
ASUS delivers BIOS/UEFI auto-updates over HTTP with no verification - Kubuxu
http://teletext.zaibatsutel.net/post/145370716258/deadupdate-or-how-i-learned-to-stop-worrying-and
======
ryao
Poor security hygiene is by no means unique to Asus' motherboards' firmware
updates. You can find bad practices in all sorts of embedded systems' firmware
updates. Manual downloads of router firmware are an excellent example of this,
and that includes third party OSS firmware such as DD-WRT. The Obihai ATAs
will auto-update over HTTP although I have not checked if they do any sort of
code signing. I have seen OSS live media that is distributed without PGP
signatures, or even HTTPS+checksums. There are plenty of other examples out
there.

In the case of routers, things are beginning to change because the FCC is
requiring that manufacturers prevent users from modifying radio parameters to
their satisfaction and the easiest way to do that is to prevent users from
using OSS firmware:

[http://hackaday.com/2016/02/26/fcc-locks-down-router-firmwar...](http://hackaday.com/2016/02/26/fcc-locks-down-router-firmware/)

In the case of Linksys routers, the router firmware appears to also auto-
update and until recent firmware versions, it lacked verification. I do not
know if it auto-updates over HTTP. If it does, the ones running older firmware
would definitely be vulnerable to the same kind of attack as the Asus
motherboards.

I recently purchased a Linksys EA8500-RB to use as an access point and wanted
to flash OSS firmware that I built myself for a reasonable level of confidence
in its trustworthiness. It turned out that DD-WRT is the only third party
project that supports it at this time. There is no documentation on how to get
the precise sources used by the ddwrt developer to build the images he
distributes and those downloading them are vulnerable to MITM attacks from the
absence of HTTPS+checksums and/or PGP signatures:

[http://desipro.de/ddwrt/K3-AC-IPQ806X/](http://desipro.de/ddwrt/K3-AC-IPQ806X/)

The DD-WRT project does have a subversion repository that could be used, but
anyone doing a checkout is vulnerable to a MITM attack due to the absence of
HTTPS. A mirror is available on github, although there is no assurance that
whatever is replicating the repository from subversion to git is not
vulnerable to a MITM attack. Furthermore, the build instructions for the image
are missing and while generic instructions exist, they are incomplete. They
also specify the use of a binary cross compiler toolchain, which similarly has
no obvious source code and no protection against MITM attacks.

I built my own toolchain with Gentoo's crossdev, but the incomplete
instructions require that I figure out how to use a custom toolchain, the dd-
wrt config parameters, the kernel config parameters, how to go from a build to
a factory to ddwrt image, etcetera. It is a huge pain, but it is one that I
must endure if I want to have an access point running OSS firmware that I built
myself. Building it myself gives me a high level of assurance that the
binaries correspond to the source code and that the source code can be audited
by either myself or people in the community.

It really should not be that difficult to get trustworthy firmware and Asus'
goof is just the tip of the iceberg.

~~~
newman314
I've been trying to convince <Kong>, the owner/(brother of owner) of that
desire.de site (btw not the official repo) to implement HTTPS and caching
using Let's Encrypt and Cloudflare and not just rely on signed binaries but
he's insistent that his method of just signing the binaries is sufficiently
secure.

Maybe if a sufficient number of people pester him about it.

EDIT: On a related note, I've been trying to get the ddwrt guys to improve
their HTTPS setup (ciphers etc.) without much success. To me, testing with
testssl.sh and fixing the errors that pop up is easy and not that much work.

~~~
deno
Transferring signed packages over TLS only prevents the attacker from
observing which particular packages are being updated, and that’s assuming the
padding alone is sufficient to obscure identification by size.

Otherwise signing packages is actually preferred, because you can do it
offline, so that hacking the server is not enough to push malicious code.

~~~
kevinchen
But that assumes hardware vendors' signature verification code is correct --
and crypto is really hard to get right

~~~
pricechild
You don't need to verify it on the target system though?

~~~
matthewaveryusa
You sign at the source with a private key, and you verify on the target with
the public key. The trick is only someone with the private key can create a
signature that the public key can verify.

~~~
bigiain
The other problem is many people won't have pre-existing copies of the required
private key available. If your attacker is in a position to MitM your download
of a signed binary, they're probably also in a position to MitM your retrieval
of the public key. SSL/TLS certainly helps there (at least the attacker then
also needs to be capable of acquiring root CA signed TLS certs for the
download site and any readily available PGP key sites. It won't slow the NSA
down much - but it will help against the guy with the WiFi Pineapple in your
local Starbucks…)

~~~
merijnv
> The other problem is many people won't have pre-existing copies of the
> required private key available.

We're talking about software updates, you embed the key INSIDE the software to
avoid this problem.

~~~
bigiain
Ahhh, good catch... Agreed.

(Though with my overly-cynical hat on, I now just suspect you've only moved
the problem to the previous update's authentication - and recursively back to
the initial download. How do you protect against the initial download being
MitMed and having an attacker's public key inserted - this is functionally the
same as HSTS - if you can MitM the first visit you win...)

~~~
deno
You need to trust something at some point, be it TLS session and the server
you’re talking with, or an SHA csum you verify with a friend (or using PGP’s
WoT), and even further the process(es) and person(s) responsible for actually
signing the releases.

As for “moving the problem,” it _is_ worth it. Because it’s easier to verify
the origin of the software once, than for every update. If there’s a new
vulnerability in TLS this will only affect new installations. Verifying (&
signing) packages offline is much more anti-fragile.

------
daxorid
Very nice find. What are the business unit motivations behind critical
suppliers like ASUS repeatedly violating customer trust in this manner? At
what point in the management chain is the decision reached to sacrifice
reputation for - whatever cost savings there are from not implementing
TLS/blob signing?

edit: This is not rhetorical. Actually curious if someone on HN familiar with
this class of companies (ASUS is not unique among OEMs) can educate.

~~~
brudgers
It's hard to make a case for long term support of commodity hardware sold into
the consumer market because the most shiny things at the lowest first tends to
drive purchases. It's as true for laptops as it is for Android phones.

BestBuy doesn't care if it stocks ASUS or not. It cares about sales and
margins. If there's an extra dollar putting Gateway on the shelf instead of
ASUS they will. And their customers won't care. "BIOS updates with TLS!"
stickers aren't going to improve sales.

Buying a laptop creates a consumer not a customer relationship. I want to pay
the least, the manufacturer wants to deliver the least. A few years out,
shiny-low-cost will drive my next purchase more than brand loyalty.

~~~
homero
True but it creates business for ThinkPad and I'm loyal to them. They fupped
too though

~~~
johannes1234321
You mean the Lenovo thinkpads which come with tons of malware like superfish
and different insecure plain http update mechanisms?

~~~
kuschku
Actually, the ThinkPads never came with that, only IdeaPads, etc.

That’s the advantage of using the business line of products: it’s usually not
as fucked up.

------
ikeboy
[https://duo.com/blog/out-of-box-exploitation-a-security-anal...](https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters)

[https://duo.com/assets/pdf/out-of-box-exploitation_oem-updat...](https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf)

page 15 discusses ASUS.

------
grawlinson
Wow. I always knew hardware manufacturers half-assed their software, but this
is kind of a new low.

I'm not sure whether to laugh or cry.

~~~
qb45
Could be worse, the title made me imagine UEFI firmware itself making HTTP
downloads and reflashing itself ;)

~~~
egeozcan
I thought that too and then got terrified of the idea that someone trusting an
HTTP connection writing (parts of) a damn BIOS. This would be worse than
anything.

Actually I also don't like BIOS allowing to be flashed from within the OS for
convenience. So your computer gets owned and you can't trust your motherboard
anymore.

~~~
Kubuxu
I hate this idea as it usually means that you have to run Windows to upgrade
BIOS...

~~~
grawlinson
You require Windows regardless. I have an old HP dm1z that's started playing
up with a recent Linux release.

Solution? New BIOS firmware. Problem? Can only update via Windows binary.

I wish I was joking, but quite a few HP laptops can only be updated via
Windows binaries...

~~~
qb45
Solution: buy computers with "generic" motherboards, not OEM boxes.

I have had like 5 different motherboards in the last 10 years and all could be
updated from a flash drive with the BIOS setup.

And yes, this required user action, they didn't just automatically flash
random files from pendrives present during POST ;)

------
userbinator
I don't remember the brand(s) exactly --- don't think it was ASUS however ---
but I do remember a few years ago of laptops which would automatically and
silently download and install BIOS updates, and inevitably some of them would
fail, leading to bricked machines.

IMHO the BIOS is not something that should ever change unless there's a _very_
important reason to, and even then it should be on the explicit action and
consent of the user, because of the risks of ending up with a completely non-
working machine. UEFI is a whole new mess, but I think the same principle
applies.

~~~
sgeisenh
ASUS has a tendency to have very important reasons to update the BIOS. The
last few Intel chipsets, they've had serious BIOS issues at launch that can
cause tremendous headaches (random freezes, blue screen, etc.).

~~~
qb45
In fact, the last few Intel _CPU_ generations had issues at launch which had
to be resolved with BIOS workarounds.

------
mtgx
Didn't Duo Security already expose this?

[https://duo.com/assets/pdf/out-of-box-exploitation_oem-updat...](https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf)

~~~
Redoubts
> Asus appears to be one of the worst OEMs we looked at, providing attackers
> with functionality that can only be referred to as remote code execution as
> a service.

Ouch.

------
franciscop
This means I can basically go to a Starbucks and pwn the Asus there, right?

I have an Asus now but installed Ubuntu first thing when I got it. If I
couldn't use Ubuntu I'd use Mac. I see the problem has two sides, Windows for
allowing for malware preinstalled and OEM for installing it.

~~~
qb45
Things wouldn't be much different if they shipped Ubuntu preinstalled.

~~~
Retr0spectrum
How so? It's not my distro of choice, but I'm pretty sure there aren't any
known remote root code execution exploits.

~~~
Kubuxu
If they wrote and installed a remote execution exploit on Windows they would
do the same if they shipped with Ubuntu.

~~~
ams6110
Which is a good reason to _always_ do a fresh OS reinstall before you even
boot the system for the first time. That's what I've done the past couple of
times I've bought a new PC. The _very first_ boot is off a USB drive to do a
clean OS install. Completely wipe the existing disk partitions too.

~~~
franciscop
I couldn't do this, I had to boot windows once to disable UEFI first. Didn't
set up the wifi though.

~~~
ams6110
Isn't that just a BIOS setting? Admittedly I've not dealt with UEFI much.

~~~
franciscop
Well I just found an even faster guide than what I did back in the day. Still,
cannot boot into the BIOS until starting/shutting down Windows:

> Windows 10 keeps the [Fast Startup] feature as Windows 8. (For more
> information, please refer to Windows 8-Introduction of [Fast Startup])

> Due to the reason, you CANNOT press F2 to enter BIOS configuration when
> booting the system.

Source:
[https://www.asus.com/support/faq/1013015/](https://www.asus.com/support/faq/1013015/)

------
fauigerzigerk
Astonishing. Is there any PC maker left that hasn't been found to be grossly
negligent or actively malicious?

~~~
fallenshell
Purism and Apple

~~~
Nullabillity
> Apple

"or actively malicious."

~~~
TazeTSchnitzel
How are Apple actively malicious?

~~~
Nullabillity
Let's see here:

* Started the trend of non-replaceable batteries in phones

* Started the trend of non-replaceable batteries in laptops

* Started the trend of locked-down devices where the owner can't decide what software to run

* Custom screws in order to prevent people from fixing their devices

* Custom enclosures in order to prevent people from replacing parts in their devices with commodity devices

* Soldering in stuff that doesn't need to be

And so on, and so forth. It'd be easier to come up with a list of _good_
decisions they've made. In fact, for the sake of balance, here you go:

~~~
prashnts
Right. These can also be interpreted as their reason to make slimmer devices.
People buying these products would presumably know what they're getting into.

~~~
xiaoma
How does needlessly soldering ram in make a device slimmer?

~~~
TazeTSchnitzel
Replaceable RAM modules take up more space.

------
brudgers
It's probably not just ASUS.

 _How the Top Five PC Makers Open Your Laptop to Hackers_ :
[https://www.wired.com/2016/05/2036876/](https://www.wired.com/2016/05/2036876/)

------
45h34jh53k4j
Routine updating of Administrator privileged binaries over HTTP is endemic
especially by OEMs, and yes, ASUS should know better.

I hope this incident will push them towards https for all their http
offerings. There really is no excuse anymore, it can be gratis and automated.

------
tonmoy
The irony is that my system would be more secure without ASUS' attempts on
updates.

------
Someone
I fear that, as a bonus, there is a race condition where a local attacker can
replace any update with its own 'update' between download and installation.

Worst-case, they might have implemented this like this:

    DownloadNewUpdatesIntoUpdateDirectory();
    ProcessWhateverYouFindInTheUpdateDirectory();

If that's the case, you would only need to copy a payload to that directory.
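As an added example (not code from this thread, from ASUS, or from any vendor updater), the offline-signing scheme matthewaveryusa, merijnv and deno describe, arranged so the download-then-process race Someone worries about cannot occur: the vendor's public key is compiled into the updater, and the flashing step accepts only the exact bytes that passed verification instead of re-reading the update directory. The key generation, the image bytes and the flasher are constructed stand-ins; only the Ed25519/SHA-256 calls are real standard-library APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Context string mixed into what is signed, so an image signature cannot be replayed elsewhere.
const signingContext = "example-firmware-image-v1"
var ErrBadSignature = errors.New("firmware image rejected: signature does not verify")

// GenerateVendorKeys stands in for the vendor's offline signing key: only the public
// half ships in the updater, so compromising the download server yields no signatures.
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedMessage binds the context string to the SHA-256 digest of the image.
func signedMessage(image []byte) []byte {
	digest := sha256.Sum256(image)
	return append([]byte(signingContext), digest[:]...)
}

// SignImage runs on the vendor's signing host, never on the customer's machine.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, signedMessage(image))
}

// VerifiedImage is the only input the flashing step accepts. It holds a private copy of
// the bytes that passed verification, so a file swapped into the update directory
// between the check and the flash is never read.
type VerifiedImage struct {
	data   []byte
	digest [sha256.Size]byte
}

func (v *VerifiedImage) DigestHex() string { return fmt.Sprintf("%x", v.digest) }

// VerifyImage is the updater-side check on a downloaded, possibly MITMed, image and
// its detached signature. embeddedPub is compiled into the updater, never fetched.
func VerifyImage(embeddedPub ed25519.PublicKey, image, sig []byte) (*VerifiedImage, error) {
	if len(embeddedPub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(embeddedPub, signedMessage(image), sig) {
		return nil, ErrBadSignature
	}
	data := append([]byte(nil), image...) // independent of the caller's buffer
	return &VerifiedImage{data: data, digest: sha256.Sum256(data)}, nil
}

// FlashImage stands in for the privileged write; it cannot be handed raw bytes.
func FlashImage(v *VerifiedImage) string { return "flashed " + v.DigestHex() }

func main() {
	pub, priv, _ := GenerateVendorKeys()
	image := []byte("constructed firmware blob, not a real vendor image")
	sig := SignImage(priv, image)
	if v, err := VerifyImage(pub, image, sig); err == nil {
		fmt.Println(FlashImage(v))
	}
}
```

A tampered image, a signature made with a different key, or a truncated signature all fail VerifyImage, so nothing ever reaches FlashImage that was not signed by the embedded key.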

~~~
ikeboy
A local attacker can mitm anyway, no?

~~~
gruez
Not without administrator permissions

~~~
kogepathic
Local to the network. No administrator permissions required, you just have to
use your computer in a public place or have a hostile actor on the network
(e.g. hotel, cafe)

------
philliphaydon
Damn ASUS that's a real shame, because that Royal Blue Zenbook 3 is god damn
sexy

[https://www.asus.com/Notebooks/ASUS-ZenBook-3-UX390UA/](https://www.asus.com/Notebooks/ASUS-ZenBook-3-UX390UA/)

~~~
Bromskloss
Doesn't it affect only those who run Windows with this ASUS LiveUpdate thing
installed?

But perhaps you meant that you must now, as a protest, shun ASUS products. I
can sympathise with that.

~~~
philliphaydon
My reason for not buying one is because the screen res is small :(

I usually reformat them on arrival anyway.

~~~
Bromskloss
Is the screen matte or glossy?

------
uudecode
LiveUpdate runs on any OS the purchaser might install, or just Windows?

I have never had to perform a BIOS update with any off the shelf computer from
ASUS.

I have looked at the BIOS updates on offer. I cannot recall that they were
always hosted on a server using HTTPS. Or that MD5 signatures were provided.

But my understanding was that only users that knew what they were doing
applied BIOS updates after purchase.

Is flashing the BIOS really common with ordinary users?

It's a major change and not something I would want to be done automatically by
a third party.

This auto-updating craze is becoming a bit farcical.

Running programs that let third parties open ports, and run downloaded
executables.

But the concern is whether someone can MITM or tamper with the download?

~~~
Nullabillity
Only Windows, and only if you use the ASUS-provided image or manually install
it from their website.

------
ArchD
If "unauthorized access" to computer systems without actual damage to said
systems were not outlawed, there might be people who would make harmless
exploits against such irresponsible vendors and publicly shame them (in the
eyes of the general non-techy public) into action.

Alas, it's illegal to "exploit" but not illegal for system vendors to enable
exploits through negligence. Thus, because of how the law is written, vendors
have little incentive to care about security and well-meaning white hats are
disincentivized from demonstrating the vendors' irresponsibility.

------
graffitici
Out of curiosity, how would an attacker exploit this to run a code s/he wants?

Try to direct the DNS requests to their own server instead of the LiveUpdate
one? If so, how?

Also, what would be a better design? Hard-code IP addresses to prevent the DNS
trick? Use HTTPS and hardcode the public key of the server on every machine?

(Only asking out of curiosity, clearly.. Seems like a good case study for
designing things right.)

~~~
morsch
Redirecting DNS is one way; if the attacker can MITM the connection -- e.g.
they control the wireless AP, or the router, or the ISP -- they can also just
replace the server response with a modified image.

Hardcoding the IP is not a good idea and it doesn't work against MITMing.
HTTPS with certificate pinning would be the standard way to secure the
connection. Verifying the BIOS image using a certificate before installing it
is also "a good idea" (i.e. pretty much mandatory), that way users can provide
a binary downloaded on another computer.

------
nxzero
Even if the "last mile" is secure, unless the whole process is secure, it doesn't
matter if the download is secure; case in point, find an oss project that
documents their build process to see if security is baked in; hint, often
it is not.

------
shirro
The first thing I did when I got my ASUS UX303UA was re-partition and install
Arch Linux. Works flawlessly and I avoid issues with this sort of half baked
bloatware. I haven't done any BIOS updates because ASUS doesn't publish
detailed changelogs and I don't know if they are required or might cause
problems. Excellent hardware company that probably should just stick to
hardware.

Just an aside, but I have been out of the loop for awhile with Windows but I
couldn't believe how ugly Windows 10 looked when I booted it. I currently
float between Mac, ChromeOS and Gnome and my favourite at the moment is still
the material design look. Windows seems to be getting uglier. It is a shame
because, although different, I am not sure it is functionally all that much
worse these days.

------
foggarty9
"HTTP MITM to SYSTEM EXECUTION" ... "+ more"

i mean, what else is there?

------
raverbashing
Edit: below is irrelevant, I RTFA and it's even worse than I thought

Would it be possible that UEFI does that check (against a built-in signature)
instead of relying on HTTPS?

------
whyagaindavid
While I agree this BIOS update situation is poor, is there any proof a large
number of 'common users' are affected by MITM attacks? The average Joe is not
harbouring any state secret. This is similar to 'stage-fright'? Please
give numbers on who got affected? On the other hand, I find people are very
relaxed enabling remote desktop or teamviewer (as it promises them access to
their files anywhere) and using the same password.

------
goombastic
I need a good home firewall device with community based filters now.

------
jokoon
That's so dangerous that it can't be a mistake.

------
daveheq
But no problems have happened and if there are problems the market will work
it out, people will just stop buying Asus, no need to have laws for network
security!

------
bitmadness
Any suggestions for secure mobos?

------
joliya65
You may want to do something about the formatting of the XML messages, they
seem to be truncated at the moment.

------
hackney
Look no further than their moniker, Asus ROG (republic of gamers).

------
carwyn
At least one model of ASUS iKVM (server remote management daughter-board) I've
seen has an embedded linux OS that doesn't allow changing of the admin
password from the default. Doesn't use shadow passwd files either.

