Friday, September 14, 2018

50% of firmware certs are expired?

So, anyway, I grabbed a bunch of firmware blobs (there were 99, to be precise) that I happened to have on this laptop, in order to look for more rootkit-like thingies, but I found some other bits that I found even more thought provoking, and I got sidetracked. I do have A.D.D. Oh look! A squirrel... (That's a joke, btw)

The first TPT (thought provoking thing) was that 38 of the 99 had certificates in them that said either "Do not trust - xxx Test PK", or "DO NOT TRUST - Lost Certificate", or "DO NOT SHIP - some_company Test KEK". That's about a third, and feels rather high.

It may be that the uploads that we are getting are not completely representative of what the Real World looks like. They might be coming out of test labs or something like that, which is plausible, because you have to be a bit of a geek to extract firmware. The other, and scarier, option here is that it _is_ representative of the Real World, and one in three computers has a "Do not trust" certificate in it. I hope that is not true.

The second TPT was that my program counted a total of 1,377 certificates, and fully 631 of them were expired. That's nearly 50%, and again, seems rather high.

Again, it might be that we are getting non-Real World firmwares being uploaded, but the other option here is that people are not updating their firmware, which seems likely to me.

The third TPT was that 24 of the blobs had a release date of 2018, and still had 42 expired certs in them. That seems weird.

The fourth TPT was that 5 of the 24 blobs from 2018 had a "Do not trust" cert in them. That seems way weird.

I can think of no reasonable explanation for number three and number four, unless they are coming out of labs, but I suspect that the real explanation is that manufacturers are simply not paying attention because no one is calling them out.

It's also a bit of worry that nothing in the firmware chain of trust seems to care about the dodgy certs. This implies, to me, that they could be replaced by out and out APT-level malware, and nothing and no one would notice.

The plot thickens.

The main thing we need is more samples, so if anyone wants to help, instructions about how to dump your firmware are here.

Stay tuned.

No comments: