PreOS Security

BSidesPDX 2018 Workshop

2018-10-11T00:00:00+00:00

Lee & Paul will be at BSides PDX 2018 Fri Oct 26th giving a hands-on workshop titled “Detecting Evil Maid Firmware Attacks” https://bsidespdx.org/events/2018/workshops.html#Evil%20Maid.

Summary:

Firmware is software that controls the hardware; firmware-based malware (bootkits, firmworms, etc.) has very low-level system access, even while the system is powered off, and is invisible to most security tools. This workshop gives an introduction to platform firmware security, for DFIR professionals responsible for protecting critical infrastructure. Beginning with an introduction to the technologies (UEFI, ACPI, SMM, BMC, Redfish, etc.), the threats, available open source tools, and guidance and best practices, and the latest NIST firmware security lifecycle guidance. The presentation will cover and the lab will use tools like CHIPSEC, UEFITool, UEFIDump, FirmWare Test Suite, ACPIdump, and other open source tools to obtain diagnostic and security information – and ‘blobs’ from the firmware. We will demonstrate how our open source software Firmware Audit (fwaudit) can be used to assist with automation and logging and forensics, and our cloud service for storage and centralized analysis. We’ll be using a Linux VM, participants who want to run workshop labs will need a laptop with VirtualBox installed.

–

Immediately after the PreOS workshop, Intel will be presenting their workshop on “UEFI and CHIPSEC development for Security Researchers” https://bsidespdx.org/events/2018/workshops.html#Chipsec

Highly recommended!

Newsletter Q3 2018 - fwaudit releases, e-book, Black Hat, proactive firmware evaluation

2018-08-06T00:00:00+00:00

fwaudit updates

Our open source firmware security tool released in March at UEFI Plugfest has some updates, now tagged as release 0.0.2. We’ve made some bugfixes, added support for an Intel AMT vulnerability test and cleaned up the code.

We still consider this code “PRE ALPHA” and we’ll let you know when it is starting to be more useful and have fewer known defects.

Syslog support under Linux is working in this release, and we think that is an important milestone for enterprise use - assuming you have centralized syslog aggregation in place. Do you? We’d like to know.

We’d also like to know what are the next most important features to you for a firmware security automation tool.

We have dedicated email lists for fwaudit, both -announce and -discuss. Sign up here:

fwaudit-announce:

https://lists.preossec.com/mailman/listinfo/fwaudit-announce_lists.preossec.com

fwaudit-discuss: https://lists.preossec.com/mailman/listinfo/fwaudit-discuss_lists.preossec.com

E-Book Released

After a long wait, we’re proud to announce that the e-book: “Platform Firmware Security Defense for Enterprise System Administrators and Blu Teams” is released.

We decided to license the book CC BY-NC-SA, so we will publish the source and build files directly on Github (https://github.com/PreOS-Security/) once we’ve tidied them up a bit. Once it is on Github, you’ll be able to submit pull requests. Until then, email editor@preossec.com with feedback.

If you have trouble with the email attachments, you can download them from an unlinked URL on our corporate site:

https://preossec.com/products/ebook-download

Black Hat USA 2018

Are you going to Black Hat? We’ll be doing a demo of the new release and improvements to our open source firmware security software fwaudit at the Arsenal Tools Demo. We’d love to meet up with you!

https://www.blackhat.com/us-18/arsenal/schedule/index.html#firmware-audit-platform-firmware-security-automation-for-blue-teams-and-dfir-11359

Contact both of us at:

blackhatusa2018@preossec.com

New Proactive Single Make/Model/Revision Firmware Security Evaluation

We’re both pretty excited to offer a new report. Ship us any single make / model / revision of hardware, we’ll do an in-depth firmware security report. Use this report to inform purchasing decisions, system security positioning, and improve IT procedures such as firmware updates and incident response.

We will lead by posting example reports to this https://firmwaresecurity.com, in sections as (tagged!) blog posts, for:

Lenovo Carbon X1 6th Generation
Dell XPS 13 9370 (Early 2018)

Once we’re done, you’ll be able to access the full reports as a pdfs on the corporate site:

https://preossec.com/services/single-variant-firmware-security-report/

$500 USD.

