Year: 2023

EDITORIAL | December 19, 2023

Navigating the Cybersecurity Threatscape of Today’s Airports

By Kevin Harnett

Everything is ‘Connected’ in Today’s Modern Airports

Cybersecurity in global aviation is increasingly dependent on vulnerabilities in Information Technology (IT) and Operational Technology (OT) systems. The definition of OT systems in this context is defined as hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves or pumps. OT systems are much less organized and are rarely monitored as closely as conventional IT networks. Airports use several critical OT systems, including baggage handling, airport refueling systems, runway lights, building management systems, and supervisory control and data acquisition systems (SCADA)/industrial control systems (ICS).

At most modern airports, there are many cyber-physical security (CPS) challenges to be met, and airport CPS systems fall into three broad categories, each managed by means of network-connected digital controllers:

  • OT Systems – baggage handling systems, building management systems (mechanical, HVAC, electrical systems, lighting, alarms, and sensors), SCADA/ICS, airport refueling/SCADA systems, Approach Lighting System (ALS), Instrument Landing Systems (ILS), electronic baggage tags, etc.
  • IT Systems – video security surveillance systems, access control/badging, contactless mobile payment systems, barcode systems, license readers/parking lots, etc.
  • Ground Vehicles – de-icing trucks, Aircraft Rescue and Firefighting (ARFF) trucks, heavy-duty electric trucks, Electric Vehicle Supply Equipment (EVSE) chargers, snowplow trucks, remote-control airport tugs, Automotive People Movers (APM), Automated Guideway Transit (AGT), Personal Rapid Transit (PRT), automated shuttles, autonomous vehicles, etc.

Today’s Cybersecurity Threats at Airports is Increasing Exponentially

Persistent cybersecurity threats against the aviation sector pose a danger to world airport travel and safety, including unidentified malicious cyber actors who have specifically targeted the U.S. aviation sector over the past few years. Aviation entities have frequently reported incidents such as increased interactions with known malicious foreign IP addresses, phishing emails impersonating legitimate companies, brute-force attacks, and attempts to install backdoors on victim networks.

This accumulation of incidents, which include the following recent examples, underscores the ongoing threat to the aviation sector and the unacceptable risks associated with delay or inaction:

Date(s)Incident
May 2021Society International Telecommunication for Aeronautics (SITA), a telecommunications and IT provider used by approximately 90% of airlines, was the target of a cyberattack, in which threat actors stole over two million records. Affected entities included Air India, Singapore Airlines, Thai Airways, Finnair, Cathay Pacific, United, Air New Zealand, and others.
September 2022An unidentified cyber actor conducted a brute force cyberattack targeting an identified US airline. This cyberattack originated from Russian IP space and caused airline employees to be locked out of their accounts.
October 2022US airport websites suffered a cyberattack, and pro-Russian hacking groups listed multiple U.S. airports as targets.
October 2022A pro-Russian criminal group named KillNet claimed to be behind a significant distributed denial of service (DDoS) attack that impacted several major airports in the United States. DDoS attacks can cripple online services and affect their availability to consumers if the company running those services doesn’t take the appropriate precautions. The group that claimed responsibility for this latest attack carried out similar attacks in the past six months in Europe. The websites of numerous airports were affected, including Atlanta, Los Angeles, Chicago, Orlando, and Phoenix.
October 2022FireEye has reportedly observed at least 24 different advanced threat actor groups targeting various aspects of the aviation and aerospace industries. These include aerospace and defense parts wholesalers, aerospace products and parts manufacturing, aircraft engine and parts manufacturing, guided missile and space vehicle manufacturing, and industrial and military computer system manufacturing. The majority of these groups were Chinese nexus state-sponsored threat actor groups.
May 2023Personal information was compromised in a breach at third-party vendor pilotcredentials.com, including name and social security number, driver’s license number, passport number, date of birth, Airman Certificate number, and other government-issued identification numbers, according to breach notifications from the airlines.
September 2023State-sponsored threat actors have exploited a US aeronautical organization, using known vulnerabilities in Zoho ManageEngine software and in Fortinet firewalls. The organization has not been named, but a statement by US Cyber Command said the attack illuminated “Iranian exploitation efforts. it also said the organization was under attack by “multiple nation-states.”

In a September 2022 article titled “Top Cyber Threats Faced by the Aviation Industry,” SOCRadar reported that the aviation industry faces a landscape of cyber threats that has constantly evolved and posed new challenges for airports and airlines. The article noted that airport websites across the country were the target of Distributed Denial-of-Service (DDoS) attacks last year that temporarily shut down access to several sites, while ransomware attacks and data breaches remained a majority of incidents impacting the industry since 2020.  

In recent years, cyber incidents in the aviation industry have been reviewed within the context of events monitored by Eurocontrol, a pan-European, civil-military organization dedicated to supporting European aviation, who publish the EATM-CERT (European Air Traffic Management Computer Emergency Response Team) Aviation Cyber Event Map. The data in this map has led to the following findings: 

  • 52 attacks were reported in 2020, and 48 attacks were reported in 2021. 50 attacks were reported through the end of August 2022, with cyber incidents reaching the previous years’ totals in just eight months.
  • The most seen attack types in the last three years (2020, 2021, and 2022) are ransomware (%22)data breaches (%18.6)phishing (%15.3), and DDoS (%7.3).
  • In addition to civil aviation attacks, eight military-related incidents were reported, with some focused on cyber espionage and data theft. Two of these attacks were carried out with ransomware, two with malware, and one with a backdoor.

Attack types targeting the aviation industry and their distribution are enumerated in the following diagrams.

Figure 1. Attack Types Targeting the Aviation Industry
Figure 2. Distribution of Attack Types Targeting the Aviation Industry

TSA’s New Cybersecurity Requirements Regulation for Airport and Aircraft Operators

The TSA has taken emergency action in response to the increased threats and vulnerabilities at airports and airlines, issuing a Joint Emergency Amendment (EA) 23-01 Cybersecurity – Performance-Based Measures on March 7, 2023 for all world-wide Category I and II airports.

In summary, the EA 23-01 requirements include:

  1. Designate Critical Systems (e.g., baggage handling systems, airport re-fueling systems) and submit certain identifying information to TSA
  2. Develop and implement a Cybersecurity Implementation Plan (CIP) for TSA approval that demonstrates how the regulated entity applies or will apply four performance-based cybersecurity measures to each designated Critical System:
    • Network Segmentation – Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa
    • Access Control – Create access control measures to secure and prevent unauthorized access to critical cyber systems
    • Continuous Monitoring and Detection – Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations
    • Vulnerability Patching – Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, driver and firmware on critical cyber systems in a timely manner using a risk-based methodology.
  3. Develop and implement an annual Cybersecurity Assessment Program (CAP) that proactively assesses Critical Systems to ascertain the effectiveness of cybersecurity.

