firmware-security list on Twitter

January 17, 2017 ~ hucktech ~ Leave a comment

Back when this blog was first started, Jacob Torrey created a firmware-security list on Twitter to help. Newer readers of the blog may not be aware of that list. If you’re on Twitter, and have sources of firmware news, please consider using that list. Thanks.

A Twitter List by JacobTorrey

Twitter’s firmware researcher community list

August 15, 2015August 16, 2015 ~ hucktech ~ Leave a comment

I’m new to Twitter, still don’t have an account. A while ago I started looking into the right Twitter feeds to read:

https://firmwaresecurity.com/2015/07/22/firmware-twitter-feeds-v0-3/

but I’ve not updated that list in a while. Luckily for me, Jacob Torrey, one of the firmware researchers on above list the helped me out by creating (and maintaining) an EXCELLENT list of Twitter feeds for firmware research:

https://twitter.com/JacobTorrey/lists/firmware-security/members

I’ve got a lot more OEM/IHV/etc Twitter feeds since 0.3, will be working on a 0.4 release, but I can’t match Jacob’s list. Check it out!

Firmware Security document collection project on Github

June 24, 2015 ~ hucktech ~ Leave a comment

I just noticed a new github project:

https://github.com/robguti/firmware_security_docs

It is a collection of PDFs about firmware security, mostly security conference presentations, gathered up into a single project.

It is unrelated to this blog, I don’t know the person who created the project.

Funny, I recognize about 1/3 of the collected files by their filenames. 🙂

Be sure to virus-check PDFs before you read them, who knows if malware has been added to to these.

Tracking Intel BIOS and UEFI updates

June 16, 2015 ~ hucktech ~ Leave a comment

Here’re two resources that you should be tracking, if you care about firmware security. In addition to OEM-specific sites, these are very useful to track updates in UEFI- and Intel-based systems:

1) TianoCore Security site, advisories, and list:
http://www.tianocore.org/security/
http://tianocore.sourceforge.net/wiki/Security
http://sourceforge.net/projects/edk2/files/Security_Advisory/

The Tianocore Security site has UEFI security vulnerability information impacting most UEFI-based vendors, including non-Intel vendors like ARM. The data is released as PDFs, and announced on their list. Tianocore doesn’t use NIST SCAP CVEs, look for these PDFs instead.

2) Intel Security Center site, and list:
https://security-center.intel.com/default.aspx
https://security-center.intel.com/advisories.aspx

The Intel Security Center site has BIOS/UEFI security vulnerability information impacting Intel-based systems. The data is released as web pages, and announced on their list.

Someone from your IT department should probably be subscribed to these mailing lists, and watch these lists and content for updates that may impact their systems.

LegaCore releases new research

June 12, 2015 ~ hucktech ~ Leave a comment

Yesterday LegbaCore updated their website to include some more research:

“Added the How Many Million BIOSes Would you Like to Infect whitepaper to our Research page. This document contains more discussion than was provided in the conference talks of what could be done by live OSes like Tails or LPS to be more secure against firmware threats.”

More information:
http://www.legbacore.com/Research.html
http://www.legbacore.com/News.html

Joe Grand: Tools of the Hardware Hacking Trade

June 10, 2015June 11, 2015 ~ hucktech ~ Leave a comment

Joe Grand of Grand Idea Studio gave a presentation on “Tools of the Hardware Hacking Trade” a few weeks ago at RSA Conference:

“Embedded systems are pervasive in our society and many contain design flaws that can lead to exploitable vulnerabilities. In this session, Joe Grand examines common hardware tools used during the hacking and reverse engineering of electronic products, including those that monitor/decode digital communications, extract firmware, inject/spoof data, and identify/connect to debug interfaces.”

Joe Grand, a former member of the hacker collective L0pht Heavy Industries, is the founder of Grand Idea Studio, Inc, a company that specializes in the invention and licensing of consumer devices and modules for electronics hobbyists. The presentation is a nice look at current tools available for firmware/hardware hacking, from the security researcher perspective, for those of you who haven’t already created your ‘hardware hacking lab’. 🙂

I don’t know of any better resource lists of this kind, with a security focus. For books, there’s a chapter in Wiley’s “Android Hacker’s Handbook” that is similar. Alas, I didn’t find any audio/video archives, only the presentation. Most other hardware tools documentation I’ve found is mostly Maker-focused, not security focused.

