Two problems were found in the bootloader of the Nvidia Shield (manufacturer's bulletin). One of them allows execution of arbitrary code. The second allows the boot image to be replaced, which gives full control over the device. Both vulnerabilities are fixed in Shield firmware version 8.0.1.
Hardware backdoors, real and imaginary
Last October, Bloomberg Businessweek published an article describing an implant on SuperMicro motherboards that could remotely control a server and steal data. The companies named in the article (SuperMicro itself, as well as Apple and Amazon) denied both that any implant had been found and the events the article described. The Bloomberg piece became a textbook example of poor reporting in the field of information security: anonymous sources and a minimum of technical detail.
The fact that this incident was most likely invented does not mean that such attacks are theoretically impossible. Last week, Wired magazine wrote about research by Monta Elkins. Elkins bought a Cisco ASA 5505 firewall (the model was chosen solely because it was the cheapest) and soldered an ATtiny85 chip to the device's board. The chip costs two dollars; the whole modification cost about $200, most of it spent on the soldering station. The chip was placed so that, on the first boot after power-on, it changes the device's settings and opens remote access.
In December 2018, a similar proof of concept was shown by researcher Trammell Hudson. A detailed description of the PoC and a detailed commentary on the Bloomberg article are available here. Hudson implemented a scenario closer to the one described in general terms in the article: the implant is installed on a SuperMicro server motherboard and communicates with the Baseboard Management Controller. The video below shows the implant talking to the BMC and executing arbitrary code. In this case, though, it is purely a demonstration, with no consequences for the potential owner of the board, and it only works intermittently (or, in Hudson's own words, "more like 1 time out of 80").
Hudson draws the following conclusions: yes, planting a hardware backdoor in modern server hardware is theoretically possible. No, this does not confirm the Bloomberg story. Both researchers acknowledge that software attacks offer the same capabilities as hardware backdoors, but at far less effort. The only theoretical advantage of a hardware backdoor is stealth, and here Hudson proposes maximum development transparency as the remedy: if the device schematics, bill of materials and controller code are published, implanting a backdoor at the hardware level becomes harder. In any case, verifying that hardware matches the vendor's promises is as hard as implementing unwanted functionality in it.
It has been a while since we covered router vulnerabilities. Fortinet specialists found (news, research) a serious problem in D-Link devices (models DIR-655, DIR-866L, DIR-652, DHP-1565). An error in the router code allows commands to be executed through the web interface without authorization. The manufacturer declined to release an update and close the vulnerability: D-Link's policy is to release patches only for a certain period after a device's release. All affected models (the DIR-655 came out about 10 years ago) are considered end-of-life.
Disclaimer: The opinions expressed in this digest may not coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.