LTE modem exploitation gives attackers online access

August 9, 2015 ~ hucktech ~ Leave a comment

Yesterday at DEF CON 23 this talk happened:

Scared Poopless – LTE and *your* laptop
Mickey Shkatov, Jesse Michael
“With today’s advancement in connectivity and internet access using 3G and LTE modems it seems we all can have a device that’s always internet capable, including our laptops, tablets, 2 in 1’s ultrabook. It becomes easier to be online without using your WiFi at all. In our talk we will demonstrate and discuss the exploitation of an internal LTE modem from Huawei which can be found in a number of devices including laptops by HP.”

The slides are now available:

Scared poopless- LTE & your laptop: @laplinker of Intel ATR & @jessemichael will talk on LTE exploits at @_defcon_ :http://t.co/h0lM4Q27Zy

— Yuriy Bulygin (@c7zero) June 12, 2015

Click to access Intel_DC23_SPLTE.pdf

http://www.intelsecurity.com/advanced-threat-research/index.html

Intel ATR research on CERT VU 976132

July 30, 2015 ~ hucktech ~ Leave a comment

Earlier today I posted on US-CERT’s recent vulnerability note for multiple UEFI vulnerabilties:

US CERT BIOS Vulnerability Note VU#577140!

Later today, Intel has released new research about this:

While much has been discussed, we've released Technical Details of the S3 Boot Script Vulnerability whitepaper http://t.co/16GF5vMUb5 [pdf]

— Yuriy Bulygin (@c7zero) July 30, 2015

Technical Details of the S3 Resume Boot Script Vulnerability

“This paper describes technical details of a vulnerability (VU #976132 / CVE-2014-8274) in the protection of EFI based system firmware and platform configuration when resuming from the S3 sleep state. The issue was independently discovered and presented at 31C3 in December 2014. After discovering this issue, the Advanced Threat Research team has been working to notify BIOS developers and ensure that mitigations are created. We are releasing a test module for the open source CHIPSEC platform security assessment framework. This will assist users in identifying whether their platforms might be affected by this issue.“

Read the full report here:

Click to access WP_Intel_ATR_S3_ResBS_Vuln.pdf

Note the part about a new CHIPSEC test, to test for this vulnerability, so watch the CHIPSEC Github for an update. I don’t see an update as of yet.

OEMS: please watch the security talk from Phoenix from the last UEFI Forum plugfest, especially the advise to run CHIPSEC before you ship any new systems. Please ensure your QA team uses fresh CHIPSEC builds.

Consumer Reports and other PC reviewers: Please add the CHIPSEC pass/fail data for any new systems. OEMs will improve their internal QA once they realize that the first thing the public reviewers will be calling out the OEMs on known-bad products.

More information:

US CERT BIOS Vulnerability Note VU#577140!

Click to access WP_Intel_ATR_S3_ResBS_Vuln.pdf

DEF CON 23

July 28, 2015 ~ hucktech ~ Leave a comment

In DEF CON is happening shortly, or maybe it’s cancelled, I’m not sure. 🙂 Two talks immediately jump out:

ThunderStrike 2: Sith Strike

Trammel Hudson Vice President, Two Sigma Investments
Xeno Kovah Co-founder, LegbaCore, LLC
Corey Kallenberg Co-Founder, LegbaCore, LLC

The number of vulnerabilities in firmware disclosed as affecting Wintel PC vendors has been rising over the past few years. Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Mac’s are in fact vulnerable to many of the software only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.

and:

Attacking Hypervisors Using Firmware and Hardware

Yuriy Bulygin Advanced Threat Research, Intel Security
Mikhail Gorobets Advanced Threat Research, Intel Security
Alexander Matrosov Advanced Threat Research, Intel Security
Oleksandr Bazhaniuk Advanced Threat Research, Intel Security
Andrew Furtak Security Researcher

In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines. We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

And that’s just the ‘tip of the iceberg, for talks… Teddy Reed (author of UEFI Firmware Parser) has a talk. Joe FitzPatrick (of SecuringHardware.com) has a talk. There’s a talk on hardware side-channel attacks, one on BadUSB-like security, one on hardware trust, on medical device security, and a few other firmware-related talks, around 31 hits to ‘firmware’ in the schedule! Amongst the Workshops, there are some fun ones, including: ARM for pentesters, and Embedded System Design. In the Villages, the Hardware Hacking Village and the IoT Village sound interesting.

More Information:
https://www.defcon.org/html/defcon-23/dc-23-schedule.html

Tweets by _defcon_

https://plus.google.com/+DefconOrgplus/posts
https://www.defcon.org/html/links/dc-goons.html

CHIPSEC mailing list created

July 22, 2015 ~ hucktech ~ Leave a comment

The CHIPSEC team at Intel Advanced Threat Research (ATR) have setup a mailing list for public discussions on CHIPSEC!

Formerly, there was no list, and the only way to talk about CHIPSEC was to email chipsec@intel.com. Now we have a place for security researchers to talk about using CHIPSEC, and open source developers to talk about contributing patches to CHIPSEC.

https://lists.01.org/mailman/listinfo/chipsec

Intel ATR posts RECon and CSW presentations

July 21, 2015 ~ hucktech ~ Leave a comment

Yesterday, Intel Advanced Threat Research (ATR) released presentations of two recent talks they’ve given on BIOS/SMM/UEFI security.

1) Attacking and Defending BIOS in 2015
Advanced Threat Research, Intel Security
RECon 2015

In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how BIOS can be attacked when waking up from sleep using “S3 resume boot script” vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage and more. We’ll also describe how to extract contents of SMRAM using above vulnerabilities and advanced methods such as Graphics aperture DMA to further perform analysis of the SMM code that would otherwise be protected. Additionally, we will detail “SMI input pointer” and other new types of vulnerabilities specific to SMI handlers. Finally, we will describe how each class of issues is mitigated as a whole and introduce new modules to CHIPSEC framework to test systems for these types of issues

http://www.intelsecurity.com/advanced-threat-research/content/AttackingAndDefendingBIOS-RECon2015.pdf

2) A New Class of Vulnerabilities in SMI Handlers
Advanced Threat Research, Intel Security
CanSecWest 2015

This presentation will discuss security of SMI handler components of system firmware including the nature of a new class of vulnerabilities within the SMI handlers of BIOS/UEFI based firmware on various systems. It will also discuss how systems can be tested for these vulnerabilities and what can be done in firmware implementations to mitigate them. Additionally, the presentation will also discuss how S3 resume affects security of the system and problems with S3 resume boot script in some BIOS implementations recently discovered and presented at 31C3.

http://www.intelsecurity.com/advanced-threat-research/content/ANewClassOfVulnInSMIHandlers_csw2015.pdf

More Information:
http://www.intelsecurity.com/advanced-threat-research/index.html
and
http://c7zero.info/home.html#research

Intel analysis of Hacking Team UEFI malware

July 15, 2015February 16, 2017 ~ hucktech ~ Leave a comment

[[
UPDATE: IntelSecurity.com web site has changed, the ATR blog URL is broken. Updated URL:
http://www.intelsecurity.com/advanced-threat-research/ht_uefi_rootkit.html_7142015.html
]]

A quick follow-up to the Hacking Team UEFI malware story. There’s been a lot of mainstream coverage on this news. I just found out about this blog entry by the Intel Advanced Threat Research (ATR) team:

http://www.intelsecurity.com/advanced-threat-research/blog.html

It’s analysis of the malware is excellent, and worth reading. Unlike other news stories on Hacking Team, this blog shows you how to check if your system is infected. They used CHIPSEC[1] and UEFItool[2] to analyse this malware, two excellent tools for UEFI forensic analysis. Study this Intel blog post for a very topical example of how to use CHIPSEC to protect your system from bootkits.

[1] https://firmwaresecurity.com/2015/06/10/chipsec-v1-2-0-released/
https://github.com/chipsec/chipsec
[2] https://firmwaresecurity.com/2015/05/25/tool-mini-review-uefitool/
https://github.com/LongSoft/UEFITool

Hacking Tool should remind people that they don’t have a clue what modules are burned into their firmware. Many firmware solutions target enterprise sales, so they’re happy to have phone-home style technology in their systems, to track their assets. Malware authors can take advantage of these remote control features, like Hacking Team is doing. Windows OEMs generally screw up Windows with various bloatware; unlike with OS software, you cannot undo firmware bloatware, the OEM won’t permit you to rebuilt the firmware image (unless you have a Tunnel Mountain or MinnowBoard), and the OEM doesn’t provide standalone UEFI drivers/services so that you could rebuilt your firmware from coreboot.org and/or tianocore.org plus the delta of blobs (OEM/IHV drivers). Then, we could focus on reliability of the open source codebase and the handful of closed-source firmware drivers, instead of relying on the IBV/OEM to give us black-box fimware updates when they feel like it. OEMs: give us better firmware options!