Hackers using software-based malware have long caused headaches for security admins, but fortunately these pesky issues are usually fixable.
The same, however, cannot always be said for hardware-based vulnerabilities. While often preventable, they can be irreversible.
Hardware-based attacks made the news lately, leaving enterprises worried. Few security teams know how to fix the issues -- if anything can be done at all.
x86 processors firmware vulnerability
At the Chaos Communication Congress last month, Czech programmer Rudolf Marek disclosed a vulnerability that could potentially allow remote code execution in Advanced Micro Devices Inc.'s Systems Management Unit (SMU) firmware code, which is used in the vendor's x86 processors.
The issue, which affects AMD's Trinity, Richland, Kaveri and Kabini series processors, occurs because the SMU code does not perform adequate checks before execution, allowing Marek to inject his own commands into the code.
Marek found the issue in December 2013 and reported it to AMD in April 2014. By November 2014, AMD had fixed the SMU firmware, which is now available as part of AMD AGESA (AMD Generic Encapsulated Software Architecture).
The only way to mitigate the risk is to get the fix from the OEM hardware vendors using AMD's products.
"Ask your vendors for updated AGESA," Marek said at the conference. "This is the only way to force them to update it. The vendors are delivering the updates to you, not AMD."
Security requires physical control
Last week's SearchSecurity news roundup reported on another proof-of-concept exploit at the Chaos Communication Congress, dubbed "Thunderstruck." This flaw allows an attacker to gain complete control of a device containing a Thunderbolt port after just a few moments of physical access to it. Infected devices can then infect any other device with a Thunderbolt port that connects to it.
In a blog post published this week, Rich Mogull, analyst and CEO of Phoenix-based Securosis, explained that while not many users are at risk, this is an attack certain people should be aware of.
"I like this story as a good example of understanding risk," Mogull wrote. While the average user may not be at risk, executives and security pros do have the potential of being compromised should their hardware leave their physical control.
"I am writing it up as a warning of real risk, if you fall into the right bucket," Mogull said.
The keylogging USB charger
Sometimes, however, even physical control over a device is not enough to protect it.
Hacker Samy Kamkar on Monday released the software and hardware specifications on how to build a keylogger disguised as a USB charger. Dubbed "KeySweeper," the device functions as a USB wall charger and also "wirelessly and passively sniffs, decrypts, logs and reports back all keystrokes from any Microsoft wireless keyboards (which use a proprietary 2.4GHz RF protocol) in the area."
The device, which costs no more than $80 to make, feeds off the weak XOR encryption built into many Microsoft keyboards.
In a statement, Microsoft said customers using its Bluetooth-enabled keyboards are protected from this type of attack. "In addition," the company said, "users of our 2.4GHz wireless keyboard designs from July 2011 onwards are also protected because these keyboards use Advanced Encryption Standard (AES) technology."
However, Kamkar said that he purchased the keyboard he attacked a few weeks before at a local store, casting doubt on Microsoft's assertion.
According to SlashGear, there is no immediate fix to the vulnerability besides Microsoft changing its proprietary signals, leaving users few options but to not use the wireless keyboard.
In other news
- Heartland Payment Systems Inc., which was involved in a 2008 breach that exposed nearly 130 million consumer credit card numbers, announced this week that it was offering the "industry's only credit/debit card information breach warranty" at no charge to its merchants for a year. The service will be available after that for a fee of $8.33 per month per card-entry device. Should the breach be caused by a failure or defect in Heartland software or hardware, the warranty will cover the merchant's fines, fees and assessments, as well as the cost of a forensic audit by a PCI-certified Qualified Incident Response Assessor.
- EMC Corp. has reduced the size of its workforce, including management layoffs, as part of an overhaul of its RSA security division, sources close to the company told CRN Tuesday. A partner said these changes will create "more of a streamlined management approach." When CRN reached out to RSA for comments, it responded, "Like all tech companies, RSA's operations constantly evolve to ensure optimal execution of our strategy. At times this impacts our organizational structure and employee base. Ultimately this flexibility is needed to enable us to capitalize on growth opportunities and better meet customer needs." While some believe the overhaul could involve an RSA spinoff from EMC, RSA Executive Chairman Art Coviello told reporters at a Boston event last week that RSA would remain part of EMC.
- The results of an experiment by writers at How-To Geek LLC published Sunday showed that downloading and installing 10 apps from the "most popular download" list on CNET's Download.com resulted in a rash of malware infections. While CNET clearly states that it does not allow malicious software on its site, and that it "tests all submitted software products according to comprehensive criteria," How-To Geek detailed how the apps it downloaded also came with browser hijacking programs, fake registry cleaners, viruses, spyware and other malware. The testers sought to highlight the dangers of freeware bundled with what they called "crapware."