Twitter, and Hacking Team

This blog isn’t attempting to cover ALL firmware news issues. I presume you’re reading about elsewhere, and don’t need this blog to tell you about. Especially stories that make it ‘mainstream’, like the recent Apple EFI vulnerability, or the recent Hacking Team’s use of UEFI in their malware.

In general, I go online and try to see what is new with firmware news only once a day, and miss some days. I don’t use Twitter as much as many, so I’m naturally behind-the-times of fresh news. To track UEFI issues with Twitter, here are a few URLs to start with:

https://twitter.com/legbacore/
https://twitter.com/intel_uefi

For example the Hacking Team’s use of UEFI. Twitter is a good place for this kind of news:

And a few security researchers are starting to dig deeper with research about the malware, such as:
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/

Apple EFI vulnerabilities: CVE-2015-3693 and CVE-2015-3692

From the security-announce@lists.apple.com announce list, Apple has an EFI update for multiple systems, available from the App Store. Two CVEs are listed:

APPLE-SA-2015-06-30-3 Mac EFI Security Update 2015-001

Mac EFI Security Update 2015-001 is now available and addresses the following:

EFI
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  A malicious application with root privileges may be able to modify EFI flash memory
Description:  An insufficient locking issue existed with EFI flash when resuming from sleep states. This issue was addressed through improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma Investments, Xeno Kovah and Corey Kallenberg of LegbaCore LLC, Pedro Vilaca

EFI
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  A malicious application may induce memory corruption to escalate privileges
Description:  A disturbance error, also known as Rowhammer, exists with some DDR3 RAM that could have led to memory corruption. This issue was mitigated by increasing memory refresh rates.
CVE-ID
CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working from original research by Yoongu Kim et al (2014)

More Information:
https://support.apple.com/en-us/HT204934
https://lists.apple.com/mailman/options/security-announce/

LegaCore releases new research

Yesterday LegbaCore updated their website to include some more research:

“Added the How Many Million BIOSes Would you Like to Infect whitepaper to our Research page. This document contains more discussion than was provided in the conference talks of what could be done by live OSes like Tails or LPS to be more secure against firmware threats.”

More information:
http://www.legbacore.com/Research.html
http://www.legbacore.com/News.html

LegbaCore Summer Tour announced

LegbaCore, one of the main BIOS security research firms around, has updated their web site to include calendar information about their upcoming presentations and training for the Summer and early Fall.

They will be at HITB Singaport giving BIOS training in October. They’ll be speaking at BlackHat/DEFCON on Mac firmware attacks. They’ll be giving “Understanding x86-64 Assembly for Reverse Engineering and Exploits” training at BlackHat USA. They’ll be talking at SummerCon, entitled “How Many Million BIOSes Would You Like to Infect?”. “This talk will detail the result of our 1 month effort to infect the BIOS of every business class system we could get our hands on.”

They’ve also updated their Training resources. They now have *SIX* full days of BIOS/UEFI training!

More Information:

http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/
https://www.blackhat.com/us-15/training/understanding-x86-64-assembly-for-reverse-engineering-and-exploits.html
http://www.legbacore.com/News.html

http://www.legbacore.com/Training.html
http://www.summercon.org/presentations.html#bioses

MITRE Copernicus

So far, in this new blog, I’ve been mostly focusing on open source tools and open source operating systems, so I’ve not focused on MITRE’s Windows-centric non-open source tool, Copernicus[1]. But the tool is extremely powerful, and deserves more attention.

“Copernicus is the first tool to provide BIOS configuration management and integrity checking capabilities throughout an enterprise. The tool is implemented as a kernel driver that creates a file containing the BIOS dump and a file containing the raw configuration information. When deployed in enterprise environments, scripts can send the raw BIOS dump and configuration information to a server for post-processing. This processing can indicate whether a given BIOS differs from an expected baseline, and it can also indicate whether the BIOS or the computer’s System Management RAM (where some code loaded by BIOS continues running after boot).”

An excerpt from a G+ post in 2013 from Dragos Ruiu on Copernicus:

“IMHO Copernicus BIOS verification tool, is one of the most important new security tools in recent history. We’ve already found some persistent BIOS malware that survives re-flashing with it.”

I wish it were available for Linux, not just for Windows, so I could use it! And I wish it were open source (alas, all security tools are not): trusting any native kernel driver on your system, or especially to deploy to all systems in you enterprise, whether it is natively installed or from another boot media, has issues. I hope licensees from MITRE have the option to review the code and compile it themselves.

[Intel’s CHIPSEC also has some similar features. When run as an OS-present tool — instead of a live-boot or UEFI Shell booted — CHIPSEC also includes a native driver on Windows, and on Linux. With CHIPSEC, the kernel driver sources are provided.]

If you have Windows-based enterprise, you should investigate out Copernicus.

Windows-centric code aside, Copernicus distribution includes bios_diff.py, which works on Linux. This is a wonderful tool[2].

Even if you don’t care about Windows, you should study the Copernicus research, is it amazing.

Two of the creators of Copernicus have left MITRE and have started LegbaCore. Their last talk on using Copernicus at RSA conference last month[3] was excellent, talking about using Copernicus usage in enterprises.

More Information:

[1]http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
http://www.mitre.org/publications/technical-papers/copernicus-2-senter-the-dragon
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/playing-hide-and-seek-with-bios-implants
http://www.mitre.org/research/technology-transfer/technology-licensing/copernicus
[2]https://firmwaresecurity.com/2015/05/21/tool-mini-review-bios_diff-py/
[3]https://firmwaresecurity.com/2015/05/19/legbacore-releases-new-firmware-research-at-rsa-conference/

LegbaCore releases new firmware research at RSA Conference

LegbaCore gave a firmware security talk at last month’s RSA Security Conference. The presentation materials and some video, are online.

LegbaCore, along with Invisible Things Lab are IMO the top two firmware security firmws, so when they release substantial new research like this, everyone should pay attention.

(If you attended my LinuxFestNorthWest talk last month on firmware security tools, the advise the LegbaCore covers in this presentation is much more detailed than what I covered.)

This is probably the best advise available to date for enterprises to protect themselves from bootkits. More up-to-date than the NIST SP guidelines or any other best practices that I know of. Everyone involved with protecting enterprise systems needs to study this carefully.

Title: Are You Giving Firmware Attackers a Free Pass?
Synopsis: Yes. Yes you are. Because you’re not patching away the vulnerabilities we and others have found and disclosed, and you’re not inspecting whether anyone has infected your firmware. This talk provides an introduction to firmware threats & capabilities. But because it is longer than previous talks like “Betting BIOS Bugs Won’t Bite Y’er Butt?”, a special emphasis is placed on including actions organizations can take immediately to mitigating firmware vulnerabilities and infections, above and beyond patching.

More Information:

http://www.legbacore.com/Research.html