{{Header}} {{#seo: |description=Firmware Security and Updating Issues |image=Firmwareupdate.jpg }} {{boot_firmware}} [[File:Firmwareupdate.jpg|thumb]] {{intro| Firmware Security and Updating Issues }} = Introduction = {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = This chapter contains general security advice and is unspecific to {{project_name_long}}. }} Due to the difficulty of this topic and the specificity of hardware and host OS firmware, this issue is generally outside the scope of {{project_name_short}} documentation. The links provided further below may not be the most relevant to the end user, necessitating further individual research. = Firmware on Personal Computers = Firmware is generally defined as the type of software that provides control, monitoring and data manipulation of engineered products. https://en.wikipedia.org/wiki/Firmware In the case of computers, firmware is held in non-volatile memory devices such as [https://en.wikipedia.org/wiki/Read-only_memory ROM], [https://en.wikipedia.org/wiki/Eprom EPROM] or [https://en.wikipedia.org/wiki/Flash_memory flash memory] and is associated with: https://en.wikipedia.org/wiki/Firmware#Computers https://en.wikipedia.org/wiki/Firmware#Other_examples https://www.darkreading.com/intel/raising-the-stakes-when-software-attacks-hardware https://www.fsf.org/campaigns/priority-projects/hardware-firmware-drivers
Supply chain attacks can happen when hackers gain access to a software company's infrastructure—development environment, build servers, update servers, etc.—and are able to inject malware into new software releases or security updates.A recent example of malware that successfully targeted computer firmware is the late-2018 "Operation ShadowHammer" attack, which affected an estimated half a million Windows users utilizing ASUS hardware. In this case, the [https://www.shouldiremoveit.com/ASUS-Live-Update-5823-program.aspx ASUS Live Update Utility] -- which is responsible for automatically updating components like BIOS, UEFI, drivers, and applications -- was compromised. It was discovered that the backdoored utility actually targeted the MAC addresses of a few hundred users, which were actually hard-coded into the trojan samples analyzed. The implication is that an advanced nation state attacker was willing to infect an untold number of innocent users for their targeted operations on a far smaller subset. https://securelist.com/operation-shadowhammer/89992/ This sophisticated supply chain attack involved several steps: https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers * The ASUS server which served the live update tool was compromised. * The malicious file was signed with ''legitimate'' ASUS digital certificates so the software appeared genuine. Reinforcing the notion that digital certificates are an imperfect security mechanism. The file was actually a three-year-old binary containing harmful code. * Users downloaded the malicious, backdoored utility through the ASUS update server. * The trojan utility searched for targets using a set of unique MAC addresses. MD5 hash values were hard-coded and found to correspond to unique MAC addresses for network adapter cards. This indicates the attackers knew the MAC addresses of their targets in advance. * Once located, a command-and-control server under the attacker's control installed additional malware on the machine. Another relatively recent example concerns backdoors that were built into Android mobile firmware in 2017. In this case, Google researchers confirmed the advanced backdoors were preinstalled on devices before they left manufacturer factories: https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/
Triada first came to light in 2016 in articles published by Kaspersky [https://www.kaspersky.com/blog/triada-trojan/11481/ here] and [https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/ here], the first of which said the malware was "one of the most advanced mobile Trojans" the security firm's analysts had ever encountered. Once installed, Triada's chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS' all-powerful Zygote process. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers. In July 2017, security firm Dr. Web reported that its researchers had found Triada [https://news.drweb.com/show/?i=11390&lng=en built into the firmware of several Android devices], including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoor to surreptitiously download and install modules. Because the backdoor was embedded into one of the OS libraries and located in the system section, it couldn't be deleted using standard methods, the report said.This malicious Android firmware was primarily adware and focused on allowing code to be injected into the system user interface to display advertisements, the downloading and installation of applications of the attackers' choice, and encrypted communications with command and control servers. Nevertheless, it further demonstrates the weaknesses that exist in the global supply chain for various devices. These attacks are concerning because they reveal adversaries are prepared to undermine the security underpinning the entire supply chain for their purposes, whether it is manufactured/assembled components or via breaches of trusted vendor software channels. As most users of specific computer/device hardware trust the manufacturing company, this is a very difficult problem to address, particularly since it can remain undiscovered for a long period. In addition, this mode of attack suggests that overall improvements in computing security are forcing sophisticated attackers to "raise their game," because in general they choose the path of least resistance when attempting to infiltrate the systems of targets. For further reading on this topic, see: * [https://www.wired.com/2013/03/flame-windows-update-copycat/ Flame spy tool] * [https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/ Operation WilySupply] * [[Malware_and_Firmware_Trojans#Watering_Hole_Attacks|Watering Hole Attacks]] * [https://www.vice.com/en/article/d3y48v/what-is-a-supply-chain-attack What is a Supply Chain Attack?] == Processor Microcode Updates == One recent example of a firmware vulnerability is the processor microcode update for modern chips to address [https://security-tracker.debian.org/tracker/CVE-2018-3620 speculative] [https://security-tracker.debian.org/tracker/CVE-2018-3646 execution flaws]. The [https://www.debian.org/security/2018/dsa-4279 Debian package] is non-free software, therefore only available in the Debian nonfree repository, meaning it is not installed by default in {{project_name_short}}. Relevant Debian packages for processor microcode: [https://packages.debian.org/{{Stable_project_version_based_on_Debian_codename}}/intel-microcode Intel] and [https://packages.debian.org/{{Stable_project_version_based_on_Debian_codename}}/amd64-microcode amd64]. Installing these updates by default would require the Debian nonfree repository, and logically also make {{project_name_short}} images nonfree. {{project_name_short}} recommends to [[avoid nonfreedom software]] but in this case idealism would result in insecurity. It is unnecessary to apply these updates in standard {{project_name_short}} and [[Qubes|{{qubes_project_name}}]] guest VMs, as they do not have the ability to alter the microcode. However, processor microcode updates should always be applied on the host operating system (for processors by Intel or AMD) ARM and POWER found to be as well affected, but less than what found in Intel and AMD. . See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739 === Microcode Package Check === In the following checks, the package is not installed if there is no output. To check whether the microcode package is installed. ==== Debian based ==== On the host. Run. {{CodeSelect|code= dpkg -l {{!}} grep microcode }} ==== Qubes ==== In dom0. Run. {{CodeSelect|code= dnf list {{!}} grep microcode }} The Qubes check should confirm the
microcode_ctl.x86_64
package is already installed. This package is installed by default in Qubes to automatically protect users against hardware threats.
=== Install Microcode Package ===
Installed by default in Kicksecure.
wiki editor todo: add tab controller for Kicksecure hosts vs Debian vs other operating systems
==== Intel ====
{{Install Package|package=
intel-microcode
}}
==== AMD ====
{{Install Package|package=
amd64-microcode
}}
=== spectre-meltdown-checker ===
It is possible to check if the system is vulnerable to the [https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/ Spectre] and [https://meltdownattack.com/ Meltdown] attacks, which use flaws in modern chip design to bypass system protections.
==== Installation ====
{{Install Package
|package_name=Spectre Meltdown Checker
|package=spectre-meltdown-checker
}}
==== Usage ====
{{CodeSelect|code=
sudo spectre-meltdown-checker --paranoid ; echo $?
}}
=== Forum Discussion ===
See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739
= See Also =
https://packages.debian.org/bookworm/fwupd
* [[Malware_and_Firmware_Trojans#Firmware_Trojans|Firmware Trojans]]
* [[Open-source Hardware]]
= References =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]