So, anyway, recently our colleagues at Eset published a paper that showed that a number of manufacturers had firmware modules with the word "AsusBackDoor" as part of the filename.
Armed with that very helpful name, we found some samples pretty quickly, and while the name was a bit alarming, it seems to be a legitimate function for resetting lost firmware passwords, so all is fine and well.
This, however, led us to wonder how many other modules might exist, with similar functionality, but without the helpful name portion, and guess what? There are quite a few. We seem to have identified at least five manufacturers with similar modules.
Again, they are probably all legit, but it does make one wonder.
We did find one sample with the word "infected" in it, but that _seems_ to be an experiment, from someone who is maybe a hobbyist.
The marines (I think) came up with the idea of getting Left Of Bang. ("Bang" roughly refers to some incident such as an IED exploding. Right of Bang refers to responding after the event. Left of Bang refers to preventing the Bang in the first place, which is clearly the desired action.)
All corporates, government bodies and utilities need to start auditing their firmware before the Bang.
If you would like some help, please let us know. You can contact us at roger AT armor.ai
Security and functionality have always existed in an inverse relationship, and modern firmware (UEFI) is immensely functional.
We will continue to look for similar backdoor functionality. Stay tuned.
Tuesday, December 17, 2019
Wednesday, October 23, 2019
Check your firmware, folks.
So, anyway, a few days ago, I noticed a tweet about a Dell Optiplex 7070 BIOS upgrade that announced an enhancement of "Added BiosConnect feature which enables connection to Dell.com without an operating system. This feature also enables downloading a recovery image from the cloud through wired or wireless connection."
I thought that sounded interesting, so I decided to take a look, and sure enough, I quickly found the BiosConnect stuff, but then I found that Computrace had also been added.
Now, Computrace is a good, and helpful program, and if your computer is ever lost, or stolen, you'll be glad you have it, and the ability to download a recovery image to a computer with a broken OS is also useful, but ... one of the truths about computer security is that functionality and security tend to exist in an inverse relationship. In other words, the more functional, or powerful, you make something the less secure it tends to be, and we may be confident that the Bad Guys (tm) will always try to take advantage of such features.
Not only that, but some organizations don't want that sort of functionality in their computers... just in case.
The other interesting thing here is that the previous version of this firmware was 8 MB long, and had about 320 exes in it, and the new version is 16 MB, and has about 575 exes, so one wonders what other functionality has been added. We're still looking at that.
Again, I'm not saying that Dell or Computrace did anything bad. They just added a lot of functionality.
One of the big problems with firmware security is that most people don't flash their firmware because, (1) they don't know that there's a new version available (unlike monthly OS patches which is a well understood, albeit sometimes problematic, mechanism), and (2) they don't know how to flash their firmware. As an example of that, about every two weeks, we get a fresh upload of the supposedly extinct-since-2016 so-called Lenovo rootkit.
Obviously, you have to patch your firmware, because there will be bugs and vulnerabilities that need fixing, but this shows that you also need to examine what new things are coming in.
We have been conducting audits of "before and after" firmware for some of our customers, and it is proving instructive.
More to follow.
Stay tuned.
Thursday, August 15, 2019
Uh... why does firmware need to send EHLO?
So, anyway, a little while ago, we stumbled across a program in firmware that seems to be sending an EHLO. The program in question also seems to have a UID and PW in plaintext.
It also _seems_ to have the capability of starting a TLS connection.
Now, I’m not saying the vendor is doing anything wrong, but it is just a bit of a surprise to find.
Also, it is not yet clear if communications are hidden from the OS, but they could easily be.
The program in question is about 27k in length, of compiled C, so it takes some time to study. Analysis continues.
Oh, but this caused us to look for other examples of EHLO in firmware, and, lo and behold, we found another vendor, who seems to have that capability. This particular program is over 600k, so will take a little while to analyze properly.
Again, I’m not suggesting that they are doing anything malicious. It’s just a surprise, and it makes one wonder what else might be found. There do seem to be other firmware programs that are capable of starting TLS. Oh, and it also makes us wonder if it is exploitable.
Watch this space.
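As an added example, not the authors' own tooling, here is the shape of the "before and after" module audit described in the Dell post, combined with the string triage that turned up the EHLO module: it diffs two sets of extracted firmware modules by hash and flags new or changed modules that contain network-protocol strings for manual review. The module names, contents and indicator list are constructed for illustration; a real audit would load modules extracted from the two firmware images with a UEFI parsing tool.

```python
import hashlib

# Constructed sample firmware images: module name -> module bytes.
# These are made up; real modules come from a UEFI extraction tool.
OLD_FW = {
    "PlatformSetup.efi": b"\x4d\x5a" + b"setup strings only" + b"\x00" * 32,
    "NetworkStack.efi":  b"\x4d\x5a" + b"DHCP client v1" + b"\x00" * 32,
}
NEW_FW = {
    "PlatformSetup.efi": OLD_FW["PlatformSetup.efi"],                                 # unchanged
    "NetworkStack.efi":  b"\x4d\x5a" + b"DHCP client v2" + b"\x00" * 32,              # changed
    "BiosConnect.efi":   b"\x4d\x5a" + b"https://example.invalid/recovery" + b"\x00" * 8,       # new
    "MailAgent.efi":     b"\x4d\x5a" + b"EHLO firmware\r\nAUTH LOGIN\r\nSTARTTLS\r\n" + b"\x00" * 8,  # new
}

# Strings whose presence in a boot-time module deserves a second look (constructed list).
INDICATORS = [b"EHLO", b"STARTTLS", b"AUTH LOGIN", b"https://", b"http://"]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_modules(old, new):
    """Return the modules added, removed and changed between two firmware images."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if sha256(old[n]) != sha256(new[n]))
    return {"added": added, "removed": removed, "changed": changed}

def scan_strings(modules, names):
    """Map each named module to the indicator strings found inside it."""
    hits = {}
    for n in names:
        found = [i.decode() for i in INDICATORS if i in modules[n]]
        if found:
            hits[n] = found
    return hits

def audit(old, new):
    """Before/after audit: what is new or changed, and which of those need a human look."""
    report = diff_modules(old, new)
    report["review"] = scan_strings(new, report["added"] + report["changed"])
    return report

if __name__ == "__main__":
    for key, val in audit(OLD_FW, NEW_FW).items():
        print(f"{key}: {val}")
```

Only modules that are new or changed since the previous firmware are scanned, which keeps the review list short even when the image doubles in size.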
Wednesday, July 31, 2019
Uh ... secure boot might be trying to tell you something.
So, anyway, today this popped up on my google alerts...
Apparently, some people see a message that says "Secure boot violation. The system found unauthorized changes on the firmware, operating system or UEFI drivers.", and the article suggests that the answer is to (1) Turn off secure boot, and (2) Use a system restore point.
The article explains how to do those steps, and the upside is that turning off secure boot will stop you seeing the message, but the downside is that Secure Boot might be trying to tell you something. ;-)
The danger here is that malware is increasingly targeting firmware.
And, I might be wrong, but I don't think that using a system restore point will restore firmware.
If you do see such a message, you are better off to seek very professional help.
Just sayin'
Wednesday, July 3, 2019
Ok, that's kind of creepy, FaceBook
So, anyway, for some reason today, pictures on FaceBook are not rendering. In the overall scheme of things, this is neither here, nor there, and I'm sure it will soon be corrected.
But...
In place of pictures, I see things like this "image may contain three people, including xxxxxxxxx"
It seems highly unlikely that a human sat there, and added all these "may contain" messages, so therefore, some AI did.
That probably means that all pictures uploaded to FaceBook have had similar AI estimations applied to them.
On one hand, it's innocent, but on the other hand (the suspicious, cynical hand), one wonders how this might play out long term, especially in places like China.
Sigh. Privacy Revolution again, folks.
Thursday, June 6, 2019
Firmware dumper
Hi all,
We've made our Win10x64 firmware dumper available for download here, if anyone wants to give it a try. It's much easier than turning off secure boot, and booting off a thumb drive. It's probably not perfect, but it seems pretty good. If you get a firmware dump, you are also welcome to upload it to us at the same URL, for analysis.
Saturday, January 26, 2019
Privacy revolution again
So, anyway, I won’t mention Sandra’s name, but a friend of mine, who used to be a security geek, but is now a goat farmer, pinged me with a scary story yesterday.
She got a robo call from PayPal, advertising something, which might be a bit annoying, but that’s not scary.
As you generally do, with an unrecognized number, she let it go to voice mail, and the message asked her to call back a different number. Nothing entirely amazing there.
But here’s the scary bit. The spoofed number pretended to be from a really small town in PA that she had only ever been to once before... and that was _earlier that day_.
Amazing coincidence, right?
Problem is, those of us in the security biz don’t tend to like coincidences, so the alternative is that something was tracking her.
She checked her settings for PayPal, but it showed that it only tracked her while using the app, and as far as she knew, she was not using the app.
So now we are left to wonder ... is something else selling its tracking data?
At this point, we simply don’t know, but there are certainly lots of apps (it is an iPhone) that are capable of tracking you all the time.
It’s either an amazing coincidence, or the Privacy Revolution in action.