Discussion in 'Article Discussion' started by bit-tech, 14 Mar 2018.
I don't think anyone seriously believes the method and language of disclosure was intended as anything other than an AMD smear (or if they do; I've got this bridge you may be interested in buying...) but from reports in Ars and Anandtech the supposed exploits have been verified as viable by more reputable third parties. While requiring root somewhat limits the usefulness of these attacks, they are still extremely dangerous to anyone who possesses a zero-day root explot to a host OS or has physical access to the device (e.g. during transport), or even just an unpatched system. The problem is that once you have backdoored the Secure Environment or the PCH, you own the system without even an unexploited OS being aware of it.
i.e. if you're worried about a cryptolocket-like messing with your files these aren;t much of a concern, but if you're worried about APTs this is some seriously bad juju.
I mean if you've already got root then unless it's going to physically brick my hardware I don't really care. It's such a sketchy situation. Most malware uses an SE elevation anyway. Stuff like Zeus didn't even need admin if I remember correctly.
Further to that - Doesn't all of this more or less revolve around Flashing exploited firmware onto the Hardware? So you have to edit and Digitally Sign Bios Files in order to get your malicious code in, Plus Digitally signed drivers by the Motherboard Vendor and other bits?
If you are going to those extents to Own a machine; you're after a single dedicated target, and if you're already managing to spoof/override digital signing; there's no reason this exact same attack wouldn't work on any other machine that uses Digitally Signed Bios, AMD, Intel or otherwise.
I think Linus Torvalds' response was the best; "Turns out if you replace Bios or Microcode with Evil versions; you might have a security issue"
So what happens if this turns out, as is likely IMO, to be nothing more than BS intended to gain financial.
Can AMD sue, would some market authority get involved, will there be any repercussions.
That's the idea, the claimed exploit is that that protection can be bypassed (and the attacks against the SE are specifically ones that do NOT require BIOS flashing).
Let's use the house analogy:
A Root Exploit is where it turns out your front door lock is made of cheese and anyone who pokes it with a stick can gain entry. Once inside, they can rummage through your stuff (e.g. a RAT), or just break things (e.g. Cryptolocker), but it's obvious once you actually look that they are there and have done bad stuff.
These exploits are like somebody breaking in, and then hiding themselves inside your walls. You can't see them or know they were ever there, you can replace all your locks without effect, but they still have undetectable access to everything.
Unlikely that they could get anything worthwhile from what appears to be a two man limited company founded in Isreal less than a year ago.
Even if they could prove some kind of foul play recovering any kind of damages from across the Atlantic would be nigh impossible and the company could simply fold. At best they could get a written admission of guilt, which would be pretty much moot as well if they already fixed or disproved the vulnerabilities.
The company in question has released real threats so while it's a scummy move designed to allow them to short sell AMD stock and make money I'm guessing it's probably not illegal as they've got real exploits. Hence they make their money and move onto their next target.
As for the exploits, they don't seem easy to use (most need bios access) but that doesn't mean AMD won't have to fix them. An obvious way of using them is to intercept a new machine, put your exploit into the trusted execution engine and let it continue on it's way. Unless the company is flashing every bios it gets (and most don't) then you've got your compromised machine inside the company firewall, undetectable by any software, and from their you can attack other machines, and so on...
Some of the exploits are actually more insidious than that: the SE attack is per-CPU rather than per-motherboard, so flashing the BIOS will not evict the exploit.
Same flaw also works against Intel chips soooo.....
So do these
SO DOES A HAMMER.
Hooray for hammers!
haha "Can I just get access to your PC with this VERY LARGE HAMMER?"
Anything can be achieved with the correct application of the correct hammer...
While that wouldn't be a particularly sophisticated attack vector it does come very close to the truth how most successful attacks are pulled off, the meatsack at the keyboard allowing access either due to ignorance or being talked into it is the single biggest IT security issue.
Cant patch the end user. Unfortunately
I'll see if the same method works when I next get a bug report. "Sorry boss. User's PC was smashed by a balaclava wearing doge wielding a hammer. No idea what happened" *Ticket closed
Separate names with a comma.