We will run all publicly available firmware and hardware vulnerability tools and check version numbers, for known issues such as:

Intel AMT
Intel ME
AMD PSP
Spectre
Meltdown
Microcode
Rowhammer

We’ll include a comprehensive list of firmware on the system, and highlight potential issues such as:

Closed source binary blobs
Modifiable firmware
How it can be modified (eg: desoldering and flashing chips, JTAG, I2C, etc)
Compliance with applicable NIST standards
Tools, updates and support availability from component manufacturer, and OEM
We will look for operational support, such as signed firmware updates via Windows update and Linux Vendor Firmware Service (aka: fwupd).

We will make recommendations if this system should not be used in sensitive areas such as:

Executives (CEO, CTO, etc)
Finance
Legal
Critical Infrastructure
DOD
PCI
HIPAA

Black Hat USA 2018 Arsenal Tools Demo of fwaudit

2018-06-27T00:00:00+00:00

We’ll be demonstrated a much more powerful and feature complete release of fwaudit at Black Hat USA in August. We may merge some changes in with the public branch before then - keep an eye on:

https://github.com/PreOS-Security/fwaudit

Our demo is Weds, 2:30pm-3:50pm Station 5:

https://www.blackhat.com/us-18/arsenal/schedule/index.html#firmware-audit-platform-firmware-security-automation-for-blue-teams-and-dfir-11359

This will be our first time at Black Hat, and we’re looking forward to seeing some of the other Arsenal Tools Demos:

https://www.blackhat.com/us-18/arsenal/schedule/index.html

and attending some of the Briefings:

https://www.blackhat.com/us-18/briefings/schedule/index.html

If only we could attend everything - but it all happens at once!

If you’re going to be there, and you’re interested in what we’re up to - we’d love to talk to you. Contact us here: blackhatusa2018@preossec.com

Release of fwaudit and awesome-firmware-security

2018-04-20T00:00:00+00:00

PreOS Security is happy to announce the very first release of our GPL firmware security tool firmware audit, aka: fwaudit. You can download it from Github here:

https://github.com/PreOS-Security/fwaudit

We’re calling this a 0.0.1 release, as it has many known bugs and issues, and is missing quite a few features you might find useful. We’ll relay the CHIPSEC disclaimer that it is NOT FOR PRODUCTION USE. And in fact, it isn’t suitable for much use at all, yet. Still - check it out if you’re curious, or feeling helpful to us. Give us comments or a pull request!

We’ve also released a Github awesome list: https://github.com/PreOS-Security/awesome-firmware-security

Awesome Firmware Security is a curated list compiled from years of Lee’s blogging over at https://firmwaresecurity.com and preparation for our many talks and presentations. We’ve already got some feedback from the community via Twitter https://twitter.com/PreOS_Security and pull requests. Send us yours! This is a community resource for everyone to use and improve.

See You At UEFI Plugfest

2018-03-25T00:00:00+00:00

What is a UEFI Plugfest? Organized by the UEFI Forum, plugfests are the biannual events at which stakeholders in the UEFI ecosystem can test the interoperability of their UEFI implementations. This includes everyone from manufacturers, independent BIOS vendors and PCIe card manufacturers to operating system vendors - including open source.

http://www.uefi.org/SpringPlugfest2018

If you are attending the UEFI Plugfest in Bellevue this week, be sure to say “Hi.” PreOS Security are sponsoring the event, and we’d love to talk to you, no matter which part you play in the UEFI ecosystem. We’re also on the test schedule to test out our pre-alpha software.

Perhaps you’re wondering where we’ve been lately? We’ve been working our our still-upcoming e-book, developing our training modules, writing code, and occasionally having winter cold and/or flu. We’re a bit behind on everything, and haven’t forgotten that many of you are waiting on our e-book and newsletter!

Hear Our CTO Talk At BSides Seattle

2018-01-25T00:00:00+00:00

Lee Fisher, our CTO will be speaking at BSides Seattle, which actually takes place in Redmond on the Microsoft campus. Tickets are all sold out, but you can join the waitlist to see if tickets become available.

Waitlist here: https://www.eventbrite.com/e/bsides-seattle-2018-tickets-40951270352

BSides Seattle Webpage: http://www.securitybsides.com/w/page/121128486/BsidesSeattle2018

The title of the talk is “Platform Firmware for Blue Teams: Detecting Evil Maid Attacks” and you’ll note that CEO Paul English is also credit as speaking, but his attendance isn’t guaranteed due to travel.

PreOS Security on the Brakeing Security Podcast

2017-10-23T00:00:00+00:00

Brakeing Security has posted the podcast with our interview: http://brakeingsecurity.com/2017-special004-source-conference-seattle-2017

Thanks Brian!

