Super Lazy Security Advisory


ad...@reviews.wox.org

Jul 11, 2024, 8:15:35 PM
to 2600-au...@googlegroups.com

It seems all BIOSes, particularly those with draft/standard TPM and UEFI, and some earlier ACPI mainboards, have the same security problem, which appears to be deliberate since Windows seems to use it on purpose.
(Tinfoil hat thought: this probably explains why Microsoft is pushing so hard for all Windows 11 machines to require these, since they have always complied with backdoor feature requests from the NSA/CIA/FBI.)

The problem seems to exist in all AMD and Intel mainboards, with or without Intel ME and AMD's knock-off of Intel ME. Although certainly those with Intel ME can do a lot more damage, since they can be keyed to boot virtual disks/rootkits remotely, and in practice function somewhat like a hardware-layer version of a VNC server with remote image mounting capability. Machines are vulnerable regardless of OS, disk encryption, security measures or firewalls. (Although in most cases the user is the weakest point, being social-engineered into installing a rootkit with this capability.)

Symptoms:
Machines turn on by themselves after being fully powered down by the OS; suspiciously, these power-up events often disable startup sounds and the like when being used for nefarious purposes. The system will detect if the local user has noticed (such as shutting it down again or doing a hard power off) and enable the startup sound again for the next startup cycle to discourage suspicion. Hibernated machines also generally won't trigger the startup sound when powering up by themselves. (Even if you don't use hibernation, "fast start" is in effect using hibernation, and Dells have a "hybrid sleep" mode which is a hardware-level hibernation capability attached to simple sleep mode.) In general most Windows machines will 'legitimately' attempt to turn themselves on at or after 3am, but the behaviour can occur at any time depending on clock and time zone settings, and seems to be prepared in advance by the OS under the pretext of installing updates, so it will not happen EVERY night, more often at random.

In a nutshell:
These BIOSes can:
1: Be interfered with by the OS to trigger a startup event at a defined time/date. This event behaves like someone walked up and hit the power button, and won't show in your scheduled-start BIOS configuration. Current versions of Windows do this to circumvent defined BIOS power/startup/schedule behaviour settings in order to force it to turn the PC on (usually around 3am) to 'legitimately' install updates, and likely to comply with Patriot Act provisions allowing rooting of 'person of interest' computers. Additionally these are vulnerable to UEFI console-level attacks which can add Intel ME-like rootkits to machines without remote management hardware.

2: Additional capabilities are available if the mainboard is using on-board network hardware, such as wake-on-LAN, magic packet and the like, which will allow access to additional remote management features outside of the OS level.

How can these be exploited:
Using trojans or typical social engineering, apps can be installed which configure a computer to power itself up at a time it may be unattended, facilitating remote access for a rogue operator. Metrics/telemetry data make this even easier, as it will tell the rogue operator exactly what times the machine is turned off or idle. Additionally, once a machine has been compromised, it can be used to exploit wake-on-LAN and Intel ME-style features installed on any other machine within the same network as the initially exploited machine, in effect granting access to every available computer in the LAN too.

Fixes:

  1. Use a 3rd-party network card/device instead of the in-built Ethernet, and disable all energy-saver/wake-on-LAN etc. settings; this can reduce a given machine's vulnerability to remote attack slightly. For machines that have already been interfered with, disable Task Scheduler, in particular tasks related to metrics, telemetry, customer experience, remediation/Windows Updates etc., as an exploit may rely on these to give legitimacy to the machine powering up, then run as a different nefarious task.
  2. Physically disconnect power from shut-down machines when not in use, or when they are unattended.
  3. Linux-based machines can also install deliberate remote boot/management tools which take control of these functions, and prevent them from being configured by rogue actors for unauthorised use.

That's it. It is an old problem, but worth reminding everyone.

-- 
New and improved 2600... well..  ..we drew on some flames and polished it a bit..
--
Google - making sure, life is no more, than 1984...
--
Bill Gates: 640k is more than enough for anybody
PC guy down the road: You will never fill that 10mb Hard disk mate
Abbott/Turnbull: 25Mbps is "more than enough" for the average Australian household.
Turnbull: Actually 10MBs is enough for the average household really.
Abbott/Turnbull: It is cheaper to put in FTTN, you get up to 24mbs/down and 256k up..  we can upgrade it more later...
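A defender-side audit of the Windows wake paths the post describes (RTC wake timers, scheduled tasks allowed to wake the machine, and NIC wake-on-LAN), added here as an example and not part of the original message. It relies only on the built-in powercfg tool and the ScheduledTasks/NetAdapter PowerShell modules; the -Harden switch is this script's own name for applying the post's fix 1, and must be run from an elevated prompt.

```powershell
# Added example (not from the original post). Read-only by default;
# -Harden turns off wake timers, WakeToRun tasks and NIC wake-on-LAN.
[CmdletBinding()]
param([switch]$Harden)

Write-Host "== What woke the machine last time =="
powercfg /lastwake

Write-Host "`n== Devices currently armed to wake the system =="
powercfg /devicequery wake_armed

Write-Host "`n== Pending wake timers (RTC alarms set by the OS or apps) =="
powercfg /waketimers

Write-Host "`n== Scheduled tasks allowed to wake the machine =="
Get-ScheduledTask | Where-Object { $_.Settings.WakeToRun -eq $true } |
    Select-Object TaskPath, TaskName, State | Format-Table -AutoSize

Write-Host "`n== Network adapters with wake-on-LAN enabled =="
Get-NetAdapterPowerManagement | Where-Object {
    $_.WakeOnMagicPacket -eq 'Enabled' -or $_.WakeOnPattern -eq 'Enabled'
} | Select-Object Name, WakeOnMagicPacket, WakeOnPattern | Format-Table -AutoSize

if ($Harden) {
    # Deny wake timers in the active power plan (AC and battery), so neither
    # Task Scheduler nor an application can arm an RTC alarm to power up the box.
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP RTCWAKE 0
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP RTCWAKE 0
    powercfg /setactive SCHEME_CURRENT

    # Clear the "wake the computer to run this task" flag on every task that
    # has it; some system-owned tasks may refuse the change, so keep going.
    Get-ScheduledTask | Where-Object { $_.Settings.WakeToRun } | ForEach-Object {
        $_.Settings.WakeToRun = $false
        Set-ScheduledTask -InputObject $_ -ErrorAction SilentlyContinue | Out-Null
    }

    # Disable magic-packet and pattern wake on every adapter (on-board or add-in).
    Get-NetAdapter | ForEach-Object {
        Disable-NetAdapterPowerManagement -Name $_.Name -WakeOnMagicPacket `
            -WakeOnPattern -ErrorAction SilentlyContinue
    }
}
```

Re-run the script without -Harden afterwards to confirm the wake-timer, task and adapter lists come back empty; BIOS-level wake settings and any management engine are outside what the OS can report, so those still need checking in firmware setup.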