[Secure-testing-team] how to handle SMM attacks?
Michael S. Gilbert
michael.s.gilbert at gmail.com
Mon Aug 10 19:26:27 UTC 2009
On Mon, 10 Aug 2009 21:13:53 +0200, Florian Weimer wrote:
> * Michael S. Gilbert:
>
> > right, but debian now has almost all free software firmwares for those
> > devices, and hence those threats are mostly nullified, right?
>
> Only for firmware which is not that firm and lost if the power is
> gone. If the manufacturer hasn't got rid of flash to store the
> firmware, it's not particularly likely that Debian ships it.
>
> > i think one of the key problems is that SMM updates can be initiated
> > by the remote attacker without authentication; in fact this is
> > intentional to be able to track stolen laptops.
>
> Aren't you confusing two separate attacks? It's also quite unlikely
> that those devices phone home by default. Why should you provision
> resources to non-customers?
i'll admit that i honestly don't know much about SMM, but i would
imagine that it does phone home by default since its job is to track
stolen laptops, and it would need to phone somewhere to convey that
information.
again, i haven't really done enough research to fully understand the
attack, but it sounds like they can push updates to SMM (such as a key
logger) at will, without any interaction with the os.
mike