Category: Uncategorized

Brandon Wilson from DerbyCon: Intercepting USB Traffic

~ hucktech ~ Leave a comment

DerbyCon just finished. Brandon Wilson gave a presentation called “Intercepting USB Traffic for Attack and Defense”

BadUSB reminded the world about the dangers of maliciously intelligent USB devices such as flash drives with modified firmware, but little has been released to effectively defend against the threat. A customizable man-in-the-middle USB connection can not only do that, but provide even more benefits to both attackers and defenders, such as modifying or denying specific traffic (similar to a USB write blocker) or bypassing mass storage restrictions in a locked-down corporate environment. In this talk, I will explain how to easily assemble a USB passthrough device using cheap, existing hardware and flash it to either attack ‘secure’ environments, or isolate yourself from untrustworthy or potentially malicious peripherals. Instructions for purchasing the hardware, assembling it, and code for several different scenarios will be released and demonstrated.
Brandon Wilson is an independent security researcher and software developer. He has more than a decade of experience in reverse-engineering embedded systems and protocols, from graphing calculators to gaming consoles to flash drives. He has appeared in numerous publications such as the Wall Street Journal and Wired, and also collects DMCA takedown notices for fun.

Video of the presentation (this video crashed my browser, so don’t view this link if you have anything important in your browser):

http://www.irongeek.com/i.php?page=videos/derbycon5/stable32-intercepting-usb-traffic-for-attack-and-defense-brandon-wilson

https://www.derbycon.com/derbycon-2015-schedule-and-abstract/
http://www.irongeek.com/i.php?page=videos/derbycon5/mainlist

BIOS, MBR, and the 0x87C00 mystery

~ hucktech ~ Leave a comment

Binni Shah tweeted about a BIOS blog post by Masahiko Sakamoto:

Excerpt of initial post, with all the questions, and none of the answers:

Why BIOS loads MBR into 0x7C00 in x86? The mysteries arround “0x7C00” in x86 architecture bios bootloader? Do you know “0x7C00”, a magic number, in x86 assembler programming ? “0x7C00” is the memory address which BIOS loads MBR (Master Boot Record, a first sector in hdd/fdd) into. OS or bootloader developer must assume that their assembler codes are loaded and start from 0x7C00. But…1st, you may wonder. “I read all of Intel x86(32bit) programmers manual, but did not found the magic number 0x7C00.” Yes. 0x7C00 is NOT related to x86 CPU. It’s natural that you couldn’t find out it in cpu specifications from intel. Then, you wonder, “Who decided it ?” You may wonder: “0x7C00 is 32KiB – 1024B at decimal number. What’s this number means ?” Anyone decided it. But, why he/she decided such a halfway address? Hum…There’re TWO questions (mysteries) arround the magic number “0x7C00”. Who decided “0x7C00”? What “0x7C00 = 32KiB – 1024B” means? Okay, let’s dive into the secret of BIOS for “IBM PC 5150”, ancestor of modern x86(32bit) PCs, with me…!!

Full post:

http://www.glamenv-septzen.net/en/view/6

Linaro LAVA changes

~ hucktech ~ Leave a comment

LAVA is a Continuous Integration tool for testing firmware, pre-OS environment, and embedded OSes, including QEMU-based systems as well as live hardware. Linaro is refactoring the code, which will impact test code and their running validation service, as well as renaming Linaro-Validation to lava-devel. The lava-users and lava-announce lists still exist. Neil Williams of Linaro announced some changes to LAVA, after discussing things at last week’s Linaro Connect. Excerpts of anouncement:

The LAVA dispatcher is being refactored and this had led to advancements and modifications in the lava-server as well as a completely re-written job submission format. LAVA is retaining compatibility *only* with the Lava Test Shell Definitions (the YAML files people are currently using) and there can be no automated way of converting existing JSON job submissions to the new job submission format (which uses YAML to allow for comments, amongst other improvements). The refactoring introduces a lot of benefits, including much more robust communication between the workers and the master, removal of configuration on the workers so that admins only change things in one place, a lot of new methods within the dispatcher to support new types of test and a much cleaner, more modular, codebase for future development. The timetable for these changes is expected to cover most of 2016.

