In recent years, we have been witnessing a steady increase in security vulnerabilities in firmware. Nearly all of these issues require local (often privileged) or physical access to exploit. In this talk, we will present novel *remote* attacks on system firmware.
In this talk, we will show different remote attack vectors into system firmware, including networking, updates over the Internet, and error reporting. We will also be demonstrating and remotely exploiting vulnerabilities in different UEFI firmware implementations which can lead to installing persistent implants remotely at scale. The proof-of-concept exploit is less than 800 bytes.
How can we defend against such firmware attacks? We will analyze the remotely exploitable UEFI and BMC attack surface of modern systems, explain specific mitigations for the discussed vulnerabilities, and provide recommendations to detect such attacks and discover compromised systems.
Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented multiple times at DEF CON, PacSec, Hackito Ergo Sum, and BSides Portland.
Eclypsium CTO and Founder Alex Bazhaniuk has been performing security research and product security for a number of years at Intel Corporation. Alex presented his research at well-known security conferences such as Black Hat, DEF CON, CanSecWest, Recon, Troopers, Ekoparty, Toorcon, Hackito, HITB, OPCDE, Syscan360. Also he teaches popular trainings in firmware security. Previously, Alex co-founded the first DEF CON group in Ukraine. Also he is the co-author of open source CHIPSEC framework.
Mickey Shkatov, a principal researcher at Eclypsium, has been performing security research and product security validation since 2010, He has also presented multiple times at DEF CON and Black Hat, PacSec, CanSecWest, BruCon, Hackito Ergo Sum, and BSides Portland.