UEFIs booting Windows and Linux devices can be hacked by malicious logo images

[gadget42]

UEFIs booting Windows and Linux devices can be hacked by malicious logo images - ArsTechnica - Dan Goodin - Dec 6, 2023

https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/

reminded of:

https://arstechnica.com/information-technology/2022/07/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls/

[CardealRusso]

...they are able to bypass a host of defenses, including the industry-wide Secure Boot...

Heh, it wasn't secure after all.

Or maybe secure in the same sense as "unlimited" in website hosting/network bandwidht. Secure like condoms and so on. Pure marketing ploy to get the standard adopted.

[nick65go]

We can never have "security" if the start point is an UEFI implementation by vendors/manufactory in firmware as close-source (IP - Intellectual bul*shit Property). This "security by obscurity" is named obfuscation for lazy intruders. With proper skills & tools & determination anything can be cracked.

It is an illusion to have a secure chain (top to end) if ANY chain-component is close-source (UEFI firmware, kernel drivers blobs, etc).
Or if hardware (CPU/GPU, ROM etc) has hidden modules. We can not build a castle on the sand (or a house on other people land).

EDIT: the weakest link in the chain is... the human. Even with the most hard-to-break cryptography in hardware, the intruder needs just to torture/blackmail the human to get access (Guantanamo style). Right, so about what level of security we talk here? hm...

[gadget42]

million-dollar security and a five dollar wrench
https://xkcd.com/538/

[CentralWare]

LMAO...  well, I didn't dig into the topic and research how/where/why someone found this out (or what 12 year old came up with the concept in the first place) BUT...

• Viri, Trojans, etc. don't just show up out of thin air; they're downloaded (internet) or injected (cd/usb/etc) WITH some level of interaction and permission
• Windows' logo has been known (at very least) since Win98 when the Admin Deployment Kit was still in diapers - back when it was Fun to Win™
• Linux logo (assuming Boot/Kernel) yeah, I can kinda' see potential...  but still falls into category #1 above...  it doesn't just "happen" and that's a lot of work.

IMO - if you want to "infect" a linux based machine, you need only get access to the package manager's repo list; the rest is sheer imagination.  (apt, yum, even tce...  replace the repo with your own copy and what people download/install is in your hands!)

If you truly want to cause havoc in the Winderz World, break the NIC/WIFI driver connection or just IPv4; it's now (Win11) virtually mandated to log in using cloud authentication (Hotmail/Outlook) and now they EMAIL you a link if you can't get in...  which you can't do if there's no network.  (Out of the last 1,000 PCs that sold to the average Joe, how many of those folks do you think have a recovery USB stick?)

[CentralWare]

We can never have "security" if the start point is an UEFI implementation by vendors/manufactory in firmware as close-source (IP - Intellectual bul*shit Property). This "security by obscurity" is named obfuscation for lazy intruders. With proper skills & tools & determination anything can be cracked.

Very true.

The only "real" security I could see any time in the foreseeable future would be a sandbox based EVERYTHING (ie: every app was jailed to its own environment and unable to communicate directly with hardware and the operating system nothing more than a container of jails.)  This would pose challenges with libraries and the likes; but someone would figure out a way to share "securely" eventually.

[nick65go]

wow, "nothing more than a container of jails"
it was also my idea, but.. we still need to boot-strap this borg-alien from a firmware (1) and an OS (2).
- firmware is almost closed-source (maybe except core-boot) + is based on close-source CPU/GPU/APU devices...
- OS (even Linux) could have kernel drivers with blobs/firmware + we need to compile it ourself! (with a gcc/clang built by ourself -- do not trust the trusty)
- and then we get out in the world using middle the man IPS (internet server provider)+ back-bone (link-cells) exposed to tampering. Oh, boy!

My expensive solution (for now) is to use a dedicated device (PC/laptop etc) with NO private document on it. If it crash, if it is hacked / spied, ransomed whatever, then.. so be it! It is like we pay for the food, because we enjoy it; so we pay for the paranoic security because we care (are we?).

[gadget42]

...
(Out of the last 1,000 PCs that sold to the average Joe, how many of those folks do you think have a recovery USB stick?)

recently assisted an acquaintance with their _Windows-7_laptop_ and the FIRST operation we performed was "create recovery disks set"

and, yes it's over ten years old and yes, win7 is EOL but having the ability to reinstall the original OS on a fast new ssd gave us the ability to do this:

https://arstechnica.com/gadgets/2022/08/how-to-upgrade-to-windows-11-whether-your-pc-is-supported-or-not/

...
Also, unofficially, I've had some success using old Windows 7 and Windows 8 product keys to activate equivalent editions of Windows 11. It's an open secret that the Windows 10 installer would continue to accept these older product keys long after the "official" free Windows 10 upgrade offer expired in 2016, and at least in our testing, those keys have continued to work for Windows 11.
...

caveat: as always, your mileage may vary.

[nick65go]

https://arstechnica.com/security/2024/02/critical-vulnerability-affecting-most-linux-distros-allows-for-bootkits/

"Resistance is futile" is the world of close-source [firmware/CPU/intellectual property"/etc.].