The LAVA developers would ask that everyone running LAVA would subscribe to at least the lava-announce mailing list, to help with the migration to the new support.

Full announcement:
https://lists.linaro.org/pipermail/lava-announce/2015-September/000000.html

More information:
https://sfo15.pathable.com/meetings/302656
https://sfo15.pathable.com/meetings/303074
https://validation.linaro.org/
https://lists.linaro.org/mailman/listinfo/lava-users
https://lists.linaro.org/mailman/listinfo/linaro-validation

Next Thing Co’s CHIP mini-computer

~ hucktech ~ Leave a comment

Alpha versions of this $9 (shipping not included) open hardware system have shipped, the Kickstarter page  has been updated.

https://www.kickstarter.com/projects/1598272670/chip-the-worlds-first-9-computer/posts/1355196
http://nextthing.co/#
http://liliputing.com/2015/09/9-chip-mini-computer-starts-shipping.html

Humorously, the system ships without firmware, it appears that customers have to (or get to, depending on your POV) to do that:
https://nextthingco.zendesk.com/hc/en-us/sections/201702957-Gettting-Started-with-C-H-I-P-

DHS-funded Boeing self-destructing hardware

~ hucktech ~ Leave a comment

Boeing is working on a Black phone, which has strong physical security features. Quoting the story from NextGov:

The Department of Homeland Security is funding a Boeing company to create a “brain chip” for its self-destructing Black smartphone that could be adapted for any device, DHS officials say. The technology powering the devices potentially could identify the user’s walking style, for example. Officials would be alerted if the gait does not match the authorized user’s walk – a red flag the phone might have fallen into the wrong hands, officials said.  The “secret sauce” of the mobile device is a so-called neuromorphic computer chip that simulates human learning, Vincent Sritapan, the program manager for DHS’ mobile device security program, told Nextgov.

http://www.nextgov.com/cybersecurity/2015/09/dhs-wants-boeing-test-brain-chip-firms-self-destructing-black-spyphone/121697/

Boeing’s ‘Black’ Smartphone to come with ‘Self-Destructing’ Chip


http://news.softpedia.com/news/us-government-interested-in-boeing-s-self-destructing-smartphone-chip-492885.shtml

Will Purism include this in their upcoming smartphone and tablets? Half 🙂

Android SafetyNet and Device Verification

~ hucktech ~ Leave a comment

A few Android news sites have a story about why Google Pay won’t work on rooted Android devices, and how Jason Clinton of Google posted a message on the XDA forum with more details on why this happens. Excerpt of Jason’s post:

While the platform can and should continue to thrive as a developer-friendly environment, there are a handful of applications (that are not part of the platform) where we have to ensure that the security model of Android is intact. That “ensuring” is done by Android Pay and even third-party applications through the SafetyNet API. As you all might imagine, when payment credentials and–by proxy–real money are involved, security people like me get extra nervous. I and my counterparts in the payments industry took a long, hard look at how to make sure that Android Pay is running on a device that has a well documented set of API’s and a well understood security model. We concluded that the only way to do this for Android Pay was to ensure that the Android device passes the compatibility test suite–which includes checks for the security model. The earlier Google Wallet tap-and-pay service was structured differently and gave Wallet the ability to independently evaluate the risk of every transaction before payment authorization. In contrast, in Android Pay, we work with payment networks and banks to tokenize your actual card information and only pass this token info to the merchant. The merchant then clears these transactions like traditional card purchases.

Full post:
http://forum.xda-developers.com/google-nexus-5/general/android-pay-custom-rom-t3199843/post62981452#post62981452

A bit more on Android SafetyNet API, from their web site:

“SafetyNet provides services for analyzing the configuration of a particular device, to make sure that apps function properly on a particular device and that users have a great experience. The service provides an API your app can use to analyze the device where it is installed. The API uses software and hardware information on the device where your app is installed to create a profile of that device. The service then attempts to match it to a list of device models that have passed Android compatibility testing. This check can help you decide if the device is configured in a way that is consistent with the Android platform specifications and has the capabilities to run your app.”

https://source.android.com/compatibility/cts/index.html
https://developer.android.com/training/safetynet/index.html

http://news.softpedia.com/news/google-explains-why-android-pay-won-t-work-on-rooted-phones-492854.shtml

Google security engineer explains why Android Pay doesn’t work on rooted devices

 

Intel EFI Disk Utilities

~ hucktech ~ Leave a comment

Intel has a set of disk utilities, for creating/checking GPT partitions and FAT file systems. They aren’t included in TianoCore’s EDK2 with the other BSD-licensed UEFI Shell commands. These tools ship separately, with a separate license, presumably due to the tool’s knowledge of FAT file system format. Here’s a brief description of the tools, as excerpted from the download license:

Microsoft EFI Utilities: The term “Microsoft EFI Utilities” shall mean the Guided Partition Table utilities Diskpart (Disk partitioning utility), Efifmt (EFI Format utility) and Efichk (EFI Check Disk utility) stored in a file named GPT_UTIL.zip.

To get the tools, you have to agree to the license on this page, if so you get to download a zip. Then you have to read the readme in that zip, to get the password for the other included zip, which contain the actual tools. Lawyer-designed.

http://www.intel.com/technology/efi/agree_diskutil.htm

The tools come with source, not just binary. They didn’t compile for me, this morning: I think they require a much older EDK2 environment to build. But at least they ship with source, though it is not BSD-licensed Open Source. The tools are old enough that they still use “EFI”, not the newer “UEFI” term.

I wish Intel could donate these tools to the UEFI Forum, so that Intel- *AND* ARM-based users could benefit. TianoCore already has a FAT license, for it’s file system driver. Adding these tools to that package would eliminate one FAT-centric license, and bundle FAT-centric tools along with the FAT-centric file system driver. It would be nice for TianoCore to be able to fix/create ESPs, not just run from ESPs created elsewhere. Perhaps use the Disk Util common code for some other UEFI-based file system diagnostic tools for file systems that UEFI ships, eg UFS, maybe UDF.

Cisco malware-detection tool

~ hucktech ~ Leave a comment

Cisco has a new tool to help with malware detection:

The most recent addition to the toolkit Cisco is providing customers comes after the Cisco PSIRT worked with internal teams and customers to acquire copies of the malware. Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware. The tool works by scanning devices and networks, looking for routers answering the SYNful Knock malware. Note: This tool can only detect hosts responding to the malware “knock” as it is known at a particular point in time. This tool can be used to help detect and triage known compromises of infrastructure, but it cannot establish that a network does not have malware that might have evolved to use a different set of signatures. The tool was developed in Python and requires Python version 2.7 along with the scapy v2.3.1 packet manipulation library. During its operation, the tool injects custom crafted packets at the Ethernet layer (layer 2) and monitors and parses the responses. This functionality requires that the tool be run with root privileges.

http://blogs.cisco.com/security/talos/sysadmin-phish

http://blogs.cisco.com/talos

http://blogs.cisco.com/security/talos/synful-scanner

Linux Luddites podcast on Ron Minnich

~ hucktech ~ Leave a comment

As found on the coreboot blog, episide 49 of Linux Luddites podcast, from last month, has a firmware focus.

With Android’s security woes making even the mainstream press, it’s hardly surprising that they featured in our news this show. But we also found time to bring you stories about Fedora and Ubuntu, FFmpeg, a couple of Kickstarter projects with very different outcomes, and a similarly mixed bag of news for Lenovo. Ron Minnich has long been associated with Open Source firmware, and after the news we spoke to him about the coreboot project. In our interview we found out why Ron is so enthusiastic about Google’s Chromebooks, discovered his hopes for a new RISC ISA from Berkeley, and quizzed him on whether Purism can really deliver on their promise of a modern and truly FOSS mass-market laptop.

https://linuxluddites.com/shows/episode-49/

Linux Luddites interview Ron Minnich

Linaro Connect presentations online

~ hucktech ~ Leave a comment

Linaro Connect is happening in San Francisco. They’ve got their presentations online, including a few firmware-related and security-related talks. I like the “Advanced Toolchain Usage” series.

http://www.linaro.org/blog/linaro-connect-2015-kicks-off-in-san-francisco/
http://www.linaro.org/blog/day-2-of-linaro-connect-sfo15/
https://www.linaro.org/blog/day-3-of-linaro-connect-sfo15/
https://www.linaro.org/blog/day-4-of-linaro-connect-sfo15/

Nikolaj Schlej series on UEFI security!