For the purposes of this EA, TSA defines a Critical System as any IT or OT system used by the airport or aircraft operator that, if compromised or exploited, could result in operational disruption incurred by the airport or aircraft operator.

IOActive provides services for customers that would assist in meeting the EA 23-01 cybersecurity requirements, such as penetration testing (white-box, gray-box, or black-box), vulnerability assessments, red/purple teams, vulnerability scanning, asset inventory verification, reverse engineering, code reviews, and cybersecurity architecture reviews.

Conducting Cybersecurity Assessments at Airports

Normally when we think of Airport Security we’re thinking about the physical aspects. Everyone has gone through the body scanners, metal detectors, taken their shoes off, opened their bags for a search, accidentally packed 4oz. of toothpaste, etc. However, when examining the cybersecurity ecosystem of an airport there is also a lot to learn about that particular environment.

  • Vulnerability Assessments: Instead of just a traditional scan of a website, when doing a full vulnerability assessment of an airport, we can learn a lot about asset management and how the digital attack surface is shaping up and changing over time.
  • Red Teaming: Really thinking outside of the box of how a set of attackers can breach an airport in various ways is important to understand where they are weak. From SCADA systems to bag management applications, airports provide a very unique set of challenges for a modern red team.
  • Purple Teaming: A proper feedback loop between red team findings and a team responsible for defending the airport is critical to make sure it is not just another PDF report of findings that don’t get addressed. Enabling threat hunting with meaningful data purpose fit for airports is invaluable for teams with this unique set of challenges.

Over the past few years, IOActive has conducted extensive cybersecurity engagements at critical world-wide airports, such as:

  • European Airport: IOActive penetration-tested “representative” baggage handling and building management systems, as well as an Industrial Control System (ICS) security monitoring system and created a Test Specification to test the “Live”  equipment
  • US Airport:  IOActive conducted a Security Architecture review of a major SCADA system before it was installed and major vulnerabilities were found in the remote maintenance devices.
  • US Airport: IOActive using the Department of Homeland Security (DHS) Cybersecurity Evaluation Tool (CSET), conducted a risk assessment on baggage handling systems and vulnerabilities were found in the technician’s authentication to the equipment
  • US Airport: IOActive assisted the airport to develop a Cybersecurity Implementation Program (CIP) and Cybersecurity Assessment Program (CAP) to meet the new TSA-approved Security Program regulations for airports and aircraft operators . A credentialing system, secure remote access and auditing/logging capabilities were implemented to mitigate vulnerabilities found in the Industrial Control System (ICS)/OT Segmentation (e.g. Access Control, Fuel Distribution, Baggage Handling, HVAC, and CCTV systems)

IOActive has seen many systems during our other engagements that have threatscape overlaps with airports. From SCADA/ICS systems to Programmable Logic Controllers (PLCs), pipelines, and even gas turbines. We’ve assessed electricity generation/transmission/distribution systems and even power plants, which all have applicable similarities to airports from a cybersecurity risk point of view.

Kevin Harnett is a Senior Transportation Cybersecurity Technical Advisor for IOActive with deep expertise and experience in ground vehicle and aviation/airport cybersecurity. Kevin has over 40 years experience with the Department of Transportation’s (DOT) Volpe Center.

EDITORIAL | October 19, 2023

A SAFE Journey to Selling Devices to Cloud and Datacenter Providers

By Gunter Ollmann

Observations from the OCP Global Summit | San Jose, CA | October, 18, 2023

If you missed it, there was a significant launch of the Open Compute Project (OCP) Foundation’s new community-led security program for improving device security underpins a fundamental change in the way device vendors and manufacturers engage and sell their products to the worlds leading cloud and datacenter providers.

Beyond standing up a framework for driving continuous security conformance assurance, the Security Appraisal Framework and Enablement (S.A.F.E.) program redefines(and optimizes) the relationship between the device vendor, the device adopter, and the security review provider.

Back when I served as chief security officer for Microsoft’s Cloud and AI Security group, I encountered a scaling problem with the way Azure worked with device vendors (think in terms of CPU’s, GPU’s, SSD’s, network cards, etc.) in validating the integrity and security of their devices. The short story is that before any device or it’s firmware could be deployed within a datacenter a security assessment had to be undertaken – and only devices (and their firmware) that came back with “clean” security reports could be purchased and ultimately deployed. Through a combination of Microsoft’s in-house and trusted third-party penetration testing and code review teams, each key device would be tested and an iterative improvement cycle would continue until the security assurance report came back clean.

There were two obvious problems with that mode of security assurance and interaction. As a purchaser and adopter of devices, how do you scale an in-house security practices to assess and assure the thousands of devices from hundreds of vendors and their ever-changing firmware? And, as a device vendor, how do you meet and coordinate the overlapping yet distinct security requirements of every purchaser and adopter of your technology?

Which brings me back to S.A.F.E. While it has been a couple years since I moved on from Microsoft, it’s fantastic to see that those first meetings with the OCP team and like-minded cloud service providers to tackle those problems that culminated this week in the official launch of the solution – and doubly proud of IOActive’s key involvements in both the creation of the S.A.F.E. device security checklist and Security Review Provider (SRP) criteria, and for being one of the founding SRP providers.

For device vendors, I think S.A.F.E. is great news.

A few points to justify that statement:

  1. Just one set of device security requirements (complete with device checklists) that address all OCP member purchasers and adopters. Better yet, community-driven and publicly available security requirements (with input from purchasers, vendors, and SRP providers alike) that will evolve and adapt to the changing world
  2. Accredited and trusted OCP SRP providers that device vendors can engage with at anytime in their device and firmware’s development lifecycle – cost-effectively accelerating and simplifying a vendors journey to “clean” S.A.F.E.-Approved product status; ultimately ensuring a vendor’s devices can be purchased and deployed by cloud and datacenter providers quicker than ever before
  3. Devices with advanced and proprietary technologies can be security tested and assured to meet adopter security requirements without the vendor having to share proprietary source code with the adopter.

One last perspective to share – oriented specifically to device vendors: there’s fantastic innovation going on across the cloud and datacenter device ecosystem. As I navigate the OCP conference Expo hall, passing by liquid cooling-systems, quantum computing data connectors, petabyte storage arrays, and even specialized forklifts for moving data racks- I’m reminded that many vendors are only just now starting their security journey, and the prospect of having to meet the detailed requirements of S.A.F.E. may feel daunting.

