Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller

Conference: BlackHat USA 2019

The presentation discusses the vulnerabilities and attack surface of the embedded controller in Lenovo ThinkPad laptops and the firmware update process.
  • The embedded controller in Lenovo ThinkPad laptops is a collection of logical devices that can be seen as services exposed by the controller.
  • The communication channel between the main processor and the embedded controller can be used to update the controller's firmware.
  • The firmware update process in most vendors, including Lenovo, lacks identification for embedded controller firmware and does not lock the host out of initiating communication with the embedded controller, creating a vulnerability for malicious activities and persistence.
  • The BIOS Guard directory in Lenovo ThinkPad laptops has a script that can be modified at runtime, creating a large attack surface for the attacker.
  • The script language in the BIOS Guard directory is a fixed-size instruction set with basic instructions for setting the flash address, erasing chunks, and writing chunks.
  • The ACM in Lenovo ThinkPad laptops is encrypted and executes on the lock at hash, making it difficult to dump, but it can be controlled when loaded and can be used for black box testing.
  • The presentation provides anecdotal evidence of previous research on embedded controller attacks and the vulnerabilities of the firmware update process.
The presenter highlights previous research by Alex Hundred on embedded controller attacks in 2011 and the functional research by Chapman and Coloman on breaking the keyboard controller. These studies provide pointers for the vulnerabilities of the embedded controller and the firmware update process.


Hardware security boundaries are really difficult to support and design correctly. Modern x86 platforms contain a lot of different hardware components. It's clear they should be included in the usual threat model's obvious external paths, but what if the attacker can compromise one of the trusted components? We have previously seen researchers compromise the TPM and start the attack from inside the trusted boundary. All these points raise concerns about the current threat modeling process, because after an attacker crosses a trusted boundary, the attack surface changes significantly. Does this mean the attack surface is dynamic and not static?

In our presentation, we focus on reverse engineering the Embedded Controller (EC) from one of the recent Lenovo ThinkPad laptops and on attacks from the EC trusted boundary against the main platform firmware (BIOS), and we manage to bypass Intel BIOS Guard technology (Lenovo specific implementation). We will present multiple topics across security boundary problems on x86 platforms, demonstrate platform design problems with trust in third-party components such as the EC, and show real attacks from OS level to EC and from EC to BIOS.

This research covers reverse engineering of EC firmware based on the ARC processor architecture, the internals of the EC architecture, and specific operating modes that support SMI handlers on the EC side (including BIOS Guard). We also reverse engineered the most interesting parts of the communications and relations between BIOS and EC. From the attacker's perspective, the attack surface from the EC is quite large and can include DMA attacks, disclosure of PCI memory space to attack devices, and the possibility of persistent rootkit/implant installation.