~ hucktech ~ Leave a comment

Nikolaj Schlej, of UEFITool fame, has a series of articles on UEFI security; so far there are 4 parts to this series. It is written in Russian. If you can’t use translation tools effectively — like me — this series is a good time to start to learn. Here’s the excerpted output of Google Translate of the first paragraph of part 1:

In this article, we will focus on models of threats and attack vectors on UEFI, as well as protection against overwriting the contents of the chip BIOS – the most devastating of the possible consequences of an attack. If you are curious about how to protect UEFI and which vulnerabilities in it and remain uncorrected in most modern systems – welcome under the cut.

http://habrahabr.ru/users/CodeRush/topics/

part 1:
http://habrahabr.ru/post/266935/

part 2:
http://habrahabr.ru/post/267197/

part 3:
http://habrahabr.ru/post/267237/

part 4:
http://habrahabr.ru/post/267491/

Kylin

~ hucktech ~ Leave a comment

Quoting Wikipedia, “Kylin is an operating system developed by academics at the National University of Defense Technology in the People’s Republic of China since 2001. It is named after the mythical beast qilin. The first versions were based on FreeBSD and were intended for use by the Chinese military and other government organizations. With version 3.0 Kylin became Linux-based, and there is a version called NeoKylin which was announced in 2010. In 2013, it was announced that a new Linux-based operating system with the same name would be released using Ubuntu. The first version, Ubuntu Kylin 13.04, was released on 25 April 2013.

QZ.com has a new review of this OS, including some screenshots:

http://qz.com/505383/a-first-look-at-the-chinese-operating-system-the-government-wants-to-replace-windows/

I still don’t know what firmware it uses. I’ve not found the source code yet. 😦

More Information:

http://www.kylinos.com.cn/
http://www.kylin-os.com/products/os/
http://www.cassc.org.cn/english/product_of_kylin.htm
https://en.wikipedia.org/wiki/Kylin_%28operating_system%29

MITRE Copernicus

~ hucktech ~ 1 Comment

MITRE Copernicus was — AFAICT — the first public firmware vulnerability analysis tool. I’ve not given it enough coverage here, only a single post:

MITRE Copernicus

I presume that everyone already knows about it. If you don’t know about it, it is worth investigating

It appears that MITRE hasn’t updated Copernicus, in a while, at least I can’t find any. I just noticed that Xeno of LebaCore, formerly of MITRE and one of the Copernicus developers, gave an URL to the latest version of it, which is a public download:

The same URL to that zip is in the below mini-review for BIOS Diff, a cross-platform open source firmware utility that is included in Copernicus:

Tool mini-review: bios_diff.py

Copernicus is Windows-centric, and public release is closed-source, including the driver. I wish there was another host for it, in addition to blackhat.com, a domain commonly attacked by hacker. I wish it was hosted in another place, and included a .SHA256 and OpenPGP .ASC sidecar files for verfication. I REALLY wish the sources to the Windows driver were published!

Looking forward to another version of Copernicus, or some other new tools from LegbaCore!

 

TPM updates for Linux Shim and GRUB

~ hucktech ~ Leave a comment

Matthew Garrett has updated the Linux UEFI Shim and GRUB to support, based on some Trusted Grub patchset. He’s written a blog post with useful details on this update.

More information:

https://github.com/mjg59/shim/tree/tpm

https://github.com/mjg59/grub

http://mjg59.dreamwidth.org/37656.html

Firmware security is main feature of new HP printers

~ hucktech ~ Leave a comment

Excerpting their press release:

HP Announces World’s Most Secure Printers: New HP LaserJets include built-in self-healing security features with protection down to the BIOS

HP today announced three new enterprise class LaserJet printers that deliver increased protection against malicious attacks. The stronger security is part of a broader HP strategy to provide the deepest security across PCs and printers. Printer security is a topic of growing importance. According to the Ponemon Institute, 64 percent of IT managers believe their printers are likely infected with malware. At the same time, 56 percent of enterprise companies ignore printers in their endpoint security strategy.(1) To help address this gap, HP is delivering its new HP LaserJet Enterprise printers and multi-function printers (MFPs) with industry-leading security features(2) built in, including:

* HP Sure Start enables detection of and self-healing recovery from malicious BIOS attacks, extending the same BIOS security protecting HP’s Elite line of PCs since 2013 to the new HP LaserJet Enterprise printers.
* Whitelisting ensures only known, good firmware can be loaded and executed on a printer.
* Run-time Intrusion Detection is a new feature providing in-device memory monitoring for malicious attacks. It was developed in partnership with Red Balloon Security, an embedded device security company started by researchers from Columbia University. The company has done extensive research for several government agencies, as well as private sector companies in industries such as telecommunications and controller systems.

These new features will be standard on new HP LaserJet Enterprise printers and OfficeJet Enterprise X printers with HP PageWide Technology going forward. With a firmware update, these three features can also be enabled on several HP LaserJet Enterprise printers available since April. In addition, Whitelisting and Run-time Intrusion Detection can be added to many existing HP LaserJet Enterprise printers and OfficeJet Enterprise X printers launched since 2011 through an HP FutureSmart service pack update. FutureSmart is HP firmware that helps protect customers’ investments in HP Enterprise printers by enabling delivery of new capabilities via updates.

It would be nice to see firmware security as a major feature of all new devices! 🙂

Full announcement:
http://www8.hp.com/us/en/hp-news/press-release.html?id=2083105&pageTitle=HP-Announces-World%E2%80%99s-Most-Secure-Printers

HP printer firmware information page:
http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03933242

Costin’s embedded firmware security thesis

~ hucktech ~ Leave a comment

Thesis:
Large scale security analysis of embedded devices’ firmware
Costin, Andrei
Embedded systems are omnipresent in our everyday life and are becoming increasingly present in many computing and networked environments. For example, they are at the core of various Common-Off-The-Shelf (COTS) devices such as printers, video surveillance systems, home routers and virtually anything we informally call electronics. The emerging phenomenon of the Internet-of-Things (IoT) will make them even more widespread and interconnected. Cisco famously predicted that there will be 50 billion connected embedded devices by 2020. Given those estimations, the heterogeneity of technology and application fields, and the current threat landscape, the security of all those devices becomes of paramount importance. In addition to this, manual security analysis does not scale. Therefore, novel, scalable and automated approaches are needed. In this thesis, we present several methods that make feasible the large scale security analysis of embedded devices. We implemented those techniques in a scalable framework that we tested on real world data. First, we collected a large number of firmware images from Internet repositories. Then we unpacked a large subset of them and performed simple static analysis. This resulted in the discovery of many new vulnerabilities. Also, this allowed us to identify five important challenges. Embedded devices often expose web interfaces for remote administration. Therefore, we developed techniques for large scale static and dynamic analysis of such interfaces. This allowed us to find a large number of new vulnerabilities and to identify the limitations of emulation and web security tools. Finally, identifying and classifying the firmware files is difficult, especially at large scale. For these reasons, we proposed Machine Learning (ML) techniques and features for firmware files classification. Also, we developed multi-metric score fusion approaches to fingerprint and identify embedded devices at the web interface level. Using these techniques, we were able to discover a large number of new vulnerabilities in a large number of firmware packages, affecting a great variety of vendors and device classes. We were also able to achieve high accuracy in fingerprinting and classification of both firmware images and live devices.

http://s3.eurecom.fr/~costin/

Looking forward to final research! In the mean time, here’s the USENIX 2014 papers:

A Large Scale Analysis of the Security of Embedded Firmwares
Andrei Costin, Jonas Zaddach, Aurélien Francillon, Davide Balzarotti
Proceedings of the 23rd USENIX Security Symposium (USENIX Security)

Click to access usenixsec14_costin.pdf

Click to access usenixsec14_costin.slides.pdf

There are a LOT of other interesting firmware malware research papers here, as well:
http://www.eurecom.fr/en/research/results-research/thesis
http://www.eurecom.fr/fr/la-recherche/departement-reseaux-et-securite/les-publications