In all my time at Microsoft (and IBM for that matter), I never encountered a device vendor that “nailed security” the first time, nor the third time. Reaching S.A.F.E. approval will be a journey that requires a trusted security partner. When you’re ready for that journey, you’ll not find a stronger and more accomplished or experienced partner than the team at IOActive.

COLLATERAL, RESEARCH | September 20, 2023

Commonalities in Vehicle Vulnerabilities | 2022 Decade Examination | Samantha Beaumont

With the connected car now commonplace in the market, automotive cybersecurity has become the vanguard of importance as it relates to road user safety. At the forefront of transportation cybersecurity research, IOActive has amassed over a decade of real-world vulnerability data illustrating the issues and potential solutions to cybersecurity threats today’s vehicles face.

This analysis is a major update and follow-up to IOActive’s paper on vehicle vulnerabilities originally published in 2016 and updated in 2018. The goal of this 2022 update is to deliver current data and discuss how the state of automotive cybersecurity has progressed over the course of 10 years, making note of overall trends and their causes. The target audience of this research is individuals seeking insights into the trends of automotive cybersecurity, and how to better address any causalities noted within this paper.

Some of the major technical findings from IOActive’s analysis:

  • There was a significant drop in the proportion of critical-impact vulnerabilities from 2016 to 2018. Critical-impact vulnerabilities decreased by 15%, causing the distribution of medium- and low-impact vulnerabilities to increase.
  • The industry saw significant growth in incorporating cybersecurity into the design of automotive systems from the start; for example, ensuring that processes that handle data run with limited privileges, which helps lower the impact of the most likely attacks in the event of a compromise.
  • There was an early warning observed in 2018 that the industry appears to be focusing on severity of ease-of-exploitation over actual risk.
  • A sharp decrease in physical attacks was reported, which was mainly due to industry attention focusing on remote-based attack vectors.
  • The trends observed between 2018 and 2022 are the complete opposite to what IOActive previously observed, which indicates a bounce-back effect. High-effort vulnerabilities have decreased by 6% and medium-effort have decreased by 11%, resulting in a major increase (17%) of low-hanging fruit issues.
get the vehicle security report
COLLATERAL | August 28, 2023

IOActive Silicon Security Services

Our silicon security team helps risk managers, product owners, designers, and cybersecurity professionals understand and manage the emerging risks of silicon-level and hardware-based supply chain attacks. 

IOActive has spent over two decades at the forefront of cybersecurity research and providing critical security services fueled by the research. As the security of systems (and systems of systems) increasingly depends upon proper hardware security design and implementation, we have invested in honing silicon-level attack techniques that complement the advanced expertise we have long developed in identifying the embedded-device, side-channel, and fault-injection attacks. 

Our silicon security services adds black-box and gray-box attacks to our commercial white-box work – which includes development of threat models at the microprocessor and SOC level – supporting clients in defining security design requirements, and performing register transfer level (RTL) and GDS partial layout reviews. 

get the silicon security datasheet
COLLATERAL, WHITEPAPER | August 8, 2023

Shuffle Up and Deal: Analyzing the Security of Automated Card Shufflers | Joseph Tartaro, Enrique Nissim, Ethan Shackelford

By Joseph Tartaro Enrique Nissim & Ethan Shackelford

Joseph Tartaro, Principal Security Consultant, Enrique Nissim, Principal Security Consultant, and Ethan Shackelford, Associate Principal Security Consultant, conducted a comprehensive analysis of the security aspects of ShuffleMaster’s Deck Mate 1 (DM1) and Deck Mate 2 (DM2) automated shuffler machines. Primarily used at poker tables, these machines are widely adopted by casinos and cardrooms and are commonly used in private games. While the primary objective of these devices is to enhance game speed by assisting dealers in shuffling, they also ensure security through various deck checks, and their control over the deck renders them highly desirable targets for attackers.

In this whitepaper, the team attempted to answer the following questions:

  • Is cheating possible if one of these hardware devices is compromised?
  • How feasible is it to perform such an attack?
  • What can be done to prevent and/or mitigate the risk of cheating?
  • How can players and gaming operators protect themselves from this kind of cheating?

It is worth noting that no signs of code from the manufacturer performing any malicious or hidden functions were found in either of the audited shufflers. Different groups across the internet have speculated that shufflers contain secret logic that Casinos and/or card rooms could leverage to cheat players or increase house edge. Having thoroughly reverse engineered the entire state machine of the original firmware for both shuffler models, we found no evidence whatsoever that this was the case.

get the whitepaper
INSIGHTS, RESEARCH | June 23, 2023

Back to the Future with Platform Security

By Enrique Nissim Krzysztof Okupski & Joseph Tartaro

Introduction

During our recent talk at HardwearIO (see here, slides here) we described a variety of AMD platform misconfigurations that could lead to critical vulnerabilities, such as:

  • TSEG misconfigurations breaking SMRAM protections
  • SPI controller misconfigurations allowing SPI access from the OS
  • Platform Secure Boot misconfigurations breaking the hardware root-of-trust

Here we are providing a brief overview of essential registers settings and explain how our internally developed tool Platbox (see here) can be used to verify them and ultimately exploit them.

SMM Protections

In a previous blog post about AMD platform security (see here) we explained how forgetting to set a single lock can lead to a complete compromise of System Management Mode (SMM).

To recap, on modern systems SMM lives in a protected memory region called TSEG and four Model Specific Registers (MSRs) need to be configured to guarantee these protections:

  • 0xC0010111 (SMM_BASE; base of SMM code)
  • 0xC0010112 (SMMAddr; defines TSEG base address)
  • 0xC0010113 (SMMMask; defines TSEG limit and TSEG enable bit)
  • 0xC0010015[SmmLock] (HWCR; defines lock of the aforementioned MSRs)

In the following we can see a breakdown of the aforementioned registers using Platbox on the Acer Swift 3 (model no. SF314-42; BIOS v1.10):

As marked in the output, the SMMLock bit in the Hardware Configuration Register (HWCR) hasn’t been set and therefore the TSEG region protections can simply be disabled by a privileged OS attacker by disabling the TValid bit in the SMMMask MSR.

Additionally, to ensure that the SMM code lies within the protected TSEG region, one should also confirm that the SMM base address (stored in the SMM_BASE MSR) lies inside of TSEG.  In most cases the EDK2 framework will ensure that this is the case. It is also interesting to notice that  SMM_BASE is also locked when SMMLock is set, thus preventing relocation attacks.

One additional register that is relevant to the security of SMM is the SMM key register (stored in the SMM_KEY MSR at 0xC0010119; see p630 in [1]). This is a write-only MSR that can be set before SMMLock to create a password-protected mechanism to clear SMMLock later on.

As mentioned in our presentation, while we haven’t found an OEM using this register, we used it as part of an exploit to demonstrate persistence in vulnerable platforms.

SPI Flash Protections

The SPI flash plays an important role in the context of platform security as it is used to store both the UEFI BIOS firmware code and configuration data (e.g. the Secure Boot state).

Architecturally, firmware code should only be modified at boot-time during firmware updates (via signed capsule updates) whereas portions of configuration data can be modified at run-time (in a controlled way via SMM).

To enforce this, the SPI controller-related protections need to be configured accordingly. In the following we will explain the relevant protection mechanisms, both the classic ones and the modern ones that will soon replace them.

Classic Protections

Two classic protection mechanisms exist, referred to as ROM protected ranges and SPI restricted commands, each responsible for preventing different types of accesses (see p445 in [2]).

First, ROM protected ranges apply to direct accesses via memory-mapped IO which, in turn, are automatically translated by the hardware into transactions on the SPI bus.

These ranges are configured via four write-once ROM protect registers (see p440 in [2]):

  • D14F3x050 FCH::ITF::LPC::RomProtect0
  • D14F3x054 FCH::ITF::LPC::RomProtect1
  • D14F3x058 FCH::ITF::LPC::RomProtect2
  • D14F3x05C FCH::ITF::LPC::RomProtect3

As we can see below, each of these registers defines the base address, the size and the access protection (read / write):

At the same time, it is important to enable and lock the ROM protected ranges with the AltSPICS register (see p450 in [2]):

  • SPIx01D FCH::ITF::SPI::AltSPICS[SpiProtectEn0]
  • SPIx01D FCH::ITF::SPI::AltSPICS[SpiProtectEn1]
  • SPIx01D FCH::ITF::SPI::AltSPICS[SpiProtectLock]

However, we observed that although some systems don’t configure these ranges, we haven’t been able to perform writes to the SPI flash using this method neither from the OS nor from SMM.

Second, SPI restricted commands apply to indirect accesses via the SPI controller wherein SPI registers are programmed directly. As part of it, two restricted command registers are configured (see p447-448 in [2]):

  • SPIx004 FCH::ITF::SPI::SPIRestrictedCmd
  • SPIx008 FCH::ITF::SPI::SPIRestrictedCmd2

Each of these registers defines up to four SPI opcodes that are blocked. Again, we can see the breakdown below:

In this example we can see that SPI writes are blocked altogether by restricting the Write Enable (WREN) opcode that needs to be sent before every SPI write operation.

In practice, when SMM code needs to perform a SPI write transaction it will temporarily disable the restricted command registers, perform the write operation and then restore the restricted command registers again.

In case these protections are misconfigured, as we have observed on various systems, a privileged OS attacker can easily exploit this issue. In the following we see a simple proof-of-concept that will patch portions of the SPI flash (see here):

void proof_of_concept()
{
    amd_retrieve_chipset_information(); 


    // Read and print SPI flash portion
    BYTE *mem = (BYTE *)calloc(1, 4096);
    read_from_flash_index_mode(NULL, target_fla, 4096, mem);
    print_memory(0xFD00000000 + target_fla, (char *)mem, 0x100);
  
    // Patch SPI flash
    UINT32 target_fla = 0x00000000;
    const char msg[] = "Dude, there is a hole in my BIOS";
    amd_spi_write_buffer(NULL, target_fla, (BYTE *)msg, strlen(msg));
    

    // Read and print modified SPI flash portion
    read_from_flash_index_mode(NULL, target_fla, 4096, mem);
    print_memory(0xFD00000000 + target_fla, (char *)mem, 0x100);
    free(mem);
}

In short, the code will first print the portion of the flash that is to be patched. It will then patch it, and finally print the modified flash portion again. The amd_spi_write_buffer() API automatically handles reading the affected SPI flash pages, patching them and writing them back.

Modern SPI Protections

On more modern systems we have observed that the aforementioned protection mechanisms are slowly being replaced by a newer technology referred to as ROM Armor.

In essence, ROM Armor is AMD’s equivalent of Intel’s Protected Range Registers (PRRs) and ensures that only whitelisted portions of the SPI flash can be modified at run-time (in a controlled fashion via SMM).

To determine which portions of the SPI flash are whitelisted, we developed a script that parses the PSP directory and extracts the whitelisted regions (see here):

Note that in this case we used an Acer TravelMate P4 (model no. TMP414-41-R854; BIOS v1.08) instead as this technology is only present in most recent systems.

Hardware Root-of-Trust Configurations

Platform Secure Boot (PSB) is AMD’s implementation of a hardware root-of-trust and ensures that initial phases of the UEFI BIOS firmware haven’t been tampered with and is the main line of defense against persistent firmware implants.

PSB is implemented using an embedded chip called the Platform Security Processor (PSP). In order for PSB to be enforced, the UEFI BIOS firmware needs to be built accordingly and the PSB related fuses in the PSP need to be configured.

We’ve found that two registers in particular can be leveraged to determine whether PSB has been enabled correctly:

  • PSB Fuse Register (defines fuse configuration)
  • PSB State Register (defines configuration state)

While the PSB fuse register can be used to determine whether PSB has been enabled and the fuses have been locked, the PSB state register indicates the status of the PSB configuration.

Herein we can see a more detailed breakdown of these registers:

As we can see, the Acer Swift 3 does not properly configure the PSB fuses and the PSB status indicates that an error has occurred.

The following video demonstrates how the ability to write to the SPI flash (via an SMI vulnerability or SPI controller misconfigurations), combined with the lack of PSB, results in a persistent firmware implant.

First, we attempt to read the TSEG region and see that it’s not accessible as it returns FFs only. We therefore patch the firmware with our backdoor inside of it via a vulnerable SMI handler and reset the system:

Next, we attempt to read the TSEG region again and see that the result is the same. However, this time around after disabling the TSEG protections via the SMM_KEY that was configured by our backdoor, we are able to read it out:

Here is the proof-of-concept that leverages the SMM key configured by the backdoor, clears the SmmLock bit in the HWCR register and finally disables TSEG protections (see here):

#define MSR_SMM_KEY     0xC0010119
#define MSR_SMM_KEY_VAL 0x494f414354495645

int main(int argc, char **argv)
{ 
  open_platbox_device();
  
  // Fetching TSEG base address and size
  UINT64 tseg_base = 0;
  UINT32 tseg_size = 0;
  get_tseg_region(&tseg_base, &tseg_size);
  printf("TSEG Base: %08x\n", tseg_base);
  printf("TSEG  End: %08x\n", tseg_base + tseg_size);

  // Reading start of TSEG region
  printf("\nReading TSEG region:\n");
  void *tseg_map = map_physical_memory(tseg_base, PAGE_SIZE);
  print_memory(tseg_base, (char *) tseg_map, 0x100);
  unmap_physical_memory(tseg_map, PAGE_SIZE);
  
  // Disabling TSEG protections using backdoor
  getchar();
  printf("=> Setting SMM Key\n");
  do_write_msr(MSR_SMM_KEY, MSR_SMM_KEY_VAL);

  getchar();
  printf("=> Disabling TSEG protection\n");
  UINT64 tseg_mask = 0;
  do_read_msr(AMD_MSR_SMM_TSEG_MASK, &tseg_mask);
  do_write_msr(AMD_MSR_SMM_TSEG_MASK, tseg_mask & 0xFFFFFFFFFFFFFFFC);

  // Reading start of TSEG region
  getchar();
  printf("\nReading TSEG region:\n");
  tseg_map = map_physical_memory(tseg_base, PAGE_SIZE);
  print_memory(tseg_base, (char *) tseg_map, 0x100);
  unmap_physical_memory(tseg_map, PAGE_SIZE);
  
  close_platbox_device();

  return 0;
}

SMM Supervisor OEM Policies

The SMM Supervisor is AMD’s approach at deprivileging and isolating SMI handlers. When implemented, SMI handlers need to go through an enforcement module to gain access to MSRs and IO registers. Additionally, paging is added which limits their access to arbitrary system memory. Everytime an SMI attempts to access these privileged resources, an OEM policy is checked to see if they can have access or not. 

OEM policies live within the Freeform Blob called SmmSupvBin with the GUID {83E1F409-21A3-491D-A415B163A153776D}.  The policy contains multiple types of entries:

  • Memory
  • IO Register
  • MSR
  • Instruction
  • SaveState

A small utility is available in the Platbox repository (see here). This utility will attempt to parse UEFI images and extract the policy, or if you provide a raw policy format that has been previously extracted it will print the details.

For example, this is a section of an OEM policy which is specifically restricting IO Register Write access to the IO Registers 0xCF8 and 0xCFC, thus specifically restricting access to PCI configuration space. We believe that this will come in handy in the future to perform baseline comparisons against OEM policies across various platforms. It gives researchers the ability to quickly see if an OEM failed to restrict a specific MSR or IO Register which may aid an attacker.

Resources

[1] AMD64 Architecture Programmer’s Manual, Volume 2: System Programming
[2] Processor Programming Reference (PPR) for AMD Family 17h Model 20h, Revision A1 Processors

INSIGHTS, RESEARCH | June 13, 2023

Applying Fault Injection to the Firmware Update Process of a Drone

By IOActive

IOActive recently published a whitepaper (https://ioac.tv/3N005Bn) covering the current security posture of the drone industry. IOActive has been researching the possibility of using non-invasive techniques, such as electromagnetic (EM) side-channel attacks or EM fault injection (EMFI), to achieve code execution on a commercially available drone with significant security features. For this work, we chose one of the most popular drone models, DJI’s Mavic Pro. DJI is a seasoned manufacturer that emphasizes security in their products with features such as signed and encrypted firmware, Trusted Execution Environment (TEE), and Secure Boot.

Attack Surface

Drones are used in variety of applications, including military, commercial, and recreational. Like any other technology, drones are vulnerable to various types of attacks that can compromise their functionality and safety. 

As illustrated above, drones expose several attack surfaces: (1) backend, (2) mobile apps, (3) radio frequency (RF) communication, and (4) physical device.

As detailed in the whitepaper (https://ioac.tv/3N005Bn), IOActive used EM emanations and EMFI due to their non-invasive nature. We leveraged Riscure products as the main tools for this research.

The image below show the PCB under analysis after being removed from the drone; power has been connected to an external power supply.

First Approach

Our first approach was to attempt to retrieve the encryption key using EM emanations and decrypting the firmware. We started by finding an area on the drone’s PCB with a strong EM signal so we could place a probe and record enough traces to extract the key.

After identifying the location with strongest signal, we worked on understanding how to bypass the signature verification that takes place before the firmware is decrypted. After several days of testing and data analysis, we found that the probability of successful signature bypass was less than 0.5%. This rendered key recovery unfeasible, since it would have required us to collect the tens of thousands of traces.

Second Approach

Our second approach was to use EMFI based on the ideas published by Riscure (https://www.riscure.com/publication/controlling-pc-arm-using-fault-injection). Riscure proposes using a glitch to cause one instruction to transform into another and gain control of, for example, the PC register. The following image shows the setup we used for this approach, which included a laptop (used as a controller), a power supply, Riscure’s Spider (used to generate the trigger), an oscilloscope, an XYZ table, and the EMFI pulse-generator.

After identifying a small enough area on the PCB, we modified the glitch’s shape and timing until we observed a successful result. The targeted process crashed, as shown below:  

Our payload appeared in several registers. After examining the code at the target address, we determined that we had hit a winning combination of timing, position, and glitch shape. The following capture shows the instruction where a segmentation error took place:

The capture clearly shows a load instruction copying our data to registers R0 and R1. In addition, the GDB output also shows that registers R3 and R4 ended up with controlled data. Further details can be found in the whitepaper (https://ioac.tv/3N005Bn).

Having successfully caused memory corruption, the next step would be to design a proper payload that achieves code execution. An attacker could use such an exploit to fully control one device, leak all sensitive content, enable ADB access, and potentially leak the encryption keys.

Disclosure Timeline

The DJI team response was excellent, fast and supportive.

2023-04-04: Initial Contact with DJI including sharing report.
2023-05-04: DJI agrees on publication date.

RESEARCH |

Drone Security and Fault Injection Attacks | Gabriel Gonzalez | IOActive Labs Blog

By Gabriel Gonzalez

I recently published the full technical details to the research in this IOActive whitepaper.

The use of Unmanned Aerial Vehicles (UAVs), commonly referred to as drones, continues to grow. Drones implement varying levels of security, with more advanced modules being resistant to typical embedded device attacks. IOActive’s interest is in developing one or more viable Fault Injection attacks against hardened UAVs.

IOActive has been researching the possibility of achieving code execution on a commercially available drone with significant security features using non-invasive techniques, such as electromagnetic (EM) side-channel attacks or EM fault injection (EMFI). For this work, we chose one of the most common drone models, DJI’s Mavic Pro. DJI is a well established manufacturer that emphasizes security in their products, such as signed and encrypted firmware, Trusted Execution Environment (TEE), and Secure Boot.

Read the IOActive Labs’ Blog
WHITEPAPER |

Drone Security and Fault Injection Attacks | Gabriel Gonzalez

By Gabriel Gonzalez

Gabriel Gonzalez, IOActive Director of Hardware Security presents full technical detail of his research into drone security and side-channel/fault injection attacks in this whitepaper.

The use of Unmanned Aerial Vehicles (UAVs), commonly referred to as drones, continues to grow. Drones implement varying levels of security, with more advanced modules being resistant to typical embedded device attacks. IOActive’s interest is in developing one or more viable Fault Injection attacks against hardened UAVs.

This paper covers IOActive’s work in setting up a platform for launching side-channel and fault injection attacks using a commercially available UAV. We describe how we developed a threat model, selected a preliminary target, and prepared the components for attack, as well as discussing what we hoped to achieve and the final result of the project.

Get the Whitepaper
INSIGHTS, RESEARCH | February 16, 2023

Adventures in the Platform Security Coordinated Disclosure Circus

By Enrique Nissim Krzysztof Okupski & Joseph Tartaro

Platform security is one of the specialized service lines IOActive offers and we have worked with many vendors across the industry. Lately, we have been conducting research on various targets while developing tooling that we believe will help the industry make platform security improvements focused on AMD systems.

SecSMIFlash

In early October 2022, IOActive reported a number of security issues to ASUS and AMI in an SMM module called SecSMIFlash (GUID 3370A4BD-8C23-4565-A2A2-065FEEDE6080). SecSMIFlash is included in BIOS image G513QR.329 for the ASUS Rog Strix G513QR. This module garnered some attention after Alexander Matrosov (BlackHat USA 2017) demonstrated how the SMI handlers failed to check input pointers with SmmIsBufferOutsideSmmValid(), resulting in CVE-2017-11315. 

IOActive discovered issues on one of our target platforms, a fully updated ASUS Rog Strix G513QR, while running an internally developed dumb SW SMI fuzzer. Almost immediately, the system appeared to hang on SMI handler 0x1D.

This module registers a single SW SMI handler for three different SwSmiInputs (0x1D, 0x1E, 0x1F) via EFI_SMM_SW_DISPATCH2_PROTOCOL:

Based on public information about this module, the above operations map to:

– 0x1D – LOAD_IMAGE

– 0x1E – GET_POLICY

– 0x1F – SET_POLICY

The handler uses EFI_MM_CPU_PROTOCOL to read the contents of the saved ECX and EBX registers and create a 64-bit pointer. This constructed buffer is verified to be exactly 8 bytes long and outside SMRAM using AMI_SMM_BUFFER_VALIDATION_PROTOCOL:

Depending on the value written on the SW-SMI triggering port (SwSmiInput), the execution continues in handle_load_image (0x1D), handle_get_policy (0x1E), or handle_set_policy (0x1F). These three functions receive a single argument which is the constructed pointer from the previous step:

The three operations have security issues.

Let’s start with handle_load_image. As part of its initialization, SecSMIFlash allocates 0x1001 pages of memory (g_pBufferImage) that are going to be used to store the BIOS image file.

The buffer address is put into RBX and then validated again but this time it checks that the size is at least 0x18 bytes (outside SMRAM).

The buffer is used as a record defined as follows:

typedef struct {
  /* 0x00 */  void * user_buffer;
  /* 0x08 */  unsigned int user_offset;
  /* 0x0C */  unsigned int user_buffer_size;
  /* 0x10 */  unsigned int status;
  /* 0x14 */  unsigned int unk;
} lp_record;

Another pointer is extracted from memory (the user_buffer member), which is validated to be user_buffer_size bytes, followed by a check that attempts to make sure that the provided offset and size are within the allocated bounds of g_pBufferImage.

The problem is that there is a time-of-check to time-of-use (TOCTOU) condition that can be abused:

The block of code that performs the checks does not make local copies of the values into SMRAM. The values are retrieved again from user-controlled memory when the copy is done, which means the values could have changed.

Exploitation of this issue requires the use of a DMA agent.

In the case of the handle_get_policy operation, the code presents a vulnerability in the first basic block:

Previously, the buffer was verified to only 8 bytes outside SMRAM, but here the code writes the value 1 at offset +102h and the ValidateMemoryBuffer check happens afterwards. Moreover, if ValidateMemoryBuffer fails, the handler simply bails out without doing anything else.

This out-of-bounds write condition allows the first 250 bytes (102h – 8) of the TSEG region to be written. The bottom of the TSEG region contains the SMM_S3_RESUME_STATE structure:

There are several EFI_PHYSICAL_ADDRESS pointers that could be targeted to achieve arbitrary SMM code execution.

The following PoC code uses Platbox and the above primitive to write ones to the first 250 bytes of the TSEG region (0xef000000 in the machine used for testing):

Finally, for the handle_set_policy operation, the code suffers from a combination of the issues described above.

Responsible Disclosure Attempt

IOActive drafted a technical document and sent it over to ASUS. After a few weeks, ASUS replied with the following:

The response left us with some concerns:

1. They claimed all the reported issues were known by the team.
2. There was no ETA for the patch.
3. The issues were discovered by Intel and there was an embargo?
4. Is there a CVE assigned to track these?

We replied with a few questions along these lines and their response made it clear that the module is entirely handled by AMI and that Intel researchers may or may not apply a CVE number.

On the other hand, AMI provided a much quicker response, although quite unexpected:

Thursday, February 16, 2023

Adventures in the Platform Security Coordinated Disclosure Circus

 by Enrique NissimKrzysztof Okupski and Joseph Tartaro

Platform security is one of the specialized service lines IOActive offers and we have worked with many vendors across the industry. Lately, we have been conducting research on various targets while developing tooling that we believe will help the industry make platform security improvements focused on AMD systems.

SecSMIFlash

In early October 2022, IOActive reported a number of security issues to ASUS and AMI in an SMM module called SecSMIFlash (GUID 3370A4BD-8C23-4565-A2A2-065FEEDE6080). SecSMIFlash is included in BIOS image G513QR.329 for the ASUS Rog Strix G513QR. This module garnered some attention after Alexander Matrosov (BlackHat USA 2017) demonstrated how the SMI handlers failed to check input pointers with SmmIsBufferOutsideSmmValid(), resulting in CVE-2017-11315. 

IOActive discovered issues on one of our target platforms, a fully updated ASUS Rog Strix G513QR, while running an internally developed dumb SW SMI fuzzer. Almost immediately, the system appeared to hang on SMI handler 0x1D.

This module registers a single SW SMI handler for three different SwSmiInputs (0x1D, 0x1E, 0x1F) via EFI_SMM_SW_DISPATCH2_PROTOCOL:

Based on public information about this module, the above operations map to:

– 0x1D – LOAD_IMAGE

– 0x1E – GET_POLICY

– 0x1F – SET_POLICY

The handler uses EFI_MM_CPU_PROTOCOL to read the contents of the saved ECX and EBX registers and create a 64-bit pointer. This constructed buffer is verified to be exactly 8 bytes long and outside SMRAM using AMI_SMM_BUFFER_VALIDATION_PROTOCOL:

Depending on the value written on the SW-SMI triggering port (SwSmiInput), the execution continues in handle_load_image (0x1D), handle_get_policy (0x1E), or handle_set_policy (0x1F). These three functions receive a single argument which is the constructed pointer from the previous step:

The three operations have security issues.

Let’s start with handle_load_image. As part of its initialization, SecSMIFlash allocates 0x1001 pages of memory (g_pBufferImage) that are going to be used to store the BIOS image file.

The buffer address is put into RBX and then validated again but this time it checks that the size is at least 0x18 bytes (outside SMRAM).

The buffer is used as a record defined as follows:

typedef struct {  /* 0x00 */  void * user_buffer;  /* 0x08 */  unsigned int user_offset;  /* 0x0C */  unsigned int user_buffer_size;  /* 0x10 */  unsigned int status;  /* 0x14 */  unsigned int unk;} lp_record;

Another pointer is extracted from memory (the user_buffer member), which is validated to be user_buffer_size bytes, followed by a check that attempts to make sure that the provided offset and size are within the allocated bounds of g_pBufferImage.

The problem is that there is a time-of-check to time-of-use (TOCTOU) condition that can be abused:

The block of code that performs the checks does not make local copies of the values into SMRAM. The values are retrieved again from user-controlled memory when the copy is done, which means the values could have changed.

Exploitation of this issue requires the use of a DMA agent.

In the case of the handle_get_policy operation, the code presents a vulnerability in the first basic block:

Previously, the buffer was verified to only 8 bytes outside SMRAM, but here the code writes the value 1 at offset +102h and the ValidateMemoryBuffer check happens afterwards. Moreover, if ValidateMemoryBuffer fails, the handler simply bails out without doing anything else.

This out-of-bounds write condition allows the first 250 bytes (102h – 8) of the TSEG region to be written. The bottom of the TSEG region contains the SMM_S3_RESUME_STATE structure:

There are several EFI_PHYSICAL_ADDRESS pointers that could be targeted to achieve arbitrary SMM code execution.

The following PoC code uses Platbox and the above primitive to write ones to the first 250 bytes of the TSEG region (0xef000000 in the machine used for testing):

Finally, for the handle_set_policy operation, the code suffers from a combination of the issues described above.

Responsible Disclosure Attempt

IOActive drafted a technical document and sent it over to ASUS. After a few weeks, ASUS replied with the following:

The response left us with some concerns:

1. They claimed all the reported issues were known by the team.

2. There was no ETA for the patch.

3. The issues were discovered by Intel and there was an embargo?

4. Is there a CVE assigned to track these?

We replied with a few questions along these lines and their response made it clear that the module is entirely handled by AMI and that Intel researchers may or may not apply a CVE number.

On the other hand, AMI provided a much quicker response, although quite unexpected:

We attempted to look for advisory SA50121 but did not find anything. It is probably only available to vendors. What is surprising though, is they say that a fix was released in June.

SMIFlash

At this point, we decided to look at the other related module Alex Matrosov’s presentation: SMIFlash.efi. SMIFlash (GUID BC327DBD-B982-4F55-9F79-056AD7E987C5) is one of the SMM modules included in BIOS image G513QR.330 for the ASUS Rog Strix G513QR. The module installs six SW-SMI handlers that are prone to double fetches (TOCTOU) that, if successfully exploited, could be leveraged to execute arbitrary code in System Management Mode (ring-2).

There are two public CVEs related to this module from 2017: 

CVE-2017-3753 states that the module lacks proper input pointer sanitization and only mentions Lenovo as affected; however, this module is also part of our target ASUS Rog Strix BIOS, and after a bit of reverse engineering, we were able to identify three race conditions (TOCTOU) with different levels of impact. 

This module registers a single SW-SMI handler for six different SwSmiInputs (0x20, 0x21, 0x22, 0x23, 0x24, and 0x25) via EFI_SMM_SW_DISPATCH2_PROTOCOL:

Based on public information about this module, the above operations map to:

– 0x20 – ENABLE
– 0x21 – READ
– 0x22 – ERASE
– 0x23 – WRITE
– 0x24 – DISABLE
– 0x25 – GET_INFO

The handler uses EFI_MM_CPU_PROTOCOL to read the content of the saved ECX and EBX registers and create a 64-bit pointer. For all operations except for GET_INFO, this constructed address is verified to be exactly 18h bytes outside SMRAM using AMI_SMM_BUFFER_VALIDATION_PROTOCOL. 18h is therefore the size of the basic input record this module needs to work with. Reverse engineering the structure led to the following layout:

Depending on the value written on the SW-SMI triggering port (SwSmiInput), the execution continues in one of the previously listed operations (ENABLE, READ, WRITE, etc.). 

The READ and WRITE operations receive the pointer to the record as an argument and both are prone to the same TOCTOU vulnerabilities. Let’s look at the READ implementation:

RCX holds the controlled pointer and is copied into RBX. The function starts by checking that the flash_addr value falls within the intended flash range MMIO (0xFF000000-0xFFFFFFFF). It continues by using AMI_SMM_BUFFER_VALIDATION_PROTOCOL to ensure that the buffer_data pointer resides outside SMRAM. This is interesting because the reported issues in CVE-2017-3753 and CVE-2017-11316 seem to be related to the lack of validation over the input parameters. If the input pointers are not properly verified using SmmIsBufferOutsideSmmValid() (in this case ValidateMemoryBuffer()), an attacker can pass a pointer with an SMRAM address value and have the ability to read and/or write to SMRAM. In our current version, this is not the case and we can see verification is there.

Nevertheless, the code is retrieving the values from memory twice for all three members (flash_addr, size, and buffer_data). This means that the checked values do not necessarily correspond to the ones being passed to the FlashDriverSmm module. This is a race condition that an attacker can exploit through a DMA attack. Such an attack can easily be performed with a custom PCI device (e.g. PciLeech – https://github.com/ufrisk/pcileech).

Winning the race for the READ operation leads to writing to SMRAM with values retrieved from flash; however, by disabling the Flash with the DISABLE operation first, the underlying implementation of FLASH_SMM_PROTOCOL (which resides in the FlashDriverSmm module), will use a simple memcpy to fulfill the request:


This is interesting because it provides an easier way to control all the bytes being copied.

The WRITE operation has the exact same condition, although in this case, winning the race means leaking content from SMRAM into the Flash:


In summary, for both cases, the block of code performing the checks does not make local copies of the values into SMRAM. The values are retrieved again from user-controlled memory when they are about to be used, which means the values could have changed.

The GET_INFO (0x25) operation is affected by the same condition, although in a different way. In this case, as soon as the user pointer is constructed, the code verifies it is at least 1Ah bytes outside of SMRAM. Then, it retrieves the value of the first dword and uses it to further check the length of the provided region:

The reversed engineered structure looks as follows:

The code continues by calling into a function that allocates 905Bh bytes of SMRAM and attempts to copy the data into it. RBX is the pointer to the record, and the double-fetch is clear:

The code is trying to enforce 905Bh bytes as an upper limit for the copy but because the memory is fetched twice, the value could have changed after the check passed. As a result, SMRAM will be corrupted.

Responsible Disclosure Attempt

Q4 is always busy, and as a consequence, our team did not immediately report these issues to ASUS or AMI. Instead, four months passed since our initial report on SecSMIFlash.efi. On February 2 2023, after verifying the issues were still present in the latest available BIOS for our target ASUS laptop, we documented the findings and reported them to AMI.

This time AMI’s response only took two hours:

The CERT link was very helpful because it allowed us to better understand the full picture. The most important sections of the vulnerability note are reproduced below:

Multiple race conditions due to TOCTOU flaws in various UEFI Implementations

Vulnerability Note VU#434994

Original Release Date: 2022-11-08 | Last Revised: 2023-01-25

Overview
Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. An attacker can corrupt the memory using Direct Memory Access (DMA) timing attacks that can lead to code execution. These threats are collectively referred to as RingHopper attacks.

Description
The UEFI standard provides an open specification that defines a software interface between an operating system (OS) and the device hardware on the system. UEFI can interface directly with hardware below the OS using SMM, a high-privilege CPU mode. SMM operations are closely managed by the CPU using a dedicated portion of memory called the SMRAM. The SMM can only be entered through System Management Interrupt (SMI) Handlers using a communication buffer. SMI Handlers are essentially a system-call to access the CPU’s SMRAM from its current operating mode, typically Protected Mode.

A race condition involving the access and validation of the SMRAM can be achieved using DMA timing attacks that rely on time-of-use (TOCTOU) conditions. An attacker can use well-timed probing to try and overwrite the contents of SMRAM with arbitrary data, leading to attacker code being executed with the same elevated-privileges available to the CPU (i.e., Ring -2 mode). The asynchronous nature of SMRAM access via DMA controllers enables the attacker to perform such unauthorized access and bypass the verifications normally provided by the SMI Handler API.

The Intel-VT and Intel VT-d technologies provide some protection against DMA attacks using Input-Output Memory Management Unit (IOMMU) to address DMA threats. Although IOMMU can protect from DMA hardware attacks, SMI Handlers vulnerable to RingHopper may still be abused. SMRAM verification involving validation of nested pointers adds even more complexity when analyzing how various SMI Handlers are used in UEFI.

Impact
An attacker with either local or remote administrative privileges can exploit DMA timing attacks to elevate privileges beyond the operating system and execute arbitrary code in SMM mode (Ring -2). These attacks can be invoked from the OS using vulnerable SMI Handlers. In some cases, the vulnerabilities can be triggered in the UEFI early boot phases (as well as sleep and recovery) before the operating system is fully initialized.

[..]

Acknowledgements
Thanks to the Intel iStare researchers Jonathan Lusky and Benny Zeltser who discovered and reported this vulnerability.


It is notable that there is no mention of SecSMIFlash.efi or SMIFlash.efi, and the information provided is quite generic. Nevertheless, we can see that the original release date matches what ASUS first said. It is also interesting that the vulnerability was last updated only a few days ago (Dell latest update). Additionally, the description refers to “RingHopper attacks” and mentions the Intel researchers that reported the issues.

These pieces of information immediately led to the following tweet

Although we cannot be certain that they reported the exact same issues that we attempted to report, it does seem these two researchers documented findings on these modules before our team. It appears that the vulnerabilities were assigned CVE-2021-33164.

On November 16, 2022, Benny Zeltser tweeted that they had to withdraw the presentation from BlackHat USA and DefCon because the issues were not yet fixed. This suggests that a lot of the affected vendors have not been able to produce a new BIOS image, including the fixed modules. Indeed, from the list of vendors shown in the CERT vulnerability note, only AMI, Dell, HPE, Insyde, and Intel are marked as “affected.” We can now confirm that ASUSTeK is also affected.

Conclusion

Responsible coordinated disclosure in the platform security space is a bit of a circus. This issue was highlighted by Matrosov himself in his 2022 presentation at OffensiveCon.

ASUS mentioned an embargo that, to the best of our knowledge, expired on November 2, 2022. When reading the CERT link from AMI, all reported vendors reference CVE-2021-33164, specifically calling out issues on Intel NUCs and mentioning that the patches were released back in June of 2022. When analyzing the affected vendors list on the CERT page, you will find that all vendors noted as affected have released patches as of February 3, 2023. All vendors listed as unknown, or in our case ASUS, have yet to release patches but have been well aware of the vulnerabilities and the reports based on the communication we had with them. 

IOActive has decided to publish the technical details about these issues after understanding that AMI released patches back in mid-2022 and that no new information was provided by us in our report of both modules. In addition, the CVE was filed back in 2021 and all vendors appear to have had more than enough time to responsibly patch and disclose these issues to consumers.

The CERT advisory refers to these threats as RingHopper attacks. The abstract of a presentation about RingHopper suggests billions of devices are affected by these issues. Our efforts to report these vulnerabilities to vendors stopped with the replies that they were already aware of these issues and have remedies in place. The fact that some vendors appear to still be vulnerable at this time is surprising. Ultimately, we feel it’s more important to shed light on this in order to get the issues fixed on those platforms that appear to be delayed, instead of leaving consumers and the industry in the dark for such an extended period of time.