Wednesday, August 1, 2018

What's in your firmware, and why should you care?

Hi folks, Today, we have officially launched our new site, and product, armor.ai. This is a place where you can upload a firmware image, and get a report on what's in it.

For example, in my 2017 laptop, I have about 380 Windows PE format executables. This is what's known as the Unified Extensible Firmware Interface, or UEFI, for short. The idea is that this mechanism provides a much more flexible way for manufacturers to add new hardware, rather having to modify handwritten assembler, as with a traditional BIOS. This is Good Thing (tm), but they are compiled C code, and this, in turn, is a format well understood by attackers, and defenders, alike.

Fortunately, these programs are cryptographically signed, and are therefore immune to attack... unless...

(1) You can compromise the Root Of Trust. This is the first part of the chain, and is responsible for checking the crypto sig of everything else. This is really hard, and we don't _think_ anyone has done it yet, but we may be sure they are trying, or,

(2) A stolen certificate might be used to sign malicious code, or,

(3) Something malicious might be installed at the factory. It'd never happen, right? Except it already has, at least once, but that's another story.

Extracting a firmware image is mostly complicated, and is not an end-user play, but if you are a geek, and want to know what's in your firmware, there are a couple of ways to get the image.

On a Mac, running High Sierra, you can simply open a terminal, and type "sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --save -b out.bin", and then upload it to armor.ai.

Any machine running Windows 8 or higher, should be using UEFI, and, for Intel based machines, the best approach at this point, is to use Chipsec, and open source tool found here. This requires reading their manual, but is easy enough once you get the idea.

We will make easier mechanisms available as we build them.

Folks, this is tricky stuff, but we need to pay more attention to it, because anything running in the firmware has complete control over the rest of the computer, and probably cannot be seen by anything running at the operating system level. Anything in the firmware is potentially a rootkit.

As well as your own, or your business, computer, think about critical infrastructure devices, medical devices, automobiles, and all IoT devices. They all have firmware, and no one really knows what's in it.

We need to find out.