Conference:  Defcon 31

Authors: Alex Tereshkin Principal System Software Engineer (Offensive Security), NVIDIA, Adam Zabrocki Distinguished Engineer (Offensive Security), NVIDIA

2023-08-01

The Baseboard Management Controller (BMC) is a specialized microcontroller embedded on the motherboard, typically used in servers and other enterprise-level hardware. The security of the BMC is critical to the overall security of the system, as it provides a privileged level of access and control over the hardware components of the system, including the ability to perform firmware updates, and even power the system on and off remotely. When the internal offensive security research team was analyzing one of the NVIDIA hardware, they detected several remotely exploitable bugs in AMI MegaRAC BMC. Moreover, various elevations of privileges and "change of scope" bugs have been identified, many of which may be chained together resulting in a highest severity security issue. During this talk we would like to take you on the journey of the whole attack sequence: from having zero knowledge about a remote AMI BMC with enabled IPMI (yeah, right) to flashing a persistent firmware implant to the server SPI flash. The chain will be about a dozen bugs long, so buckle up.

Conference:  Defcon 31

Authors: Tom Pohl Principal Consultant and the Penetration Testing Team Manager at LMG Security

2023-08-01

Firmware and software binaries are littered with private keys, legitimate CA-blessed certificates, and encryption keys—but hardly anyone notices. These secrets are often obfuscated or otherwise hidden in ways that weren’t intended to be found. I’ll show three real-world examples from popular manufacturers (Netgear, Fortinet and Dell), and demonstrate techniques for uncovering them. In the most extreme example, an adversary can use an obfuscated key to gain access to any customer’s vCenter environment. I’ll start with a straightforward look at Netgear firmware and show methods for discovering private keys in PEM-encoded text files. We’ll dig into the Fortinet firmware, which contained custom obfuscated archive files, and show how to extract Apple and Google issued certificates and I will also show that 3 year awaited “fix” did not adequately solve the issue. Finally, I’ll dig into the worst case: a static AES encryption key within Dell software used to connect to vCenter. I'll demonstrate how retrieve, decompile and use a static AES key which will decrypt vCenter credentials. The key is the same for EVERY customer. This has not been talked about anywhere publicly. I’ll conclude by discussing the importance of developer training, proper key management, and (above all), identifying and eliminating this systemic practice.

Conference:  Defcon 31

Authors: Daniel Wegemer

2023-08-01

Wifi chips contain general purpose processors. Even though these are powerful processors, their firmware is closed source and does not allow modifications. This talk explores how the firmware of modern Xtensa based Qualcomm Wifi chips can be modified to allow extending its indented functionality. Such modifications can even be for example leveraged by security researchers to find vulnerabilities in an otherwise closed source Wifi code. During the talk we will also dive into the architecture of Qualcomms Wifi chips as well as the structure of the firmware used withing these chips. We will release a modified version of the Nexmon framework to enable patching of Xtensa based firmware and show all the steps involved to create such patches.

Conference:  Black Hat Asia 2023

Authors: Alex Matrosov, Richard Hughes, Kai Michaelis

2023-05-12

Over the past two years, attacks on multiple targets in the semiconductor industry have consistently led to leaks of firmware source code. A compromised developer device could potentially give an attacker access to the source code repository, adding a major gap in the security of the software supply chain. There are multiple policies in place to improve transparency in the firmware supply chain in general, but implementing and adopting them will take years. The technology industry is in the midst of active discussions about the use of "software bill of materials" (SBOMs) to address supply chain security risks.In order to implement supply chain security practices, there must be better transparency on software dependencies. Previously, any piece of software shipped as black-box without providing any information related to software dependencies and third-party components. Firmware has largely been looked at in the same way. We already discussed in our previous talks the multiple levels of complexity in the UEFI firmware ecosystem and supply chain taxonomy and we already discussed the firmware supply chain complexity topics regarding the firmware update delivery and how the timing plays a negative role to give an attackers advantage to adopt already known vulnerabilities (N-days) to their attacks in last year's research "The Firmware Supply-Chain Security Is Broken: Can We Fix It?".The silicon vendor reference code vulnerabilities are always the worst since impacting the whole industry and all the device vendors have used the same chips on their devices. When it comes to applying mitigations, how does the industry take advantage of them, and who controls their adoption in the firmware? Those are all good questions, but unfortunately, no positive news can be shared. The system firmware attack vectors will be discussed in this talk from the perspective of attacking the operating system or hypervisor. The nature of these attacks breaks the foundation of confidential computing and often creates problems for the entire industry.This talk will focus on practical examples of such attacks and how they are dangerous.

Conference:  Black Hat Asia 2023

Authors: Vlad Babkin, Nate Warfield

2023-05-11

The global IT supply chain is under a heavy spotlight, amidst covid-impacted production shortages, work-from-home policies, geopolitical tensions, and an overall re-balkanization of technology design and production. The 2020 SolarWinds attacks brought the real-world risk of a supply chain attack to the forefront. More commonly overlooked, however, is the risk posed by enterprise devices and the firmware which controls them. These systems exist in highly privileged areas of the computing industry, and due to both their mission criticality and difficulty in patching are mostly forgotten - but not to attackers. We'll reveal new research which began with a ransomware group and ended with a significant coordinated disclosure effort to remediate vulnerabilities discovered at the top of the firmware supply chain. The vulnerabilities we found are in an industry-standard management API, easily exploitable but well-hidden, and it took a data exposure before they were discovered. The access afforded by the exploitation of these flaws can provide an attacker with permanent administrative access to millions of servers worldwide. We will discuss how low-level attacks, once relegated only to nation-states, are being added to the arsenal of cybercriminals and ransomware groups. The talk will also highlight the challenges posed to organizations in assessing their firmware risk and the importance of accountability for the modern technology supply chain.Please note that this will be a remote (virtual) presentation.