More Information:

http://www.grandideastudio.com

Click to access hta-w04-tools-of-the-hardware-hacking-trade_final.pdf

https://www.rsaconference.com/events/us15/agenda/sessions/1619/tools-of-the-hardware-hacking-trade

Microsoft increases use of Secure Boot as marketing tool

June 7, 2015 ~ hucktech ~ Leave a comment

Earlier this week, Sam Varghese wrote an article in iTWire about Windows 10 and UEFI. According to the article, Window 10 will not enable Secure Boot unless the system has a Windows 8-compliant logo. It appears from the article Microsoft is hesitant to answer further questions from the author.

“System BIOS detected a non-Windows 8 logo graphic card. There is no Graphic Output Protocol support detected in this card. Windows 8 feature settings in BIOS will be changed to disabled.”

This will likely not impact users of new systems, as OEMs will ensure their logos are complaint and pominently displayed.

This appears to imply that users upgrading to Windows 10 from Windows 8 may lose the ability to use Secure Boot, unless they buy a new video card or have a recent one.

It also may mean an attacker can simply swap video cards and bypass SecureBoot; so much for tamper resistance in TPM chips…

It seems very strange for an OS vendor to be enabling or disabling firmware features. It is worse to see security features being disabled in the name of marketing. If Microsoft disables Secure Boot on a system, this may mean that Secure Boot is also disabled for any other OS installed on that system, like Linux, via the Micorosoft-signed Shim. So this Windows marketing technique likely impacts non-Windows system security. I am not sure, maybe their change only impacts their own OS, and other OSes on that system will still continue to Securely Boot.

It is also bad that this vendor is default Certificate Authority representing the UEFI Forum. It is also disconcerting to see Microsoft adding additional restrictions to all UEFI pre-OS applications. The UEFI Forum and Intel is letting Microsoft bully Intel-based Windows OEMs. I was reading some ARM slides recently, sorry I don’t have the URL handy for exact quote, but it said something like “no bully in our playground telling us what to run”. I wish Intel had the ability to stand up to the bully in their playground.

Ironically, Microsoft appears to have just learned to play Apple’s game better. Before Microsoft was playing UEFI-based games with systems, Apple was already using EFI to prevent non-Apple OSes on some of their systems. Since APPL and MSFT are OEMs as well as OS vendors, I expect their own systems would use UEFI as a form of “DRM” to keep their OS on their hardware. But Microsoft is now impacting all Windows OEMs, in addition to their own systems, each release of Windows makes more use of UEFI to restrict what OEMs and users can do and let Microsoft have more control over these systems. Chrome OEMs are looking better and better… 😦

More information:

http://www.itwire.com/opinion-and-analysis/open-sauce/68262-windows-10-no-secure-boot-unless-microsoft-tax-is-paid
https://msdn.microsoft.com/en-us/library/dn917885%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/dn756793%28v=vs.85%29.aspx

LegbaCore releases new firmware research at RSA Conference

May 19, 2015 ~ hucktech ~ Leave a comment

LegbaCore gave a firmware security talk at last month’s RSA Security Conference. The presentation materials and some video, are online.

LegbaCore, along with Invisible Things Lab are IMO the top two firmware security firmws, so when they release substantial new research like this, everyone should pay attention.

(If you attended my LinuxFestNorthWest talk last month on firmware security tools, the advise the LegbaCore covers in this presentation is much more detailed than what I covered.)

This is probably the best advise available to date for enterprises to protect themselves from bootkits. More up-to-date than the NIST SP guidelines or any other best practices that I know of. Everyone involved with protecting enterprise systems needs to study this carefully.

Title: Are You Giving Firmware Attackers a Free Pass?
Synopsis: Yes. Yes you are. Because you’re not patching away the vulnerabilities we and others have found and disclosed, and you’re not inspecting whether anyone has infected your firmware. This talk provides an introduction to firmware threats & capabilities. But because it is longer than previous talks like “Betting BIOS Bugs Won’t Bite Y’er Butt?”, a special emphasis is placed on including actions organizations can take immediately to mitigating firmware vulnerabilities and infections, above and beyond patching.

More Information:

http://www.legbacore.com/Research.html

Firmware security checks and IoT network security

May 11, 2015 ~ hucktech ~ Leave a comment

In Mobile Enterprise, Laurie Lamberth and Steve Brumer have a story on IoT network security. Previous articles on topic have mentioned issues with out-of-date device firmware.

Excerpt:

3. Periodic endpoint integrity checks: With thousands of devices of all different types being connected to the enterprise networks, over different networks with different access control protocols, after the fact as well as real-time access monitoring is a good idea. Periodically checking each device’s security software and policies, firmware, software, and other resources such as anti-virus protection, can root out vulnerabilities before they become problems.

Read the full story:
http://mobileenterprise.edgl.com/news/3-Options-for-Securing-the-IoT-Network-99910

Do you know how to check the firmware on your system?