LEDs Light The Way To This Backdoor

A curious trend for some years in the world of PC hardware has been that of attaching LEDs to all the constituent parts of a computer. The idea is that a gaming rig that looks badass will somehow be just a little bit faster. As [Graham Sutherland] discovered when he wanted to extinguish the LEDs on his new Gigabyte graphics card, these LEDs can present an unexpected security hazard.

The key to their insecurity comes in the Gigabyte driver. This is a piece of software that you would normally expect to be an abstraction layer with an interface visible to your user-level privilege, and a safe decoupling between that and the considerably more security-sensitive hardware layer on which the LED bus can be found. Instead of this, the Gigabyte driver is more of a wrapper that simply exposes the LED bus directly to the user level. It’s intended that user-level code can easily bit-bang WS2812 LEDs without hindrance, but its effect is to provide a gaping hole in the security layers intended to keep malicious code away from the hardware. The cherry on the cake is provided by the discovery of a PIC microcontroller on the bus which can be flashed with new code, providing an attacker with persistent storage unbeknownst to the operating system or CPU.

The entire Twitter thread is very much worth reading whether you are a PC infosec savant or a dilettante, because not only should we all know something about the mechanisms of PC backdoors, we should also be aware that sometimes a component as innocuous as an LED can be a source of a security issue.

Thanks [Slurm] for the tip.

Gigabyte motherboard picture: Gani01 [Public domain].

Hackaday Links: July 23, 2017

Hey, you know what’s happening right now? We’re wrapping up the third round of The Hackaday Prize. This challenge, Wheels, Wings, and Walkers, is dedicated to things that move. If it’s a robot, it qualifies, if it’s a plane, it qualifies, if it passes butter, it qualifies. There’s only a short time for you to get your entry in. Do it now. Superliminal advertising.

Speaking of the Hackaday Prize, this project would be a front-runner if only [Peter] would enter it in the competition. It’s one thing to have a cult; I have a cult and a petition to ‘stop’ me.

We were completely unaware of this project, but a few weeks ago, a cubesat was launched from Baikonur. This cubesat contains a gigantic mylar reflector, and once it’s deployed it will be the second brightest object in the night sky after the moon. I don’t know why we haven’t seen this in the press, but if you have any pictures of sightings, drop those in the comments.

In a mere two years, we’ll be looking at the 50th anniversary of the Apollo 11 landing. The mission control center at Johnson Space Center — where these landings were commanded and controlled — is still around, and it’s not in the best shape. There’s a Kickstarter to restore the Apollo Mission Control Center to its former glory. For the consoles, this means restoring them to Apollo 15 operational configuration.

We’ve seen 3D printed remote control airplanes, and at this point, there’s nothing really exceptional about printing a wing. This user on imgur is going a different direction with 3D printed fiberglass molds. Basically, it’s a fuselage mold for a Mustang that is printed and glued together, with the inside sanded and coated in wax. Two layers of fiberglass (3 oz and 6 oz) are laid down with West Systems epoxy. After a few days, the mold is cracked open and a fuselage appears. This looks great, and further refinements of the process can include vapor smoothing of the inside of the mold, a few tabs to make sure the mold halves don’t break when the part is released, and larger parts in general.

The Darknet’s Casefile will take you to the limit of your existing knowledge. Join them, to go on a quest to improve your technical abilities.

This week is Def Con. That means two things. First, we’re on a hardware hunt. If you’ve been dedicating the last few months to #badgelife or other artisanal electronics, we want to hear about it. Second, [Joe Kim] made a graphic of the Tindie dog wearing a Hackaday hoodie and it’s adorable. There are a limited number of stickers of our hacker dog.

Gigabyte launched a single board computer with an Intel Apollo Lake CPU, discrete memory and storage, and a mini PCIe slot. Of course, this is being incorrectly marketed as a ‘Raspberry Pi competitor’, but whatever.

Gigabytes The Dust With UEFI Vulnerabilities

At this year’s BlackHat Asia security conference, researchers from Cylance disclosed two potentially fatal flaws in the UEFI firmware of Gigabyte BRIX small computers which allow a would-be attacker unfettered low-level access to the computer.

Gigabyte has been working on a fix since the start of 2017. Gigabyte is preparing to release firmware updates as a matter of urgency for only one of the affected models, the GB-BSi7H-6500 (firmware vF6), while leaving the GB-BXi7-5775 (firmware vF2) unpatched as it has reached its end of life. We understand that support can’t last forever, but if you sell products with such a big fault from the factory, it might be worth it to fix the problem and keep your reputation.

The two vulnerabilities that have been discovered seem like a massive oversight from Gigabyte: they didn’t enable write protection for their UEFI (CVE-2017-3197), and seem to have thrown cryptography out of the window when it comes to signing their UEFI files (CVE-2017-3198). The latter vulnerability is partly due to not verifying a checksum or using HTTPS in the firmware update process, instead using its insecure sibling HTTP. CERT has issued an official vulnerability note (VU#507496) for both flaws.

Attackers may exploit the vulnerabilities to execute unsigned code in System Management Mode (SMM), planting whatever malware they like into the low level workings of the computer. Cylance explain a possible scenario as follows:

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.
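What "write protection enabled" means at register level, as a defender's audit check (an added example, not code from the article or from Cylance). It assumes an Intel PCH platform whose BIOS_CNTL and SPI protected-range register values have already been read out with a tool such as chipsec; the function names are hypothetical and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL bits on Intel PCH chipsets (assumed platform). */
#define BIOSWE  (1u << 0) /* BIOS Write Enable: flash accepts writes now */
#define BLE     (1u << 1) /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define SMM_BWP (1u << 5) /* SMM BIOS Write Protect: writes only from SMM */

typedef enum { WP_OPEN, WP_UNLOCKED, WP_SMI_ONLY, WP_SMM_ONLY } wp_state;

/* Classify who can write the BIOS region given a BIOS_CNTL value. */
wp_state assess_bios_cntl(uint8_t v) {
    if (v & SMM_BWP) return WP_SMM_ONLY;  /* hardware rejects non-SMM writes */
    if (v & BIOSWE)  return WP_OPEN;      /* any ring-0 code can write now */
    if (!(v & BLE))  return WP_UNLOCKED;  /* ring 0 may set BIOSWE unchallenged */
    return WP_SMI_ONLY;                   /* relies on an SMI handler clearing BIOSWE */
}

/* SPI Protected Range register: base in bits 14:0 and limit in bits 30:16,
   both in 4 KiB units; bit 31 enables write protection for the range. */
bool pr_write_protects(uint32_t pr, uint32_t start, uint32_t end) {
    if (!(pr & 0x80000000u)) return false;
    uint32_t base  = (pr & 0x7FFFu) << 12;
    uint32_t limit = (((pr >> 16) & 0x7FFFu) << 12) | 0xFFFu;
    return base <= start && end <= limit;
}

/* True only if the region stays read-only even to SMM code: some range
   covers it and FLOCKDN (flash lock-down) stops the ranges being rewritten. */
bool region_locked(const uint32_t *pr, int n, bool flockdn,
                   uint32_t start, uint32_t end) {
    if (!flockdn) return false;
    for (int i = 0; i < n; i++)
        if (pr_write_protects(pr[i], start, end)) return true;
    return false;
}

int main(void) {
    /* Constructed sample values, not readings from a real BRIX. */
    uint32_t pr[] = { 0x00000000u, 0x87FF0600u };
    printf("BIOS_CNTL=0x08 -> state %d\n", assess_bios_cntl(0x08));
    printf("BIOS_CNTL=0x2A -> state %d\n", assess_bios_cntl(0x2A));
    printf("0x600000-0x7FFFFF locked: %d\n",
           region_locked(pr, 2, true, 0x600000u, 0x7FFFFFu));
    return 0;
}
```

A result of WP_SMM_ONLY still leaves the flash writable from SMM, which is why the protected-range check matters for the scenario quoted above.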

With all this said, it does raise some interesting opportunities for the hacker community. We wonder if anyone will come up with a custom UEFI for the Brix since Gigabyte left the keys in the door.