Forgot your password?
typodupeerror
Security

Security Industry Incapable of Finding Firmware Attackers 94

Posted by Unknown Lamer
from the just-use-coreboot dept.
New submitter BIOS4breakfast writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is: when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?"
This discussion has been archived. No new comments can be posted.

Security Industry Incapable of Finding Firmware Attackers

Comments Filter:
  • Re:Least interest (Score:4, Interesting)

    by EdZ (755139) on Wednesday March 19, 2014 @11:47AM (#46525177)
    What you CAN do is exploit an otherwise secure OS so that you CAN do those things in spite of OS-level security methods.

    I miss the days of needing a move a jumper in order to flash the system ROM. I've seen plenty of gaudy 'overlocking' boards with push-buttons on the motherboard itself for various esoteric functions. A toggle-switch for BIOS-write-enable would be a relatively cheap addition, and manufacturers can market the board with some extra security buzzwords.
  • by jc42 (318812) on Wednesday March 19, 2014 @12:28PM (#46525493) Homepage Journal

    You know who reviews open source code seriously? Fucking nobody.

    Oh, I dunno 'bout dat. I recall a few years ago, getting an informative email from one of djb's folks, telling me how to exploit an open-source program that I was using in the software behind a web site that I was responsible for. I ran their test, dug into the code and fixed the problem (and several similar problems in other parts of the code), and sent them a nice letter thanking them for their help. I also forwarded their email and my patches to the author of the program, but I didn't hear back from him.

    This only fails to qualify as "seriously" if you dismiss all of academia as not serious. In reality, that's where you'll find most of the people who take security seriously. You don't much find them in "industry" (as the summary puts it), for management reasons that are well-understood by pretty much anyone who has ever tried to get security problems fixed in a corporate-management environment.

10.0 times 0.1 is hardly ever 1.0.

Working...