SOURCE Seattle 2017

2017-10-12T00:00:00+00:00

PreOS attended and spoke at SOURCE Seattle 2017 in Bellevue, October 5th & 6th. Lee presented a one-hour summary talk version of our half-day hands-on tutorial on firmware security. Slides are available: https://firmwaresecurity.files.wordpress.com/2017/10/srcsea17.pdf

Lee’s personal blog mentions this talk also: https://firmwaresecurity.com/2017/10/10/uefi-slides-from-source-seattle-uploaded/

At the conference, Bryan of the Brakeing Security podcast interviewed PreOS Security co-founder Paul English and Lee Fisher, along with some other SOURCE Seattle speakers. The podcast should be released some time this week.

http://www.brakeingsecurity.com/

http://brakeingsecurity.com/rss

SeaGL 2017

2017-10-11T00:00:00+00:00

PreOS attended and spoke at SeaGL 2017 in Seattle October 6th & 7th. Paul presented a version of Lee’s talk at SOURCE Seattle (blog post upcoming) titled “Detecting BadBIOS, Evil Maids, Bootkits, and Other Firmware Malware” https://osem.seagl.org/conferences/seagl2017/program/proposals/374.

Per the organizers’ suggestion, slides were uploaded to archive.org:

https://archive.org/details/seagl-2017

This talk was slightly more aimed at individuals than people managing large fleets of machines, but can (and will!) be tuned even more for future events. Perhaps LinuxFest Northwest?

Meanwhile, we’re still working hard on our “Firmware Security For Sysadmins and Blue Teams” e-book, which should condense both talk and tutorial guidance for large fleets of machines into the most compact format we can manage. Firmware security is a deep topic!

You can still get a free copy of our e-book when it comes out by signing up for our Quarterly Firmware Newsletter (okay, technically you can just request a copy of the e-book if you like):

https://preossec.com/newsletter

Background on CVE-2017-5689/VU-491375/INTEL-SA-00075 (Intel AMT)

2017-06-17T00:00:00+00:00

<Note: We’re going to try and post a blog entry for major firmware vulnerabilities that impact enterprises, and the recent Intel AMT vulnerability seems like a good place to start.>

Technology Overview:

Quoting Wikipedia, “Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them.<1> Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents.”

Intel AMT is a firmware technology that runs on the Intel ME processor. AMT is normally enabled on servers, but some ‘business-class’ desktops/laptops – such as Thinkpads – also use AMT.

AMT is active even when the operating system is powered off, and the power switch is off, if there is power supply AMT can be running.

AMT can be remotely administrated. If there is a network connection, AMT may be sending network traffic. Normally AMT is considered an ethernet-centric technology, but it appears there are scenerios that AMT also uses WiFi.

Intel ME processor cannot be disabled with tools from Intel. Intel AMT may be disabled in the boot menu.

Vulnerability Background:

Maksim Malyutin of Embedi located the vulnerability.

Tenable also ‘rediscovered’ the vulnerability, both Embedi and Tenable have good technical descriptions of the vulnerability.

The AMT code has a string copy function to check the remote user’s password, and they don’t check the return code, so ANY password will work for ANY user.

Mitigations:

Read list of mitigations from Intel and US-CERT.
Get latest AMT software update from Intel/vendor.
Check Intel announcement for tools to detect and disable.
Disable AMT.
If using AMT, question the need to use it.
Disable AMT in network environments where you cannot fully control the network traffic (eg, mobile AMT-enabled laptop at external wifi hotspot)
Consider some non-Intel community tools to check AMT and ME status.
Isolate any AMT network traffic from public Internet (possible with Ethernet, perhaps not possible with WiFi-enabled business-laptops when roaming (eg, coffee shop).
Set corporate policy regarding AMT use (update policy, disable/enable status).

Beyond the Intel tool, some untested community tools that might be helpful. Beyond detecting current status/informatoin, some of these community tools have features to attempt to disable AMT and/or ME, which may or may not work. Ask your vendor and local hardware expert before touching any of the non-readonly features, they may brick your system if you are not very careful.

Intel AMT aside, if your enterprise uses IPMI, or DMTF SMASH, DMTF DASH, DMTF Redfish, HP iLO, Dell DRAC, IBM Remote Supervisor Adapter, AMI MegaRac, or similar network-enabled OOB pre-OS technologies, you should also check for latest software, and ensure that their network traffic is isolated from attackers.

More Information:

technology background:

Information from the security researcher who discovered the vulnerability:

Information from Intel, including tools:

Subset of community tools:

Selected subset of other sources of information: