The lack of hardware security¶
The computers that we use seem to be build with inherently insecure hardware. Occasionally I consider my laptop somewhat secure. It runs Linux, has all the latest security updates and am careful when installing software. Also I do not let other people use it without me watching very carefully. However, there are so many things that can get you “owned”, that is become insecure and your system taken over.
The “normal” software side of things is somewhat understood. I mean one knows that just randomly installing software can bring you into trouble. Current example are the encryption trojans which are distributed in ZIP files or Microsoft Office documents. All those are things where a proper backup and a fresh installation of your operating system should help. Software can be nasty, but at least you can start off fresh with a clean installation.
Hardware with infected firmware is quite a different beast. In the end, this is also software, but it resides in the various pieces of your computer.
UEFI / BIOS¶
The fundamental piece in a computer is the UEFI or its predecessor, the BIOS. This has the ultimate control over the hardware in the first phases of booting and then hands this over to the operating system. You can get updates for it, but that is always a real nightmare.
The ASUS story¶
In my tower I have an ASUS mainboard. There is some horrible Windows software included with it, I have installed it in order to control the fan speeds. I once got a notification about a new version of the UEFI firmware. Well, I have then downloaded it. To my shock, the download went over plain HTTP. Seriously, this is the firmware of the most fundamental part which has more control over the system than the Linux or Windows running on it. My Linux updates are signed with GnuPG. The Windows updates are signed by Microsoft. But the firmware update is neither signed nor protected in the download. I am not a lawyer, but to me this sounds like “negligence” or even “gross negligence”.
So then I have contacted ASUS and somehow ended up with the department in South Africa. My email:
I have just updated the BIOS firmware of my Asus mainboard using a USB Thumbdrive. The download of the firmware from the Asus website was over an unencrypted HTTP connection. That means that any attacker on the network or ISP level could just give me a different download. Since the BIOS is at such a low level, malware implanted at this level would be able to do great harm.
So I ask you to offer the BIOS firmware downloads over an HTTPS connection.
Unfortunatly the only place where I can recommend that you download the BIOS updates is from the Asus support page for your device, I cannot recommend downloding the updates from another page and the support page is the place where the updates are posted.
And of course I got back to them:
I am not sure that you really understood my point. Downloading the updates from a third-party site is insane. On a third-party site you have no idea what kind of stuff they put into the installer.
What I am talking about is the security of downloads from your official ASUS website! On your website, the download is run over HTTP which is not encrypted and unverified and therefore insecure by default. Any man-in-the-middle could easily exchange the downloaded BIOS update with a file of his choosing. This man-in-the-middle could be my ISP (internet service provider), compromised firmware in my router or even the government somewhere.
So please change your downloads to HTTPS and deliver the BIOS updates securely to your customers. Otherwise it is too easy to implant malware in your customer’s ASUS mainboard when they update them.
I never got a reply on that email. To me this means this got buried in the first level of support, nobody has a clue what is going on there. And in case they do have a clue, they do not want to talk about it.
My conclusion is that a manufacturer of consumer mainboards does not really care about the security of my mainboard. With enough preparation time it would be a piece of cake for somebody with control over my internet at home (ISP, government) to infect the update with malware. I made sure to download it at home and not over a wireless network in a coffee shop but this still makes me feel uneasy.
One could argue that the government has the power to demand a valid HTTPS certificate to perform a non-detectable man-in-the-middle attack on people performing that firmware upgrade. Still, I do not really see the point of not serving the updates over HTTPS today.
The update process itself went via a USB thumbdrive in a special USB slot on the mainboard. This is nice as it prevents accidental flashing from some USB drive when it is used in a different slot.
The Lenovo story¶
I upgraded the firmware on my ThinkPad as well. There the download happened over HTTP as well. Since my laptop did not wake up from suspend at the time, I did not really care that much any more.
The installation was done using a 16-Bit DOS booting from CD or alternatively using something that just prepared the flashing from within Windows. At least there is an option in the UEFI setup to disable flashing, so should not need to fear malicious flashing in the background.
Another source of insecurities are USB devices. The term is “Bad USB”, the replacing of the firmware on the USB controller. Then those devices behave differently. One graphical example is a keyboard where the firmware was changed such that one can play snake on it. Or just look at the video directly.
This is frightening as I am certain that a keylogger could be implemented as well. I would do it like this: Filter all the keystrokes and then record 16-digits numbers (credit card numbers) and the context to get the billing address. Also record everything around using Tab and Enter, that is likely a username/password combination right there. Using a special key combination, the firmware will present itself also as a storage device containing text files with the filtered contents. This way you can “lend” the keyboard to the victim and then later on retrieve the data.
Even worse one could try a remote extraction of the data. When the keyboard is
certain that the currently focused window is a web browser (perhaps by waiting
www. or so), it could just continue typing
example.com/extract.php?payload=... and then hit Enter. One should
perhaps this a bit, but I think it can certainly be damaging.
One keyboard I was going to buy is the Ducky Mini. This has an ARM Chip on it, so one can run quite a bit of software on it. From the website you can also download software upgrades. They are installers that you run on Windows, they will then flash the keyboard with the update. Now I wondered what prevents an attacker from flashing my keyboard while I use it on an untrusted computer? This means that I can only use my keyboard at home. And if I ever happen to use it on an untrusted computer, I can basically throw it away.
Since I am a keyboard enthusiast, I would really like to have my own high-quality mechanical keyboard at work, too. This is a bit hard with most IT departments as they do not allow any foreign hardware due to exactly those security problems.
So I contacted the manufacturer in Taiwan hoping for some clarification:
I am very interested in the Ducky Mini. Since most employers only supply cheap keyboards, I would like to buy a small mechanical keyboard to use at work and for contracting work.
The power of the ARM chip sounds awesome, but the ability to install firmware updates sounds to me that one could also install malware on the keyboard and turn it into a keylogger.
Are there any protections in place to prevent such things?
Is there anything I could show to the IT department of my employer to certify that it is safe to use at company computers?
Their answer was, as expected, besides the point:
We do not provide software for Ducky Mini. The firmware only can update the keyboard.
It will not install any malware.
I do not get the first sentence. The second and third ones tell that their firmware does not do anything bad. Sure, I believe that. But they do not get the point either.
My next keyboard will be the keyboard.io. This is based on the Arduino, which allows even more tinkering compared to some ARM chip. However, it has a crucial feature: a dip-switch to enable/disable firmware flashing. So there I know that somebody has actually thought about the problematic and designed a solution for it. When disabling the update, I should be fine to use it on any PC because it cannot become infected via the update mechanism.
If you buy your hardware anonymously in some store, one could hope that it is not infected with some attack tailored to you. However, when you order online, one could target an attack.
Same goes with the warranty, if you ever need it. There is no way that you can be sure that the firmware on the device has not been altered when you get the device back.
I have the impression that you are dead in the waters regarding security. At least if you are a consumer. For companies, I fear that it is not much better. Since they usually buy their computers in bulk and have much less diversity in their hardware, it should be easier to keep the hardware secure. Not allowing employees to bring in their own hardware is a good step forward, although I’d really like to have a good keyboard.
With the hardware situation in mind, it still makes sense to keep the software you run save. However, the trust one can put into an average laptop after it has been used for anything is somewhat limited.