Intel Security launches Threat Landscape Dashboard

Big changes at Intel Security…

There are some changes at Intel Security, Texas Pacific Group (TPG), a private equity firm, has acquired them.

Their web site has been replaced with a single article:

September 7, 2016

Intel Security Stakeholders,

Today, Intel and TPG made an exciting announcement that I want to share with you directly.  We unveiled a strategic partnership with the goal of creating one of the largest independent, pure-play cybersecurity companies in the industry. To enable this partnership, we are creating a new corporate entity, to be named McAfee, of which Intel will continue to own 49% and TPG, a leading global alternative asset firm with substantial experience investing in best-in-class technology companies, will own 51%. We will have access to significant financial, operational, and technology resources, enabling us to realize our full potential as a standalone business.[…]

I think the CHIPSEC team works under Intel Security. I wonder where they work today?

Intel Security white paper on hardware/firmware threat predictions

McAfee Labs
2016 Threats Predictions
Intel Security: A five-year look ahead

Twenty-one thought leaders from Intel Security collaborated to produce this look ahead at how the cybersecurity marketplace and actors are likely to evolve. […]

There are two sections in the document that focus on hardware/fimware security, search for the “Security on Silicon” and “Hardware” sections. A few brief experts:

We currently see only miniscule amounts of malware that target hardware or firmware vulnerabilities, but that is going to change during the next five years. We expect to see many groups leveraging newly discovered techniques, sharing what they know as they try to build effective attacks. Much of this will trickle down, from advanced nation-state intelligence and defense agencies, through big organized crime syndicates, and into broader use. Hardware and firmware protections such as secure boot, trusted execution environments, tamper protection, cryptographic acceleration, active memory protection, and immutable device identity make it more difficult for these attacks to gain a foothold, as well as easier to detect and correct them.

System firmware-based attacks pose a critical risk when coupled with the cloud or with cloud service providers. In 2015, the Intel ATR team demonstrated how to gain access to adjacent virtual machines through multiple vectors, including firmware rootkits or simple misconfigurations. Threats similar to the S3 Boot Script attack can be adapted for in-the-wild attacks. In many cases, it is just a matter of exploiting simple misconfigurations in UEFI or BIOS.

Going forward, we must be hyperaware of the system components below the operation system and how those components can be exploited or leveraged for attack. Available controls for under the operating system attacks include tools like CHIPSEC, and technologies like Intel’s Kernel Guard Technology (iKGT) and Intel BIOS Guard.

I wish that last paragraph mentioned ITL’s Stateless Laptop as one of the solutions.

Hmm, Why are there only BIOS and UEFI attacks mentioned? Where are the coreboot and U-Boot attacks? Are all listed firmware attacks against legacy BIOS systems and UEFI systems, not coreboot or U-Boot attacks? Intel spends resources on both UEFI as well as coreboot, so it seems strange to only see UEFI mentioned in their security. U-Boot also supports Intel these days, apparently without Intel’s involvement. So I’d hope to see a bit of coverage of both coreboot and prehaps a bit of U-Boot.

Is this because firmware attacks are being focused on Windows systems, not Chrome systems, due to marketshare numbers or expertise of attackers/researchers? I recall seeing some news recently claiming that Chrome PCs now outnumber Windows PCs.

Maybe because CHIPSEC only only targets Intel x86/x64 BIOS/UEFI systems, not coreboot/U-Boot systems, or ChromeOS systems, or ARM/AMD/MIPS/Itanium/other architectures, and if CHIPSEC is the only modern firmware vulnerability analysis tool, then lack of tools keeps these other systems’ security profiles dark? Why is AMD not porting CHIPSEC to AMD64, as well as the other handful of x86-compatible vendors?

Why is ARM not porting CHIPSEC to AArch32, only AArch64, and what is status of port, it was mentioned months ago but no status on final port. Once CHIPSEC’s C/asm/Perl userland and C/asm kernel HAL are ported to new arch, and Intel-centric stuff is ifdef’ed out, CHIPSEC still needs new chip-centric security tests added, and I don’t see anyone from ARM/Linaro doing this, so their port will be a gutted empty CHISPEC, not useful without new tests. Where is the ARM report mentioning the lack of CHIPSEC is a huge issue to enterprises ability to protect ARM systems?

Maybe ChromeOS + coreboot’s Verified Boot results in more secure systems than UEFI? Windows systems are UEFI and optional closed-source IBV-based BIOS, if Legacy Mode present. Chrome systems are coreboot and open-source SeaBIOS-based BIOS.

I’m glad Intel provides this kind of white papers. I wish AMD and ARM and other architecture vendors would also offer similar reports. I really wish there was some research on this from a neutral vendor, not a not a chip vendor, so we could see balanced coverage of Intel, AMD, ARM, OpenPOWER, and other systems, and their firmware, covered, including peripheral security (PCIe, NVMe, Thunderbolt, USB, etc. Doesn’t NIST have a hardware/firmware group? I wish they generated a HW/FW periodic security report. It could have the perspective to scope discussion to include trusting closed-source blobs, resident -vs- nonresident firmware solutions and their attack vectors, comparison’s of silicon and firmware (eg, Verified -vs- Secure boot) solutions, and most importantly not just solutions from a single vendor.

Breaking Bad BIOS at Intel Security’s FOCUS conference

Intel Security has their annual FOCUS conference, in Las Vegas in a few weeks.

I may have missed others, but there is at least ONE interesting presentation at this event:

Breaking Bad BIOS — The Art of BIOS Attacks
Oleksandr Bazhaniuk, Security Researcher, Intel Security

Recent attacks against Basic Input/Output Systems (BIOSs) attracted attention due to their ability to enable stealthy and highly persistent malware capable of compromising software applications, operating systems, and hypervisors. Some can bypass secure OS boots, enable attacks on encrypted disks, and even allow additional malware installs.
 * Understand current BIOS attacks and attack surfaces
 * Understand platform level tools and mitigations
 * Observe an actual attack demo

Intel ATR on firmware security threats

Jim Walter, Director of Advanced Threat Research for Intel Security, with contributions from Yuriy Bulygin and John Loucaides, wrote a blog for Dark Reading that summarizes some recent firmware attacks.

Vulnerable From Below: Attacking Hypervisors Using Firmware And Hardware
Malicious attacks with firmware privileges can compromise an entire system, so it is especially important to apply measures to reduce the risks.

Read the full article here:




In DEF CON is happening shortly, or maybe it’s cancelled, I’m not sure. 🙂 Two talks immediately jump out:

ThunderStrike 2: Sith Strike

Trammel Hudson Vice President, Two Sigma Investments
Xeno Kovah Co-founder, LegbaCore, LLC
Corey Kallenberg Co-Founder, LegbaCore, LLC

The number of vulnerabilities in firmware disclosed as affecting Wintel PC vendors has been rising over the past few years. Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Mac’s are in fact vulnerable to many of the software only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.


Attacking Hypervisors Using Firmware and Hardware

Yuriy Bulygin Advanced Threat Research, Intel Security
Mikhail Gorobets Advanced Threat Research, Intel Security
Alexander Matrosov Advanced Threat Research, Intel Security
Oleksandr Bazhaniuk Advanced Threat Research, Intel Security
Andrew Furtak Security Researcher

In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines. We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

And that’s just the ‘tip of the iceberg, for talks… Teddy Reed (author of UEFI Firmware Parser) has a talk. Joe FitzPatrick (of has a talk. There’s a talk on hardware side-channel attacks, one on BadUSB-like security, one on hardware trust, on medical device security, and a few other firmware-related talks, around 31 hits to ‘firmware’ in the schedule! Amongst the Workshops, there are some fun ones, including: ARM for pentesters, and Embedded System Design. In the Villages, the Hardware Hacking Village and the IoT Village sound interesting.

More Information: