News

3649 Articles

UEFI-Hacked

Gigabytes The Dust With UEFI Vulnerabilities

April 4, 2017 by 46 Comments

At this year’s BlackHat Asia security conference, researchers from Cylance disclosed two potentially fatal flaws in the UEFI firmware of Gigabyte BRIX small computers which allow a would-be attacker unfettered low-level access to the computer.

Gigabyte has been working on a fix since the start of 2017. Gigabyte are preparing to release firmware updates as a matter of urgency to only one of the affected models — GB-BSi7H-6500 (firmware vF6), while leaving the — GB-BXi7-5775 (firmware vF2) unpatched as it has reached it’s end of life. We understand that support can’t last forever, but if you sell products with such a big fault from the factory, it might be worth it to fix the problem and keep your reputation.

The two vulnerabilities that have been discovered seem like a massive oversight from Gigabyte, They didn’t enable write protection for their UEFI (CVE-2017-3197), and seem to have thrown cryptography out of the window when it comes to signing their UEFI files (CVE-2017-3198). The latter vulnerability is partly due to not verifying a checksum or using HTTPS in the firmware update process, instead using its insecure sibling HTTP. CERT has issued an official vulnerability note (VU#507496) for both flaws.

Attackers may exploit the vulnerabilities to execute unsigned code in System Management Mode (SMM), planting whatever malware they like into the low level workings of the computer. Cylance explain a possible scenario as follows:

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.

With all this said, it does raise some interesting opportunities for the hacker community. We wonder if anyone will come up with a custom UEFI for the Brix since Gigabyte left the keys in the door.

California Looks To Compel IoT Security

April 3, 2017 by 32 Comments

There is a bill going through committee in the state of California which, if passed, would require a minium level of security for Internet of Things devices and then some. California SB 327 Information privacy: connected devices in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there a really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally it has been suggested that the devices in question would be required to notify in some way the user when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry of lackluster (often lack of) security on this growing army of IoT hardware and we’ve all known one day the government would get involved. Often this type of action requires a major event where people were in some way harmed either physically or financially that would push this issue. Denial of service attacks have already occurred and hijacking of webcams and such are commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

Transcranial Electrical Stimulation With Arduino, Hot Glue

March 31, 2017 by 28 Comments

The advance of electronic technology has been closely followed by the medical community over the past 200 years. Cutting edge electronics are used in medical imaging solutions to provide ever greater bandwidth and resolution in applications such as MRI machines, and research to interface with the human nervous system continues at a breakneck pace. The cost of this technology – particuarly in research and development – is incredibly high. Combine this with the high price of the regulatory approvals necessary for devices which deal in terms of life and death, and you’ll find that even basic medical technology is prohibitively expensive. Just ask any diabetic. On the face of things, there’s a moral dilemma. Humanity has developed technologies that can improve quality of life. Yet, due to our own rules and regulations, we cannot afford to readily distribute them.

One example of this is that despite the positive results from many transcranial electrical stimulation (TCS) studies, the devices used are prohibitively expensive, as are treatment regimens for patients. Realising this, [quicksilv3rflash] decided to develop a homebrew, open source transcranial electrical stimualtion device, and published it on Instructables. Yes, that’s the world we’re now living in.

It’s important to publish a warning here: Experimenting with this sort of equipment can easily kill you, fry your brain, or have any number of other awful results. If you don’t have a rock solid understanding of the principles behind seperate grounds, or your soldering is just a little sloppy, you don’t want to go anywhere near this. In particular, this device cannot be powered safely by a wall-wart.

To be honest, we find it difficult to trust any medical device manufactured out of modules sourced from eBay. But as a learning excercise, there is serious value here. Such a project requires mastery of analog design to avoid dangerous currents being passed to the body. The instructions also highlight the importance of rigorously testing the device before ever connecting it to a human body.

