BlackHat-USA-2019: videos online

The videos from BlackHat-US-2019 are on Youtube now:

For example:

Platform Security Summit ‏ 2019 date set

The Platform Security Summit for 2019 will be in Redmond, WA (West Coast). Last year it was in Fairfax, VA (East Coast). I’m guessing there’ll be more talks from Microsoft this year. 🙂

The web site still talks about the 2018 event, the above tweet is the only “CFP” I have yet seen for the 2019 event.

Videos from last year:

Open Source Firmware track at LinuxFestNorthWest 2019 is the annual Linux conference for Washington state and the Pacific NorthWest area. This year, there’s an “Open Source Firmware” track, for the first time.

UEFI Boot for Mere Mortals
Why Open Source is Critical For Platform Firmware
Defending Out-of-Band Management Attacks
Network Boot in a Zero-Trust Environment
Open-Source Host Firmware Directions
The Fight for a Secure Linux BIOS… Past, Present and Future

LFNW logo

First Israeli Conference on Hardware and Side-channel Attacks

We are pleased to invite you to The First Israeli Conference on Hardware and Side-channel Attacks to be held in Barkan Hall, Ben-Gurion University of the Negev, Beer Sheva, from May 5-7, 2019. The conference will bring together researchers from industry and academia, as well as independent hackers. The objective of the conference is to form active research collaborations between Israeli and international researchers in the field of hardware and side-channel attacks, and to bridge the gap between designers, evaluators and attackers of secure systems. In this conference attackers and protectors will have the opportunity to talk about how things fail and how one may aim at protecting our valuables.[…]

BlackHat Asia: Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software

Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software
Alex Matrosov | Offensive Security Lead, NVIDIA

Many hardware vendors are armoring modern Secure Boot by moving Root of Trust to the hardware. While it is definitely the right direction to create more difficulties for the attacker, many layers of code exist between hardware and firmware. Also, hardware vendors are always fighting for boot performance, which creates interesting security issues in actual implementations. In this presentation, I’ll explain new security issues to bypass a specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I’ll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries.

353C videos online or streaming soon…

Lots of stuff is happening at CCC…

Lecture: Modchips of the State: Hardware implants in the supply-chain

Hardware implants and supply chain attacks have been in the news recently, but how feasible are they and what can we do about them? In this talk we’ll examine the design of a proof of concept SPI bus hardware implant that has similar capabilities to those described in the Bloomberg/Supermicro article as well as some countermeasures that we can use to try to detect these “modchips” and increase our trust in our systems.

We don’t know how much of the Bloomberg story about hardware implants installed in Supermicro servers shipped to Apple and Amazon is true, nor do we know the story behind the story and the reasons for the vehement denials by all the parties involved.

However, a technical assessment of details of the describe implants reveals that a supply chain attack on the hardware is definitely possible, that the capabilities of the BMC can be used to bypass OS protections, and that there are means to access the BMC that would not necessarily generate readily identified network traffic.

In this talk we’ll examine the design of a proof of concept SPI bus hardware implant that has similar capabilities to those described in the Bloomberg/Supermicro article as well as some countermeasures that we can use to try to detect these “modchips” and increase our trust in our systems.

35c3 Chaos West : 9 out of 10 x86_64 firmware vendors will hate this talk!

9 out of 10 x86_64 firmware vendors will hate this talk!

We’ll give a short introduction what you might find in your machines firmware and tell the story of two hackers that magically found tens of thousands x86_64 firmware images in their backyard as well as their journey to explore common configuration fuckups, update frequencies and potential security risks.

(Let’s hope the publish this repository of images….)

Seattle-area open source firmware presentation this December

If you’re in the Seattle area and want to see Vincent Zimmer of Intel give a recap of his presentations at the Platform Security Summit and the Open Source Firmware Conference, attend the December DC206 Meeting, the monthly Seattle-area DEF CON user group:

What: December Seattle Locksport and DC206 Meeting
When: Dec 16th (3rd Sundays), 11:00am-~4:00pm
Where: Black Lodge Research
Who: (Vincent, Noah, Zach, Dune, Panic, and the DC206 community)

Open Source IA Firmware
Vincent Zimmer, Intel Corp.

Provide highlights on the open source firmware ecosystem, including
details from the Platform Security Summit[1] and Open Source Firmware


Vincent Zimmer @vincentzimmer is a sr. principal engineer at Intel
Corporation. He leads the UEFI Security Subteam of the UEFI Forum.

Full announcement:

Hackaday SuperCon 2018: Ken Shirriff: Reverse Engineering Integrated Circuits

Supercon is Sold Out, Join Us On the Live Streams and Chat Rooms

HPE iLOv5 Firmware Updates, Local Bypass of Security Restrictions

[…]Release Date: 2018-10-30[…]
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.[…]

ZeroNights 2018: NUClear explotion

Alexander Ermolov and Ruslan Zakirov will deliver their «NUClear explotion» talk. A major and most significant approach to UEFI BIOS security is preventing it from being illegitimately modified and the SPI flash memory from being overwritten. Modern vendors use a wide range of security mechanisms to ensure that (SMM BLE / SMM BWP / PRx / Intel BIOS Guard) and hardware-supported verification technologies (Intel Boot Guard). In other words, they do everything just not to let an attacker to place a rootkit into a system. Even the likelihood of execution in the most privileged mode of a processor – System Management Mode (can be achieved through vulnerable software SMI handlers) – is of no interest to adversaries since it does not guarantee they will be able to gain a foothold in a system. A single reboot and an attack must be started anew. However, there is a thing that can make all BIOS security mechanisms inefficient. And this thing is a vulnerable update mechanism implemented by a vendor. Moreover, quite often a legitimate updater adds lots and lots of critical security holes to a system. In this talk, we will speak about how vendors manage to throw all those security flaws together in one system using Intel NUC, a small home PC, as an example. Besides, we will demonstrate how an adversary can compromise BIOS from the userland.

UEFI workshops at BSidesPDX!

Exciting, there are two workshops at BSidesPDX in Portland Oregon next month:

Detecting Evil Maid Firmware Attacks

UEFI and CHIPSEC development for Security Researchers

PS: If you’re in town, there’s also the Portland Retro Gaming Expo, starting a few days earlier: