Wednesday, December 9, 2020

2021 is saying, "Hold my beer!"

I have been warning for quite a while that firmware, particularly UEFI, is the next malware battleground. It is heating up, and everyone needs to start paying attention.

Consider these items:

• One of the ransomware crews is starting to try to examine, and maybe modify, UEFI.

• Just to highlight how powerful UEFI is, someone has ported Doom to UEFI. This is pretty awesome, especially if you are a Doom fan, but it sure shows something about UEFI.

• The Hacking Team UEFI rootkit seems to have resurfaced from a nation/state team.

As well as those little items: having analyzed about 3,000 firmware blobs, here are some of our key findings.

• UEFI firmware contains between 200 and about 1,000 compiled C programs in Windows executable format, a format well understood by attackers and defenders alike.

• Approximately half the executables have signing certificates that are expired. It turns out that certificates are only checked at flash time, so if something can get write access to the firmware, it can infect or replace whatever it likes.

• Nation-state actors have already managed some penetration, with attacks such as ShadowHammer and LoJax.

• About seven manufacturers ship firmware programs that are roughly functionally equivalent to the Lenovo rootkit from 2015. They are just not as noisy, so they haven't been noticed.

• Out of a random sample of about 1,500 blobs, 581 had remote-update capability over HTTP or FTP, 117 had email capability, 1,287 had some password-reset capability, and 260 contained the word 'backdoor'.

• UEFI has its own network stack and can download programs, and whole operating systems, from the Internet over HTTP or FTP; some firmware can also send email using the SMTP EHLO greeting.
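The findings above are the kind of inventory a defender can reproduce on their own firmware images. The following is an added example (not code from the post or its authors) of a small, standard-library-only triage scanner: it walks an already-unpacked firmware blob for embedded PE/COFF executables, records whether each one carries an Authenticode security-directory entry (a signature blob is present; whether it is valid or expired is not checked here, since that needs ASN.1 parsing of the PKCS#7 data), and counts the capability keywords the post mentions. The sample blob, its two minimal PE32+ headers and the keyword list are all constructed for the demo; real images usually compress their firmware-volume sections, so run a volume parser such as UEFITool first and scan the extracted sections.

```python
"""Triage an unpacked UEFI firmware blob: inventory embedded PE/COFF executables,
note whether each has an Authenticode signature entry, and count capability
keywords. Added example, standard library only; the sample blob is constructed."""
import re
import struct
from dataclasses import dataclass

# Constructed keyword list, modelled on the post's findings: remote update over
# HTTP/FTP, email (SMTP EHLO), password reset, and the literal word 'backdoor'.
KEYWORDS = (b"http://", b"ftp://", b"EHLO", b"password", b"backdoor")

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode data directory


@dataclass
class PeEntry:
    offset: int             # file offset of the MZ header inside the blob
    machine: int            # IMAGE_FILE_MACHINE_* value from the COFF header
    num_sections: int
    has_security_dir: bool  # a signature blob exists; validity/expiry NOT checked


def _parse_pe_at(blob: bytes, mz_off: int):
    """Return a PeEntry if a plausible PE header starts at mz_off, else None."""
    if mz_off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if e_lfanew > 0x1000 or pe_off + 24 > len(blob) or blob[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine, num_sections = struct.unpack_from("<HH", blob, pe_off + 4)
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    opt_off = pe_off + 24
    if opt_off + 2 > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt_off)[0]
    # NumberOfRvaAndSizes and the data-directory array sit at different offsets
    # in PE32 (0x10B) and PE32+ (0x20B) optional headers.
    if magic == 0x10B:
        nrva_off, dd_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:
        nrva_off, dd_off = opt_off + 108, opt_off + 112
    else:
        return None
    has_sec = False
    sec_off = dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if sec_off + 8 <= min(len(blob), opt_off + opt_size):
        if struct.unpack_from("<I", blob, nrva_off)[0] > IMAGE_DIRECTORY_ENTRY_SECURITY:
            sec_rva, sec_size = struct.unpack_from("<II", blob, sec_off)
            has_sec = sec_rva != 0 and sec_size != 0
    return PeEntry(mz_off, machine, num_sections, has_sec)


def scan_blob(blob: bytes):
    """Find every PE image reachable from an 'MZ' marker; count keywords case-insensitively."""
    entries = [e for m in re.finditer(b"MZ", blob) if (e := _parse_pe_at(blob, m.start()))]
    lowered = blob.lower()
    hits = {k.decode(): lowered.count(k.lower()) for k in KEYWORDS}
    return entries, hits


def summarize(blob: bytes) -> dict:
    entries, hits = scan_blob(blob)
    return {
        "executables": len(entries),
        "without_signature_entry": sum(1 for e in entries if not e.has_security_dir),
        "keyword_hits": hits,
    }


def build_fake_pe(signed: bool, machine: int = 0x8664) -> bytes:
    """Constructed, minimal PE32+ header with no sections (demo data only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> "PE\0\0"
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x0002)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    if signed:  # non-zero security directory (rva, size): a signature blob is claimed
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x400, 0x800)
    return bytes(dos) + coff + bytes(opt)


# Constructed blob: erased-flash padding, one "signed" and one unsigned image,
# plus strings resembling the capability markers from the post.
SAMPLE_BLOB = (
    b"\xff" * 64
    + build_fake_pe(signed=True)
    + b"\xff" * 16
    + b"http://update.example.invalid/fw.bin\0"
    + build_fake_pe(signed=False)
    + b"EHLO relay.example.invalid\0"
    + b"BackDoor\0"
    + b"\xff" * 32
)

if __name__ == "__main__":
    for e in scan_blob(SAMPLE_BLOB)[0]:
        print(f"PE @0x{e.offset:x} machine=0x{e.machine:x} signature_entry={e.has_security_dir}")
    print(summarize(SAMPLE_BLOB))
```

On the constructed blob this reports two executables, one of them with no signature entry, and one hit each for `http://`, `EHLO` and `backdoor`. Keyword counts are a coarse triage signal, not proof of capability; treat them as a list of images to pull apart next, and pair the signature-entry flag with a real Authenticode verifier before drawing conclusions about what is or is not signed.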

Now, I'm not saying that UEFI is bad. It's the opposite... it's great! It is, however, immensely powerful, and one of the truths of computer security is that functionality (or power) and security tend to exist in an inverse relationship. In other words, the more powerful something is, the less secure it tends to be.

It is clear that our adversaries, from ransomware gangs, to nation/state teams, are attacking the firmware, and it is heating up. Everyone needs to start paying attention. It doesn't matter if your stuff is all in the cloud, because if something bad gets in the firmware, it will be able to find your cloud credentials, and your blockchain private keys, and ... whatever it wants.

Everyone is waiting for 2020 to end, but I reckon 2021 is saying, "Hold my beer, and watch this!"
