS Verified Boot unified! 🙂

UEFI Forum’s new FW/OS Forum

The UEFI Forum has created a new mailing list for discussion of UEFI with OS software:

https://twitter.com/Intel_UEFI/status/661623355368312832

“The FW/OS Forum is a free public forum focused on firmware and operating system (OS) integration. Developers are invited to openly discuss challenges and collaboratively identify fixes. The UEFI Forum created the FW/OS Forum in response to community input, which called for a centralized resource dedicated to troubleshooting UEFI firmware issues encountered when working with any OS. The UEFI Forum is committed to making these community discussion and feedback mechanisms effective for all users. Considering, you may see changes based on usability enhancements. FW/OS Forum members are asked to refrain from sharing any non-public information regarding specification or test tool work that is still in development, as well as any company-specific IP or UEFI Forum-specific IP. Additionally, the FW/OS Forum should not be considered a venue for bug tracking. Firmware integration issues raised within the FW/OS Forum will not be considered as formal bug fix requests; however, the information captured may be considered in future specification updates.”

http://www.uefi.org/FWOSForum

http://lists.mailman.uefi.org/mailman/listinfo/fw_os_forum

European teapots are latest IoT attack vector

Time to start stocking up on pre-IoT devices, while you still can:

“Hema has put a recall on water kettles that could lead to dangerous situations as well as USB sticks which contain serious security vulnerabilities. The water kettle involved is Ketelbinkie with the product code 80.00.7607. Hema released a statement on their website warning of the defective water kettle, stating that the loose bottom casing causes water to run out and could promote burning. They have advised against any further use of the appliance. Customers can return the kettle to a Hema store for a full refund. The +USB Sticks, sticks with 8GB and 16GB of storage which come with free access to cloud storage, have been found to contain outdated software that is infested with errors. The discovery was made by security researchers in the Hague’s hackerspace, Revspace.”

http://www.nltimes.nl/2015/11/03/hema-recalls-dangerous-water-kettles-removes-usb-sticks-from-store-shelves/

At least there was some “free access to cloud storage” as part of the deal. Sheesh.

Android USB-OTG vulnerability

Interesting story from TechWorm on a Samsung-flavored Android security issue; it is unclear how this impacts other vendors’ flavors of Android:

Samsung lets you hack it smartphone even with factory reset protection enabled with a USB OTG

In order to protect Android smartphones from thieves, Google introduced a new feature in Android 5.0 Lollipop. The new feature allows your phone to stay protected in the event of a factory data reset that occurs from within recovery. Android 5.0 Lollipop gives this root level protection to Android smartphone owners and it will persistently ask for the primary Google account’s password after a phone has been factory reset in this manner. This protection helps the owner in case a thief or a hacker tries to gain access to the phone. However, an Android user, RootJunky has proved that it is easy to bypass this system level protection with just a USB OTG cable and APK within 10 minutes. RootJunky recently discovered a flaw on Samsung devices which allows you to bypass the system level protection with just that. […]

Full story:

http://www.techworm.net/2015/11/samsungs-factory-reset-protection-bypassed-with-usb-otg-video.html

Android Nexus security updates for November

Google is continuing its new policy of monthly Android updates for its Nexus line.

CVE-2015-6608, Critical, Remote Code Execution Vulnerabilities in Mediaserver
CVE-2015-6609, Critical, Remote Code Execution Vulnerability in libutils
CVE-2015-6611, High, Information Disclosure Vulnerabilities in Mediaserver
CVE-2015-6610, High, Elevation of Privilege Vulnerability in libstagefright
CVE-2015-6612, High, Elevation of Privilege Vulnerability in libmedia
CVE-2015-6613, High, Elevation of Privilege Vulnerability in Bluetooth
CVE-2015-6614, Moderate, Elevation of Privilege Vulnerability in Telephony

https://groups.google.com/forum/#!msg/android-security-updates/n1aw2MGce4E/jhpVEWDUCAAJ
https://source.android.com/devices/tech/security/enhancements/enhancements60.html

In somewhat-related Android security news, there is a new design-time vulnerability:

http://blog.trendmicro.com/trendlabs-security-intelligence/setting-the-record-straight-on-moplus-sdk-and-the-wormhole-vulnerability/
http://www.itproportal.com/2015/11/03/android-sdk-vulnerability-leaves-100-million-users-at-risk/

CfP open for ACM IoT security workshop

There’s a Call-for-Papers for ACM’s IoT security event, “2nd ACM Workshop on IoT Privacy, Trust, and Security (IoTPTS 2016)”:

Held in conjunction with ASIACCS 2016 in Xi’an, China from May 30 – June 3, 2016.

Paper submission: Feb 12, 2016
Author notification: March 1, 2016

We encourage submissions on all aspects of IoT privacy, trust, and security.

IoTPTS Chairs (Richard Chow and Gokay Saldamli)
iotpts2016chairs@gmail.com

https://sites.google.com/site/iotpts2016/