Remotely Attacking System Firmware

Conference:  BlackHat USA 2018

2018-08-08

Summary

The presentation covers remote attacks on system firmware and closes with recommendations for mitigation and detection.
  • Firmware vulnerabilities are increasing, but nearly all known issues require local (often privileged) or physical access to exploit
  • The presentation focuses on novel remote attacks on system firmware that need no such access
  • Several remote attack vectors are presented, including networking, firmware updates delivered over the Internet, and error reporting
  • Vulnerabilities in UEFI firmware implementations can be exploited remotely to install persistent implants at scale
  • Mitigations for the discussed vulnerabilities and detection capabilities for compromised systems are discussed
  • System firmware (UEFI and BMC) is complex, highly privileged software that runs before the operating system loads and persists across OS reinstalls
  • The firmware update process is often messy and difficult, which delays patching
  • The remote attack surface of firmware keeps expanding as new features and new vulnerabilities are introduced
The presenter recommends using the CHIPSEC framework to enumerate the hardware interfaces in a system and check them for known misconfigurations (for example, unlocked SPI flash write protection). The same framework can be used to build exploits and proof-of-concept tests. Additionally, the presenter suggests using the framework to dump the SPI flash image from the running system and compare it against a whitelist of known-good firmware components. This comparison can reveal whether the system has been compromised or whether unauthorized modifications have been made to the firmware.
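The detection step described above, as an added example that is not code from the talk or from CHIPSEC itself: CHIPSEC's own tools.uefi.whitelist module compares individual EFI modules by hash; the script below works one level up, at firmware-volume granularity, so it stays small enough to read. It parses the Intel flash descriptor of a dumped SPI image to locate the BIOS region, walks the EFI firmware volume headers found there (the `_FVH` signature at offset 0x28 of each header), records a SHA-256 per volume as the known-good state, and reports any volume that is modified, missing, or unexpected in a later dump. The firmware images it builds in `build_fv` and `build_image` are constructed test data, not real firmware, and the function names are this example's own.

```python
"""Compare a dumped SPI flash image against a whitelist of known-good firmware volumes."""
import hashlib
import json
import struct

FD_SIGNATURE = 0x0FF0A55A   # Intel Flash Descriptor signature, at offset 0x10 of the image
FV_SIGNATURE = b"_FVH"      # EFI_FIRMWARE_VOLUME_HEADER.Signature, at offset 0x28 of the header


def bios_region(image: bytes):
    """Return (start, end) of the BIOS region from the flash descriptor.

    Falls back to the whole image when no descriptor is present (a BIOS-region-only dump).
    """
    if len(image) < 0x20 or struct.unpack_from("<I", image, 0x10)[0] != FD_SIGNATURE:
        return 0, len(image)
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4                     # Flash Region Base Address
    flreg1 = struct.unpack_from("<I", image, frba + 4)[0]   # FLREG1 describes the BIOS region
    base = (flreg1 & 0x1FFF) << 12                          # 4 KiB granularity
    limit = (((flreg1 >> 16) & 0x1FFF) << 12) | 0xFFF
    if limit < base:                                        # base > limit means region disabled
        raise ValueError("BIOS region is disabled in the flash descriptor")
    return base, limit + 1


def firmware_volumes(image: bytes):
    """Yield (offset, filesystem_guid_hex, length, volume_bytes) for each FV in the BIOS region."""
    start, end = bios_region(image)
    pos = start
    while True:
        sig = image.find(FV_SIGNATURE, pos, end)
        if sig < 0:
            return
        hdr = sig - 0x28
        fv_len = struct.unpack_from("<Q", image, hdr + 0x20)[0] if hdr >= start else 0
        hdr_len = struct.unpack_from("<H", image, hdr + 0x30)[0] if hdr >= start else 0
        # Reject stray signature matches: header must fit the region and have a sane length.
        if hdr < start or hdr_len < 0x38 or fv_len < hdr_len or hdr + fv_len > end:
            pos = sig + len(FV_SIGNATURE)
            continue
        guid = image[hdr + 0x10:hdr + 0x20].hex()
        yield hdr, guid, fv_len, image[hdr:hdr + fv_len]
        pos = hdr + fv_len


def generate_whitelist(image: bytes) -> dict:
    """Known-good state: SHA-256 of every firmware volume, keyed by its offset in the image."""
    return {
        f"{off:#010x}": {"guid": guid, "length": length, "sha256": hashlib.sha256(body).hexdigest()}
        for off, guid, length, body in firmware_volumes(image)
    }


def check_image(image: bytes, whitelist: dict) -> list:
    """Return findings for volumes that are modified, unexpected, or missing; [] means clean."""
    findings, seen = [], set()
    for off, guid, length, body in firmware_volumes(image):
        key = f"{off:#010x}"
        seen.add(key)
        good = whitelist.get(key)
        if good is None:
            findings.append(f"{key}: unexpected firmware volume (guid {guid})")
        elif hashlib.sha256(body).hexdigest() != good["sha256"]:
            findings.append(f"{key}: firmware volume modified (guid {guid})")
    for key in sorted(whitelist.keys() - seen):
        findings.append(f"{key}: whitelisted firmware volume missing")
    return findings


def build_fv(guid: bytes, body: bytes) -> bytes:
    """Constructed test data: a minimal firmware volume header followed by `body`."""
    hdr_len = 0x48                                   # 0x38 fixed header + one block-map entry + terminator
    total = hdr_len + len(body)
    hdr = bytearray(hdr_len)
    hdr[0x10:0x20] = guid                            # FileSystemGuid
    struct.pack_into("<Q", hdr, 0x20, total)         # FvLength
    hdr[0x28:0x2C] = FV_SIGNATURE
    struct.pack_into("<H", hdr, 0x30, hdr_len)       # HeaderLength
    struct.pack_into("<II", hdr, 0x38, 1, total)     # BlockMap[0] = {NumBlocks, Length}
    return bytes(hdr) + body


def build_image(fvs, bios_base=0x1000, size=0x4000) -> bytes:
    """Constructed test data: flash descriptor at 0, BIOS region from bios_base to end of image."""
    img = bytearray(b"\xff" * size)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)               # FLMAP0.FRBA
    struct.pack_into("<I", img, frba + 4, (bios_base >> 12) | (((size - 1) >> 12) << 16))
    pos = bios_base
    for fv in fvs:
        img[pos:pos + len(fv)] = fv
        pos += len(fv)
    return bytes(img)


if __name__ == "__main__":
    pei = build_fv(b"\x22" * 16, b"PEI modules " * 8)
    dxe = build_fv(b"\x11" * 16, b"DXE core and drivers " * 8)
    whitelist = generate_whitelist(build_image([pei, dxe]))          # golden dump from a clean system
    implanted = build_fv(b"\x11" * 16, b"DXE core and IMPLANT " * 8)  # same size, contents changed
    print(json.dumps(check_image(build_image([pei, implanted]), whitelist), indent=2))
```

On a real system the input to `generate_whitelist` and `check_image` would be the bytes of a flash dump read from disk (for example the file written by `chipsec_util spi dump`), and the whitelist would be stored as JSON from a known-good machine of the same model and firmware version. Keying volumes by offset is deliberate: an implant that appends an extra volume, or a flash that has been rewritten with a different layout, shows up as "unexpected" or "missing" even when every original volume still hashes correctly.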

Abstract

In recent years, we have been witnessing a steady increase in security vulnerabilities in firmware. Nearly all of these issues require local (often privileged) or physical access to exploit. In this talk, we will present novel *remote* attacks on system firmware. We will show different remote attack vectors into system firmware, including networking, updates over the Internet, and error reporting. We will also be demonstrating and remotely exploiting vulnerabilities in different UEFI firmware implementations which can lead to installing persistent implants remotely at scale. The proof-of-concept exploit is less than 800 bytes. How can we defend against such firmware attacks? We will analyze the remotely exploitable UEFI and BMC attack surface of modern systems, explain specific mitigations for the discussed vulnerabilities, and provide recommendations to detect such attacks and discover compromised systems.

Related work

Conference:  Defcon 31
Authors: Alex Tereshkin Principal System Software Engineer (Offensive Security), NVIDIA, Adam Zabrocki Distinguished Engineer (Offensive Security), NVIDIA
2023-08-01