Wednesday, October 23, 2019

Check your firmware, folks.

So, anyway, a few days ago, I noticed a tweet about a Dell Optiplex 7070 bios upgrade that announced an enhancement of "Added BiosConnect feature which enables connection to Dell.com without an operating system. This feature also enables downloading a recovery image from the cloud through wired or wireless connection."

I thought that sounded interesting, so I decided to take a look, and sure enough, I quickly found the BiosConnect stuff, but then I found that Computrace had also been added.

Now, Computrace is a good, and helpful program, and if your computer is ever lost, or stolen, you'll be glad you have it, and the ability to download a recovery image to a computer with a broken OS is also useful, but ... one of the truths about computer security is that functionality and security tend to exist in an inverse relationship. In other words, the more functional, or powerful, you make something the less secure it tends to be, and we may be confident that the Bad Guys (tm) will always try to take advantage of such features.

Not only that, but some organizations don't want that sort of functionality in their computers... just in case.

The other interesting thing here is that the previous version of this firmware was 8mb long, and had about 320 exes in it, and the new version is 16mb, and has about 575 exes, so one wonders what other functionality has been added. We're still looking at that.

Again, I'm not saying that Dell or Computrace did anything bad. They just added a lot of functionality.

One of the big problems with firmware security is that most people don't flash their firmware because, (1) they don't know that there's a new version available (unlike monthly OS patches which is a well understood, albeit sometimes problematic, mechanism), and (2) they don't know how to flash their firmware. As an example of that, about every two weeks, we get a fresh upload of the supposedly extinct-since-2016 so-called Lenovo rootkit.

Obviously, you have to patch your firmware, because there will be bugs and vulnerabilities that need fixing, but this shows that you also need to examine what new things are coming in.

We have been conducting audits of "before and after" firmware for some of our customers, and it is proving instructive.

More to follow.

Stay tuned.

Thursday, August 15, 2019

Uh... why does firmware need to send EHLO?

So, anyway, a little while ago, we stumbled across a program in firmware that seems to be sending an EHLO. The program in question also seems to have a UID and PW in plaintext.

It also _seems_ to have the capability of starting a TLS connection.

Now, I’m not saying the vendor is doing anything wrong, but it is just a bit of a surprise to find.

Also, it is not yet clear if communications are hidden from the OS, but they could easily be.

The program in question is about 27k in length, of compiled C, so it takes some time to study. Analysis continues.

Oh, but this caused us to look for other examples of EHLO in firmware, and, lo and behold, we found another vendor, who seems to have that capability. This particular program is over 600k, so will take a little while to analyze properly.

Again, I’m not suggesting that they are doing anything malicious. It’s just a surprise, and it makes one wonder what else might be found. There do seem to be other firmware programs that are capable of starting TLS. Oh, and it also makes us wonder if it is exploitable.

Watch this space.

Wednesday, July 31, 2019

Uh ... secure boot might be trying to tell you something.

So, anyway, today this popped up on my google alerts...

Apparently, some people see a message that says "Secure boot violation. The system found unauthorized changes on the firmware, operating system or UEFI drivers.", and the article suggests that the answer is to (1) Turn off secure boot, and (2) Use a system restore point.

The article explains how to do those steps, and the upside is that turning off secure boot will stop you seeing the message, but the downside is that Secure Boot might be trying to tell you something. ;-)

The danger here is that malware is increasingly targeting firmware.

And, I might be wrong, but I don't think that using a system restore point will restore firmware.

If you do see such a message, you are better off to seek very professional help.

Just sayin'

Wednesday, July 3, 2019

Ok, that's kind of creepy, FaceBook

So, anyway, for some reason today, pictures on FaceBook are not rendering. In the overall scheme of things, this is neither here, nor there, and I'm sure it will soon be corrected.

But...

In place of pictures, I see things like this "image may contain three people, including xxxxxxxxx"



It seems highly unlikely that a human sat there, and added all these "may contain" messages, so therefore, some AI did.

That probably means that all pictures uploaded to FaceBook have had similar AI estimations applied to them.

One one hand, it's innocent, but on the other hand (the suspicious, cynical hand), one wonders how this might play out long term, especially in places like China.

Sigh. Privacy Revolution again, folks.

Thursday, June 6, 2019

Firmware dumper

Hi all,

We've made our Win10x64 firmware dumper available for download here, if anyone wants to give it a try. It's much easier than turning off secure boot, and booting off a thumb drive. It's probably not perfect, but it seems pretty good. If you get a firmware dump, you are also welcome to upload it to us at the same URL, for analysis.

Saturday, January 26, 2019

Privacy revolution again

So, anyway, I won’t mention Sandra’s name, but a friend of mine, who used to be a security geek, but is now a goat farmer, pinged me with a scary story yesterday.

She got a robo call from PayPal, advertising something, which might be a bit annoying, but that’s not scary.

As you generally do, with an unrecognized number, she let it go to voice mail, and the message asked her to call back a different number. Nothing entirely amazing there.

But here’s the scary bit. The spoofed number pretended to be from a really small town in PA, that she had only ever been to once before... and that was _earlier that day_

Amazing coincidence, right?

Problem is, those of us in the security biz don’t tend to like coincidences, so the alternative is that something was tracking her.

She checked her settings for PayPal, but it showed that it only tracked her while using the app, and as far as she knew, she was not using the app.

So now we are left to wonder ... is something else selling its tracking data?

At this point, we simply don’t know, but there are certainly lots of apps (it is an iPhone) that are capable of tracking you all the time.

It’s either an amazing coincidence, or the Privacy Revolution in action.

Wednesday, November 28, 2018

ASUS UEFI rootkit

Hi folks,

Late October, I noticed this article

The nub of the article is that the authors noticed that the ASUS z390 motherboard was able to access the Internet, without any Windows 10 network drivers, and was able to install extra software.

This is remarkably similar behavior to the Lenovo rootkit, from 2015.

Now, let me stress, that in neither case, do I think they were of malicious intent. They were clearly designed to allow the vendor to install updates as needed, but the problem is that, just like with the Lenovo rootkit, no one would have known it was there, if it hadn't tipped its hand, by doing something obvious, and the obvious question is now, "What _else_ is out there?"

We have now found five variants of the ASUS UEFI updater/rootkit software, none of which seem to be detected by anyone. Oh, and seven variants of the (hopefully extinct) Lenovo rootkit from 2015.

Analysis continues.

Stay tuned.

P.S. If anyone wants to help, I blogged about how to dump firmware here.