Public Firmware Vulnerability Examples

Public Malicious Firmware Examples

The main purpose of this list is to demonstrate (1) the poor state of firmware security, and (2) some of the things that are possible with control over the firmware in various parts of a computer system. I shouldn't have to say this, but do not run out and do this to somebody else's computer system. The purpose of this site is to educate defenders in an effort to raise the bar. Please feel free to share more examples! Note: often threads (e.g., on news.ycombinator.com) discussing this kind of thing typically fill up with other interesting links.

2018

Intel

AMD

• amdflaws.com (13 separate issues)
• AMD-PSP: fTPM Remote Code Execution via crafted EK certificate

2017

CVE-2017-5689 - Intel AMT authentication bypass

2016

(off-topic, since there's nothing malicious here, but this is pretty cool) Color TV Broadcasts using a WiFi radio

2014

Rafal Wojtczuk, Corey Kallenberg: Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer

Rudolf Marek: AMD x86 SMU firmware analysis

Thunderstrike

Intel chipsec (defcon talk) "Platform Security Assessment Framework"

UEFI Update Capsule Coalesce Vulnerability (& lots more from the same group)

Absolute CompuTrace Revisited - http://securelist.com/analysis/publications/58278/absolute-computrace-revisited/

Hard drive firmware

• http://spritesmods.com/?art=hddhack
• http://recon.cx/2014/slides/Recon14_HDD.pdf

Intel ME - http://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf

NSA ANT catalog - http://en.wikipedia.org/wiki/NSA_ANT_catalog

2013

Malicious phone chargers installing malware into phones - http://arstechnica.com/security/2013/07/trusting-iphones-plugged-into-bogus-chargers-get-a-dose-of-malware/

Printer firmware - http://ids.cs.columbia.edu/sites/default/files/ndss-2013.pdf

WiFi-enabled SD card - http://haxit.blogspot.ch/2013/08/hacking-transcend-wifi-sd-cards.html

WiFi router - http://shadow-file.blogspot.com/2013/10/complete-persistent-compromise-of.html

Web cam LED disabling

• http://www.cs.jhu.edu/~s/
• http://occs.cs.oberlin.edu/2013/09/iseeyou-disabling-the-macbook-webcam-indicator-led-rsvp-required/

Toyota’s ECU (unintended acceleration - it was not floor mats) (not actively malicious):

• http://www.eetimes.com/document.asp?doc_id=1319903&page_number=3
• http://www.eetimes.com/author.asp?section_id=36&doc_id=1319910&
• http://www.edn.com/design/automotive/4423428/2/Toyota-s-killer-firmware--Bad-design-and-its-consequences
• http://www.sddt.com/files/Bookout_v_Toyota_Barr_REDACTED_002.pdf

Baseband processors - http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone

Stuxnet - "To Kill a Centrifuge - A Technical Analysis of What Stuxnet’s Creators Tried to Achieve" - http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf

2012 or older

Invisible Things Labs TXT,SMM,VT, etc

• http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
• http://theinvisiblethings.blogspot.com/2011/12/exploring-new-lands-on-intel-cpus-sinit.html
• And more from them (Joanna Rutkowska, Rafal Wojtczuk, …)

Loic Duflot et al (SMM stuff, …)

• Can you still trust your network card? http://www.ssi.gouv.fr/IMG/pdf/csw-trustnetworkcard.pdf
• SMM Reloaded - http://www.ssi.gouv.fr/IMG/pdf/Cansec_final.pdf

Arrigo Triulzi’s NIC+GPU ssh

• http://www.alchemistowl.org/arrigo/Papers/Arrigo-Triulzi-PACSEC08-Project-Maux-II.pdf
• http://www.alchemistowl.org/arrigo/Papers/Arrigo-Triulzi-CANSEC10-Project-Maux-III.pdf

K. Chen’s Apple keyboard

• http://www.blackhat.com/presentations/bh-usa-09/CHEN/BHUSA09-Chen-RevAppleFirm-SLIDES.pdf

Stuxnet Dossier - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf