UEFI workshops at BSidesPDX!

Exciting: there are two workshops at BSidesPDX in Portland, Oregon next month:

Detecting Evil Maid Firmware Attacks

UEFI and CHIPSEC development for Security Researchers

PS: If you’re in town, there’s also the Portland Retro Gaming Expo, starting a few days earlier:

Alex keynoting at CARO’18, Portland in May!

Closing Keynote: Betraying the BIOS: Where are the limits of AV for modern UEFI Firmware?
Alex Matrosov

For UEFI firmware, the barbarians are at the gate — and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants — by HackingTeam and state-sponsored actors alike — hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS? In this presentation, I’ll explain UEFI security from the competing perspectives of attacker and defender. I’ll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering.





May in Portland: Teardown: new hardware conference by CrowdSupply

[…] You can think of Teardown as live-action Crowd Supply, but with fewer cardboard boxes and packing peanuts. We’ll be bringing together hardware aficionados from around the world to celebrate, inspect, create, and, of course, tear down hardware. There will be long-time Crowd Supply creators and backers, as well as people we’re meeting for the first time. There will be hardware, art, food, drink, puzzles, workshops, tutorials, talks, music, field trips, and friends. Most of all, there will be ideas and projects to explore and inspire.[…]


Alexander on U-Boot+UEFI+GRUB on ARM

Here’s one interesting presentation for the upcoming OpenIoT and Embedded Linux Conference:

Marrying U-Boot, uEFI and grub2 – Alexander Graf, SUSE

Booting is hard. Booting in the ARM world is even harder. State of the art are a dozen different boot loaders that may or may not deserve that name. Each gets configured differently and each has its own pros and cons. As a distribution this is a nightmare. Configuring each and every one of them complicates code that really should be very simple. To solve the problem, we can just add another layer of abstraction (grub2) on top of another layer of abstraction (uEFI) on top of another layer of abstraction (u-boot). Follow me on a journey on how all those layers can make life easier for the distribution and how much fun uEFI really is. After this talk, you will know how ARM systems boot, what uEFI really means, how uEFI binaries interact with firmware and how this enables convergence of the Enterprise and Embedded markets.

Alexander Graf, KVM Wizard, SUSE
Alexander started working for SUSE about 8 years ago. Since then he worked on fancy things like SUSE Studio, QEMU, KVM and openSUSE on ARM. Whenever something really useful comes to his mind, he tends to implement it. Among others he did Mac OS X virtualization using KVM, nested SVM, KVM on PowerPC and a lot of work in QEMU for openSUSE on ARM. He is the upstream maintainer of KVM for PowerPC, QEMU for PowerPC and QEMU for S390x.




My slides from BsidesPDX’16

I gave a brief presentation at Security BSides Portland (BsidesPDX) a few days ago. The title was “Firmware Tools for Security Researchers”. Since it was only a 20-minute time slot, I only had time to cover a few tools, and didn’t get a chance to mention other noteworthy tools. Sorry for the delay in uploading; I returned from the conference to a bit of post-storm damage at home. A PDF of the slides is here:


I’ve promised an ‘awesome-firmware-security’ set of links for a while. These slides are part of that effort, and I will have a draft of it, with many more tools, in about 2 weeks.

I met a few people from the CHIPSEC team at BsidesPDX, which was an honor. I also got a few interesting questions from some smart attendees, and will be doing a few new blog posts on the things I learned at the event.

Open Hardware Summit 2016 date announced

The date/location for the 2016 Open Hardware Summit has been announced:

October 7, 2016

Portland, Oregon

Here’s their definition of Open Source Hardware:


Drew has a new blog post on why OSH matters:


I wonder why (OSHWA, Linux Foundation, FreeBSD Foundation, Free Software Foundation) aren’t involved with local communities like Hackster, focusing on the OSH subset of hardware (and the FSF definition of Free Hardware), and working on crowdfunding of new devices with these projects, perhaps as Open Compute Projects, not just random ‘blinky lights’ artsy ‘open hardware’. Maybe the entrepreneurs that run Hackster should get involved, projects for them, and may be able to help with this cat herding problem with their platform, perhaps in conjunction with CrowdSupply…


B-Sides Portland schedule announced

Workshop highlights:


Hands-on JTAG for fun and root shells
JTAG may be almost 30 years old with little change, but that doesn’t mean most people really understand what it does and how. This workshop will start with a brief introduction to what JTAG really is, then quickly dive into some hands-on practice with finding, wiring, and finally exploiting a system via JTAG.
For this workshop, we’ll target a Raspberry Pi with an ARM microprocessor. In order to interact with the system, we’ll use a JTAG interface cable from FTDI. We won’t do any hardware modifications, but we will hook up wires in weird and wonderful ways to make the Raspberry Pi do things it otherwise shouldn’t.

Presentation highlights:


Jtagsploitation: JTAG to Root, 5 Ways
JTAG comes up in nearly every hardware-related hack. In order to do anything via JTAG, you generally need a hardware debugging device that connects to anything from a standard header to undocumented test points scattered around a device. JTAG access is almost always ‘game over’ but it’s not always clear how to turn that hardware access into privileged software access on the system.
This talk will enumerate a number of different ways to turn a ‘check’ for jtag access into the ‘checkmate’ of root shell access. Each example will demonstrate a unique method for getting root access via JTAG. Each method is also general enough to be broadly applicable across different hardware architectures and implementations. Example code and scripts will be released at the talk.

Scared Poopless – LTE and *your* laptop
With today’s advancement in connectivity and internet access using 3G and LTE modems it seems we all can have a device that’s always internet capable, including our laptops, tablets, 2 in 1’s ultrabook. It becomes easier to be online without using your WiFi at all. In our talk we will demonstrate and discuss the exploitation of an internal LTE modem from Huawei which can be found in a number of devices including laptops by HP.

NSA Playset: Bridging the Airgap without Radios
The NSA ANT catalog contains a number of hardware implants that enable communication, command and control, and data exfiltration over alternate channels that would not typically be monitored. The listed tools fall short when it comes to exfiltrating data from particularly secure or heavily monitored, or radio hostile locations.
This talk introduces a new addition to the NSA Playset. BLINKERCOUGH is inspired by some of the capabilities described in the ANT catalog and expands upon the features of CHUCKWAGON in a number of ways. BLINKERCOUGH is implanted inside an unremarkable cable and communicates optically to jump air gaps, escape faraday cages, and communicate out-of-band with zero radio footprint. This talk will outline the development of the hardware, present several use cases, and demonstrate its use to escape a faraday cage.