Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Back Door in Gigabyte Motherboards

Users of Gigabyte motherboards should urgently take note of a new vulnerability disclosed by Eclypsium researchers. The vulnerability, in the UEFI BIOS firmware of mtherboards from manufacturer Gigabyte, actually writes a Windows executable, GigabyteUpdateService.exe, to disk as part of the system boot process and sets registry entries to run it as a Windows service.

This process gets run by the Windows Session Manager Subsystem (smss.exe) when Windows starts, and in turn, it downloads and runs an executable payload from one of several Gigabyte servers. Most worryingly, the latter process is highly insecure, allowing a download over plain, unprotected HTTP - with no TLS - and also not performing any signature verification on the downloaded executables.

These two steps are both highly concerning; the first is very similar to the techniques used by other UEFI boot hacks like LoJack DoubleAgent and firmware implants such as Sednit LoJax, while the second is vulnerable to MitM attacks and other exploits. And now that this vulnerability has been disclosed, we can expect 0days to follow in short order. Gigabyte should really know better: their motherboards have previously been exploited by a Chinese-originated bootkit.

Affected users should check their UEFI BIOS setup and disable the "App Center Download & Install" feature and set a BIOS password to prevent malicious changes. They should also update their systems to the latest version firmware and software. Eclypsium's report also provides a list of URL's which can be blocked at the firewall, as well as a long - 3 pages! - list of affected motherboards.

Eclypsium, Supply Chain Risk from Gigabyte App Center Backdoor, blog post, 31 May 2023. Available online at https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/.

When Down-to-Earth Approaches to Security Aren't the Answer

Finally, a little light reading for your weekend - a cybersecurity issue that affects relatively few of us and perhaps as a result has escaped attention until now. In a recent paper presented at the spring 2023 IEEE Aerospace Conference, Johns Hopkins professor Gregory Falco drew attention to a blindingly obvious - with the benefit of hindsight - problem: the RFP  for the development of the next-generation space suits to be used in the upcoming Artemis missions had no requirements for assurance of cybersecurity.

In fact, security is often overlooked in the development of space hardware, firmware and software. Back in the days of the Mercury, Gemini and Apollo missions, development benefited from security by obscurity, since the systems were so specialized. However, since then, we have seen the entry of private operators who inevitably seek cost-effectiveness through the use of commercial-off-the-shelf (COTS) hardware and software. Furthermore, we have transitioned through the development of the Internet to an era of ubiquitous, always-connected, computing and now to commercial space tourism which could see personally-owned devices connected to spacecraft networks and systems.

An article in IEEE Spectrum canvases these issues and suggests some approaches to solutions.

Wells, Sarah,  Cybersecurity Gaps Could Put Astronauts at Grave Risk: Houston, we may have a malware problem, IEEE Spectrum., 1 June 2023. Available online at https://spectrum.ieee.org/cybersecurity-in-space.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.