A well-meaning feature leaves millions of Dell PCs vulnerable
Firmware security tool flaws affect as many as 30m desktops, laptops, and tablets.
Researchers have known for years about security issues with the foundational computer code known as firmware. It's often riddled with vulnerabilities, it's difficult to update with patches, and it's increasingly the target of real-world attacks. Now a well-intentioned mechanism to easily update the firmware of Dell computers is itself vulnerable as the result of four rudimentary bugs. And these vulnerabilities could be exploited to gain full access to target devices.
The new findings from researchers at the security firm Eclypsium affect 128 recent models of Dell computers, including desktops, laptops, and tablets. The researchers estimate that the vulnerabilities expose 30 million devices in total, and the exploits even work in models that incorporate Microsoft's Secured-core PC protections—a system specifically built to reduce firmware vulnerability.
Dell is releasing patches for the flaws today.
The vulnerabilities show up in a Dell feature called BIOSConnect, which allows users to easily, and even automatically, download firmware updates. BIOSConnect is part of a broader Dell update and remote operating system management feature called SupportAssist, which has had its own share of potentially problematic vulnerabilities. Update mechanisms are valuable targets for attackers, because they can be tainted to distribute malware. . .
The Eclypsium researchers caution, though, that this is one update you may not want to download automatically. Since BIOSConnect itself is the vulnerable mechanism, the safest way to get the updates is to navigate to Dell's Drivers and Downloads website and manually download and install the updates from there. For the average user, though, the best approach is to simply update your Dell however you can, as quickly as possible.
“We’re seeing these bugs that are relatively simple like logic flaws show up in the new space of firmware security,” Eclypsium's Michael says. “You’re trusting that this house has been built in a secure way, but it’s actually sitting on a sandy foundation."
After running through a number of nightmare attack scenarios from firmware insecurity, Michael takes a breath. “Sorry,” he says. "I can rant about this a lot.”
This story originally appeared on wired.com.
=========================================================================
NFC flaws let researchers hack an ATM by waving a phone
Flaws in card-reader technology can wreak havoc with point-of-sale systems and more.
"For years, security researchers and cybercriminals have hacked ATMs by using all possible avenues to their innards, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring. Now, one researcher has found a collection of bugs that allow him to hack ATMs—along with a wide variety of point-of-sale terminals—in a new way: with a wave of his phone over a contactless credit card reader.
Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems are what let you wave a credit card over a reader—rather than swipe or insert it—to make a payment or extract money from a cash machine. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe.
"You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here," says Rodriguez of the point-of-sale attacks he discovered. "If you chain the attack and also send a special payload to an ATM's computer, you can jackpot the ATM—like cash out, just by tapping your phone."
III
No comments:
Post a Comment