Industry Research and News:
Huge Survey of Firmware Finds No Security Gains in 15 Years
In the first longitudinal study of IoT software safety, the Cyber Independent Testing Lab (CITL) analyzed more than 6,000 firmware versions from 18 vendors, totaling close to 3 million binaries created from 2003 to 2018. The results were not encouraging. Time and again, firmware from commonly used manufacturers failed to implement basic security features even when researchers studied the most recent versions of the firmware.
Microsoft Confirms New Windows CPU Attack Vulnerability, Advises All Users To Update Now
The SWAPGS instruction is used by operating systems to quickly switch between user-mode and kernel-mode per-CPU data structures at the beginning and end of system calls and interrupt handlers. Under certain conditions, speculative execution of SWAPGS in kernel-mode will cause a user-provided address to be used by subsequent instructions, leaking private kernel-mode information to user-mode. This provides a building block allowing speculative execution of SWAPGS to be used as another Spectre variant.
Security Bugs in Popular Cisco Switch Brand Allow Hackers to Take Over Devices
Cisco has patched three dangerous bugs in one of its most popular products, the Cisco Small Business 220 Series of smart switches. The most dangerous of the three allows attackers to run malicious code with root privileges, effectively allowing attackers to take over devices with a simple HTTP or HTTPS request aimed at unpatched switches.
Official Cybersecurity Review Finds U.S. Military Buying High-Risk Chinese Tech
A new report issued by the U.S. military's Inspector General has highlighted the "micro-purchases" of everyday IT equipment as a serious risk.
Security Research and Advisories
Black Hat Roundup
Come Join the CAFSA - Continuous Automated Firmware Security Analysis
Firmware development practices lead to security issues being reintroduced or the wrong binary shipped. Cruise Automation introduces a tool for firmware security QA.
Behind the Scenes of Intel Security and Manageability Engine
Intel researchers describe the company’s Converged Security and Manageability Engine, and the actions Intel is taking to mitigate firmware security challenges.
PicoDMA: DMA Attacks at Your Fingertips
PicoDMA is a refinement of PCILeech. Seeing a proof of concept wireless DMA attack highlights the need to look for odd PCI devices in systems.
Bypassing the Maginot Line: Remotely Exploit the Hardware Decoder on Smartphone
Tencent Blade researchers demonstrate that hardening at the OS and device driver layers can be subverted by bugs in the hardware decoder's firmware.
Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller
NVIDIA and Airbus research highlights that embedded controllers (used in nearly all laptops) are often overlooked as a threat vector.
Inside the Apple T2
T2 takes a novel approach to first-instruction integrity. By combining an EC and an NVMe controller, Apple can securely store signed EFI images on encrypted storage and boot the host from a virtual SPI flash. Since the EFI flash is virtual, EFI persistence is mitigated: T2 can replace the firmware with a known-good, signed copy.
Everybody be Cool, This is a Robbery!
Fascinating research from Ledger. HSMs are supposed to be highly secure modules that hold critical secrets, yet the standards that evaluate HSMs focus on physical attacks, leaving them wide open to firmware attacks.
Breaking Samsung's ARM Trustzone
Quarkslab shows that TrustZone can potentially introduce a single point of failure that allows compromise of the entire system, and details the vulnerabilities they were able to exploit.
DEF CON Roundup
EDR Is Coming; Hide Yo SH!t
By abusing early boot mechanisms and UEFI platform firmware, red team attackers were able to evade common detection and EDR, leaving it unable to see their malicious activities. They put a new twist on old code injection techniques and maintain persistence in UEFI firmware, making an effective invisibility cloak.
These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer
It looks like an Apple Lightning cable. It works like an Apple Lightning cable. But it will give an attacker a way to remotely tap into your computer.
QualPwn Bugs In Snapdragon SoC Can Attack Android Over the Air
Security researchers from Tencent's Blade team found two serious vulnerabilities in Qualcomm's Snapdragon system-on-a-chip (SoC) WLAN firmware that could be leveraged to compromise the modem and the Android kernel over the air.
Additional Reading ...