The equipment is based around an Arduino Nano receiving commands from a computer over serial, fed by an application written in Python & PyGame. To think, this writer thought he was being bold when he used it to control a remote control car! The Arduino Nano interprets this data and outputs it over SPI to a DAC which outputs a signal which is then amplified and fed to the human brain courtesy of op-amps, boost converters and sponge electrodes. The output of the device is limited to +/-2.1mA by design, in accordance with suggested limits for TCS use.

It should be noted, [quicksilv3rflash] has been experimenting with homebuilt TCS devices for several years now, and has lived to tell the tale. It’s impressive to see a full suite of homebrew, opensource tools being developed in this field. [quicksilv3rflash] reports to have not suffered injuries from the device, and several devices have been shipped to redditors. We’ve only found minimal reports on people receiving these, but nothing on anyone actually using the hardware as intended. If you’ve used one, get in touch in the comments.

It goes without saying – this sort of experimentation is dangerous and the stakes for getting it wrong are ludicrously high. We’ve seen before what happens when medical devices malfunction – things get real ugly, real fast. But hackers will be hackers and if you were wondering if it was possible to build a TCS device for under $100 in parts from eBay, well, yes. Yes it is.

Save Big By Hacking Your Car Keys

March 29, 2017 by 69 Comments

Three hundred bucks for a new car key? Nonsense! When you lose your keys or want to have an extra made for that new teen driver, don’t let the stealership lighten your wallet. Just pull the ECU and hack some hex to add the new keys.

The video below is a whirlwind tour of the process [speedkar9] uses to reprogram Toyota ECUs to allow new keys to pass the security test on your new(er) car. Since the early 2000s or so, most manufacturers have included RFID chips in their keys so that only known keys will start a car. In Toyotas, this is done by an RFID reader in the steering column that passes the inserted key’s code to the engine control unit. If the 8-byte key code matches one of three values stored in the ECU, the car will start. Clearing the EEPROM in the ECU is the focus of [speedkar9]’s process, which connecting to the EEPROM and reading the contents. His rig includes an RS-232 serial connection, so the hardest part of this hack might be rounding up a PC with a DB-9 jack, but once you’ve got that covered, it’s just a little bit-bashing to “virginize” the ECU to ready it for reprogramming.

The details of the procedure will vary by manufacturer, of course, and cars of a more recent vintage will likely have even more security to worry about. Might you even run afoul of DRM like you would by hacking a tractor? Perhaps. But $300 is $300.

Continue reading “Save Big By Hacking Your Car Keys”

2017: The Year Of The Dishwasher Security Patch

March 28, 2017 by 101 Comments

As if Windows Update wasn’t bad enough, one has to deal with a plethora of attention-hungry programs and utilities all begging for a continual stream of patches from the Internet. It’s exhausting, but unfortunately also par for the course. Many of these updates are to close security vulnerabilities that could otherwise expose your computer to undesirables. The Internet of Things will only expand the amount of hardware and software you need to keep updated and protected on a daily basis. Now, it’s your dishwasher that’s under attack.

The Register reports that Jens Regel discovered the bug in a Miele dishwasher with a webserver. It’s a basic directory traversal attack that can net the intruder the shadow password file. Armed with this, it’s simple to take over the embedded Linux system and wreak havoc on your local network.

It’s not particularly surprising – we’ve talked about IoT security and its pitfalls before. The problem is, a dishwasher is not a computer. Unlike Microsoft, or Google, or even the people behind VLC, Miele don’t have infrastructure in place to push out an update to dishwashers worldwide. This means that as it stands, your only real solutions are to either disconnect the dishwasher from your network, or lock it behind a highly restrictive firewall. Both are likely to impede functionality. Of course, as always, many will ask why a dishwasher needs to be connected to the Internet at all. Why indeed.

Russian Hackers Domain Fronting

March 28, 2017 by 51 Comments

FireEye just put out a report on catching the Russian hacker group “Advanced Persistent Threat 29” (APT29, for lack of a better code name) using the meek plugin for TOR to hide their traffic. If you’re using meek with meek-reflect.appspot.com, you’ll find it’s been shut down. If all of this is gibberish to you, read on for a breakdown.

meek is a clever piece of software. Imagine that you wanted to communicate with the Tor anonymizing network, but that you didn’t want anyone to know that you were. Maybe you live in a country where a firewall prevents you from accessing the full Web, and blocks Tor entry nodes as part of their Great Firewall. You’d want to send traffic somewhere innocuous first, and then bounce it over to Tor, in order to communicate freely.

That’s what meek does, but it goes one step further. The reflector server is hosted using the same content-delivery network (CDN) as a popular service, say Google’s search engine. The CDN has an IP address, like every other computer on the Internet, but it delivers content for any of the various services it hosts. Traffic to the CDN, encrypted with TLS, looks the same whether it’s going to the meek reflector or to Google, so nobody on the outside can tell whether it is a search query or packets destined for Tor. Inside the CDN, it’s unencrypted and passed along to the reflector.

Anyway, meek was invented to help bring the uncensored Internet to people who live in oppressive regimes, and now cybersecurity researchers have observed it being used by Russian state hackers to hide their tracks. Sigh. Technology doesn’t know which side it’s on — the same backdoor that the FBI wants to plant in all our communications can be used by the mafia just as easily. Plugins that are meant to bring people freedom of speech can just as easily be used to hide the actions of nation-state hackers.

What a strange world we live in.

Arch Your Eyebrow At Impression Products V. Lexmark International

March 28, 2017 by 63 Comments

When it comes to recycled printer consumables, the world seems to divide sharply into those who think they’re great, and those who have had their printer or their work ruined by a badly filled cartridge containing cheaper photocopy toner, or God knows what black stuff masquerading as inkjet ink. It doesn’t matter though whether you’re a fan or a hater, a used printer cartridge is just a plastic shell with its printer-specific ancilliaries that you can do with what you want. It has performed its task the manufacturer sold it to you for and passed its point of usefulness, if you want to fill it up with aftermarket ink, well, it’s yours, so go ahead.

There is a case approaching the US Supreme Court though which promises to change all that, as well as to have ramifications well beyond the narrow world of printer cartridges. Impression Products, Inc. v. Lexmark International, Inc. pits the printer manufacturer against a small cartridge recycling company that refused to follow the rest of its industry and reach a settlement.

At issue is a clause in the shrink-wrap legal agreement small print that comes with a new Lexmark cartridge that ties a discounted price to an agreement to never offer the cartridge for resale or reuse. They have been using it for decades, and the licence is deemed to have been agreed to simply by opening the cartridge packaging. By pursuing the matter, Lexmark are trying to set a legal precedent allowing such licencing terms to accompany a physical products even when they pass out of the hands of the original purchaser who accepted the licence.

There is a whole slew of concerns to be addressed about shrink-wrap licence agreements, after all, how many Lexmark owners even realise that they’re agreeing to some legal small print when they open the box? But the concern for us lies in the consequences this case could have for the rest of the hardware world. If a precedent is set such that a piece of printer consumable hardware can have conditions still attached to it when it has passed through more than one owner, then the same could be applied to any piece of hardware. The prospect of everything you own routinely having restrictions on the right to repair or modify it raises its ugly head, further redefining “ownership” as  “They really own it”. Most of the projects we feature here at Hackaday for example would probably be prohibited were their creators to be subject to these restrictions.

We’ve covered a similar story recently, the latest twist in a long running saga over John Deere tractors. In that case though there is a written contract that the farmer buying the machine has to sign. What makes the Lexmark case so much more serious is that the contract is being applied without the purchaser being aware of its existence.

We can’t hold out much hope that the Supreme Court understand the ramifications of the case for our community, but there are other arguments within industry that might sway them against it. Let’s hope Impression Products v. Lexmark doesn’t become a case steeped in infamy.

Thanks to [Greg Kennedy] for the tip.

Lexmark sign by CCC2012 [CC0].