The funny thing is that this is effectively a keylogger that does not run any code on the CPU while it is running.
I already knew it, but this just reinforced how terribly vulnerable pretty much every computer system is. Makes me think ransomware/hacks are going to get a lot worse, and I can’t see how the situation can be improved, at least for quite some time.
For some reason, I can't interpret your comment in any other way than security-paranoia FUD that's advocating for completely-locked-down user-hostile computers (or maybe I should say "devices"...) under the total control of Big Tech, because that's the narrative they've been using more and more to justify it.
That's rather cynical, but to clarify, my comment is rooted in the understanding (illustrated by OP in some excellent examples) that all of our digital infrastructure, from browsers down to silicon, are born from tight engineering schedules, "ship it" mentality, a focus on "ROI", and not necessarily security. Even if there were more focus on security, OPs article is fantastic at showing a sliver of this complexity, and the daunting task it is to understand the inter-relationship and consequences of many individual design choices, across a litany of components and libraries, over many decades and teams.
As a first step, I'd like to see some tough laws that hold companies liable for data leaks. Once it becomes a major liability to be the source of a data leak, most companies won't bother collecting PII, and will make it a point to ensure it's not stored on their systems. Nonetheless, systems will always have vulnerabilities and be exploited. This is at least worrisome from many, if not terrifying, and that should not be automatically interpreted as "security-paranoia FUD".
Someone would have to load this firmware onto your devices, either with local physical access or remote root access to your system. Are you suggesting it should be impossible for anyone to modify the firmware on their peripherals/NICs/etc, or else the world will end or similar? Is it only safe to allow us iPads?
I'm pointing out my conclusion: nothing is safe... yikes!
And no, I'm not worried that because of this article anyone can keylog my stuff. It's the realization from OPs summary that there are many attack vectors, and vulnerabilities hiding in and between layers and components. iPads are no different in that respect.
Seriously, how do we get passed the current state of zero-days and major vulnerabilities cropping up on the reg?
Some ideas from other commenters here aren't entirely convincing to me: require open source, require software standards (both of which would need to apply to hardware/silicon as well). I'm honestly looking for some thoughts on how to build a more secure digital future (Links to articles or studies are welcome).
But really, I think some perspective is needed on what is "safe". Is riding in a car "safe"? Is eating food from the supermarket "safe"? Can you ABSOLUTELY GUARANTEE that it's IMPOSSIBLE to screw it up? How did my parents survive for 60 years under these UNSAFE conditions?
I think electronic devices can be pretty damn safe, even without totally locked-down firmware and secure-boot. They can be flashed with low-level firmware at the hardware level (SPI or JTAG or similar), then boot trusted install media, wipe the mass storage and install fresh.
Then, keep it minimal, keep it under control. Don't install and use 20k components/libraries which you are not familiar with and of which hundreds want to update every other day. At least, be familiar with all the processes and daemons running. Either you should know why they're there, or they should not be there. You don't need a firewall if no process is listening for connections (and if you need a firewall to block it, why are you running it ?!) Just run less junk.
Programs are riddled with mistakes. Just because you can point a finger and say zero-day, doesn't mean that there's a single solution to this problem. Nothing _is_ safe; life is inherently unsafe.
Just make companies liable for any damage caused by their crappy products. Make them pay billions in damages every time somebody gets hacked because of their negligence. Then they'll start caring about the quality of their software instead of treating it as a cost center.
The implication that software providers should be liable seems to reappear eternally here and remains misguided. Even when we're essentially discussing hardware here.
Software is the perhaps that area where "good" or "crappy" is most undetermined. A given piece of software can be bullet-proof today and a catastrophic hole can appear tomorrow. And even if the producer releases an update, there's no guarantee it will be picked-up.
Overall situation is that what's needed is standards of software use for those companies which actually do damage. Without standards, your use of "crappy" is meaningless.
> A given piece of software can be bullet-proof today and a catastrophic hole can appear tomorrow.
Sometimes you do everything you can and things still go wrong. That's okay.
What happens in practice is totally different though. Gross negligence is endemic in the technology industry. Most companies out there simply don't give a shit. Their negligence is deliberate, calculated and pre-meditated. They know exactly how much damage they're causing and they don't care because caring costs money.
> Without standards, your use of "crappy" is meaningless.
It's not meaningless at all. For example, nearly every laptop manufacturer I've ever seen has delivered to me software that is unambiguously bad. This opinion is not controversial at all. You just need to fire up some manufacturer app to see just how incredibly bad they are.
I've posted about that here many times and people explained to me that the software is garbage because hardware companies literally don't care about it. They see it as just additional costs to be eliminated and as a result we get products which are total crap. My laptop came with a driver that intercepts my keystrokes and sends signals to the keyboard so that it can light up the LEDs under the keys I pressed. What caused an insane design like this to even come into existence is beyond me, no doubt it came down to saving a few cents in manufacturing. I replaced this functionality with free software and I'm not sure if I even want to know whether there are any vulnerabilities in that driver.
>My laptop came with a driver that intercepts my keystrokes and sends signals to the keyboard so that it can light up the LEDs under the keys I pressed. What caused an insane design like this to even come into existence is beyond me, no doubt it came down to saving a few cents in manufacturing. I replaced this functionality with free software and I'm not sure if I even want to know whether there are any vulnerabilities in that driver.
This is how malpractice qorks in every other injury. It isn't just about damage being caused by the software, but if there was a violation of the reasonble standard of care
> A given piece of software can be bullet-proof today and a catastrophic hole can appear tomorrow.
Only because you didn't notice the catastrophic hole today, and that's true of everything. When a building collapses the construction company/architects can't really get out of that by going "well it was perfectly fine yesterday, it's hardly our fault!", I don't see why we'd accept that attitude from software engineers.
The state space of a complex piece of software is vastly larger than that of a building, and the desirable states within that space are not continuous, while a building's desirable state space is pretty smooth. It's like the difference between walking along the knife edge of a fractal vs. standing on top of a mostly smooth hill.
Because of that, software simply can't be treated the same as other engineering disciplines, at least not yet.
> The state space of a complex piece of software is vastly larger than that of a building
Is it? Unless we can accurately simulate reality at the atom level and bruteforce building designs against every possible scenario to make sure it doesn't fail catastrophically, it's still all down to prior knowledge/experience, reasonable assumptions, approximations and measurements, just like in software. If anything, software is easier, as with enough efforts (formal methods, etc) you can get to prove the correctness of your software, but you can't really do so with a building.
A large chunk of software vulnerabilities is either due to outright incompetence, legitimate mistakes or cost-cutting. The example of an insecure, black-box backdoorable EC like in this article would have a "building" equivalent of using rebar or concrete of unknown specs and origin and then wondering why the construction collapsed.
Thankfully the liabilities associated with civil engineering means we mostly don't use unknown materials of shady origin and there are multiple layers of review to catch any oversights. The same can be applied to software, and while you're never going to get 100% in either domain, if software was as reliable as buildings (as in you can count the number of major collapses/bugs on one hand in the past few years) it would be a major improvement.
Disagree. First of all, the level of detail an atomic level simulation could provide is simply useless in the grand scheme of things. Classical physics is more than enough for the vast majority of use cases and they can be simulated by computers. Eg, you can programmatically measure the load bearing on any part of a structure. And the more important thing, engineers can usually fall back to safety margins that “linearly scale” the provided confidence in a given case. What I mean by that, is that if a given part has to be this stable, as per the calculations, you can trivially make it 3x wider.
While a while loop in a computer program will eat away at any sort of redundancy you may introduce, and the complexity of computability itself simply leaves behind even mathematics. There is no universal way to prove a non-trivial property of an arbitrary program.
This isn’t really fair. Most buildings, public works, utilities and industrial processes are extremely vulnerable to the most basic of attacks, they just don’t get carried out as often in physical space because it’s logistically more difficult to execute.
Your claim is fundamentally "It's logistically easier to attack software, so such attacks will happen more often".
This is absolutely true, but it's also proportionally easier to defend software. It's insanely easy to test whether your software is vulnerable to SQL injection, it's not particularly easy to test whether your building can be destroyed with explosives.
Combine that with the fact that just about every piece of consumer software on the planet has a laundry list of bugs that don't require malicious intent to reproduce, and I find it very hard to accept that reasoning for software developers absconding responsibility.
Empirical/dynamic testing for vulnerabilities is not rigorous or complete in any any way, and is only viable for a relatively small subset of issues.
I'm only suggesting that holding programmers liable for security vulnerabilities isn't really precedented across any other engineering discipline. That's not to say there isn't tons of shitty software being shipped with reckless disregard for quality, and some reckoning there might be useful.
We don't expect buildings to hold up to physical attacks. Most would crumble immediately. Just like most hardware doesn't catastrophically fail through normal use.
Computers are one of the only things we expect flawless defense against malice.
Today when computers are connected to the whole world, they have to build safe. The analogy would be, if everybody in the whole world could access the buildings frontdoor. In a such scenario, the frontdoor would, of course, build very heavy.
I agree. Standards or requirements should be enforced, and if there's a failure in the company's infrastructure, a panel should investigate if it was due to negligence or non-compliance with the standards. Also, insurance should be mandatory. If a given online platform was a physical piece of infrastructure like a school or a bridge, current state of affairs would cause an uproar.
> Make them pay billions in damages every time somebody gets hacked because of their negligence.
The downside is companies will lock down their hardware even more out of fear of getting sued. It's utterly amazing this person managed to get custom firmware executing on the WiFi chip... stuff like Intel's or AMD's microcode is digitally signed (and iirc, also encrypted) instead of using a plain old XOR checksum, and I'd argue the world is off a lot less safe as a result.
This natural desire to cut corners by locking down devices will be mitigated by right to repair laws.
With that said, it always irks me when someone suggests regulation as a solution to misconduct by large corporations and someone chimes in "But they'll just misbehave in some other way."
If the entity that is misbehaving has changed the way that they're misbehaving in response to your regulation that means that your regulations worked and that you merely need to continue regulating the offender.
Just make it illegal to lock down hardware as well. Now they can't cut corners anymore and will have to actually develop good software.
Just keep making their "clever" workarounds illegal every single time until the desired outcome is achieved. They should have literally no choice other than to make a good product.
> Just make it illegal to lock down hardware as well. Now they can't cut corners anymore and will have to actually develop good software.
Sadly that one won't ever happen, the copyright mafia will do everything they can to prevent that. Just look at how Netflix is locking down people on rooted devices.
You should never type your seed phase on any computer. Hardware wallets will give you a randomized keymap for you to recover a seed phrase without using any of the real letters.
Why? There's a world of difference between a rich corporation marketing and selling products to consumers and developers publishing some code on the web. It is obvious to me that society expects a lot more from the former.
I disagree. FOSS and commercially licensed (and sold) software with EULAs are two very different things, and can be distinguished in whatever legal language implements these theoretical liabilities
"... and I can't see how the situation can be improved, at least for quite some time."
I can. But no one is going to listen to either of us, so what does it matter.
Here is how I would start to improve the situation.
Disconnect untrusted computers from the internet.
In other words the only computer that is allowed to access the internet directly is a computer that has all the properties desired for adequate security. Those properties could be things like the hardware being repairable, having an open BIOS and the bootloader and OS being open source and able to be compiled from source by the user easily. Call this computer a "gateway" if you like, or call it a "firewall", or call it whatever you want to call it. The esential point is that it is the one computer you believe you can best understand and control.
I would be willing to bet any amount of money that just disconnecting all Windows computers from the internet, i.e., no direct connection, would result in a dramatic drop in security problems.
Keyloggers are not very useful on a mass scale if they cannot transfer the keystrokes over the internet.
There was a time when not all computers had unfettered direct access to the internet. They worked just fine. Maybe even better than ones today that are incessantly trying to connect to some server.
> Disconnect untrusted computers from the internet.
Disconnect billions of devices? How would you even enforce this?
> I would be willing to bet any amount of money that just disconnecting all Windows computers from the internet, i.e., no direct connection, would result in a dramatic drop in security problems.
Not really sure I understand your point here. Why stop at just Windows? If we remove all computers from the internet we would be so much more secure.
I'm also not sure why you single out Windows when even the blog post demonstrates this key logger in Linux (which is open source).
> There was a time when not all computers had unfettered direct access to the internet. They worked just fine. Maybe even better than ones today that are incessantly trying to connect to some server.
I hope this is a troll rather than someone honestly believing such a statement. You're claiming disconnected computers are perhaps better... while writing on one connected to the internet.
I think you’re missing part of their point (which isn’t super clear). You can still surf on such a computer, by going through an http proxy on the same LAN (the “gateway” they’re talking about, or bastion host)
They could very much be writing that comment on such a machine.
Amazing how people can (mis)interpret (unclear) comments as if they were crystal clear. They make assumptions. They read things in that are not there. It is truly entertaining, I never mentioned Linux. I never mentioned "desktop". Nor did I suggest Windows users would not be able to access the internet. Nor did I suggest the computer with IP forwarding enabled (call it what you like) needs to do everything a "firewall" does.
Indeed, I am writing this comment on such a commputer that runs a proxy for all the other computers. That's only because I like to experiment with different proxy configs.
More specifically, that the host should not route public IP space but use a proxy for any outbound connection (and a load balancer/reverse proxy for any incoming)
Every org is different of course but in the general I agree that this should be a more common pattern.
Most popular Linux distros are in many ways more vulnerable than Windows. Microsoft employs actual security engineers for Windows. To give one example, X11 is still in wide use.
The secure Linux distros are all of the locked down kind, like Chrome OS and Android.
The reason why we aren't seeing widespread desktop Linux malware campaigns is because almost nobody uses desktop Linux. The year of the Linux desktop, whenever it will be, will be followed by the year of the Linux desktop malware.
I love open source and free software, but it's not inherently more secure.
You might be surprised to find that Windows has a similar problem to X11 - any GUI window can send messages to any other GUI window, and on consumer versions of windows you can't use multiple simultaneous user sessions to separate different applications.
It's true that windows has way more mitigation technologies, and X11 is more laissez-faire. But if you don't run untrusted or crappy software, linux can be pretty damn good. You just don't really know how crappy all the components of windows really are, or which mitigations are really useful or really working correctly, and in software with that much complexity there's always some stuff that isn't really working and nobody notices. In linux, if you really care, you can trim down to a very minimal curated setup, and that's really the only way to know what's really going on in your computer.
> I would be willing to bet any amount of money that just disconnecting all Windows computers from the internet, i.e., no direct connection, would result in a dramatic drop in security problems
Given how many security problems come from the internet, I imagine that there would be a dramatic drop in security problems if any platform with as much popularity as usage as was cut off from contacting other machines over the internet, even if the platform had above average security.
Although there is a reason I said Windows and not some OS that can be trimmed down and compiled from source by the user (not necessarily GNU/Linux, there are others), it does not matter so much what is the "platform" (I presume you mean OS) nor its popularity. The idea is that fewer of each user's computers, no matter what kernel they run, would be able to directly contact other computers over the internet.
Bluetooth is a dumpster fire of vulnerabilities already.
Where I live it's not too hard to wardrive around the block playing funny noises into random peoples' bluetooth speakers and headphones inside their homes.
Really interesting, this is the first time I hear anything about what is in those Realtek firmwares. Keylogger aside, is there anything fun or nefarious one could do with the radio?
Also, we use them at work in our products, and usually just get the firmware and driver binaries thrown over the wall by the board vendor, withouy any description or changelog. I'm tempted to throw a few different bins through Ghidra and see if I can tell what changed.
Considering people have been converting the PWM pin of a raspberry pi into a digital TV transmitter and the fact that all modern wi-fi chipsets are software defined, I think a lot of malicious stuff can be done with it if one really sets their mind to it. Much more than the regular deauth shenanigans.
Yes, it's very cool! But don't use it to transmit in practice though. The output is very dirty because it produces square waves which generate a lot of harmonics (emissions on unintended frequencies).
You can use this safely if you know what you're doing but only with a lot of filtering. Or by not transmitting as such but outputting into a receiver directly with some attenuation.
> Considering people have been converting the PWM pin of a raspberry pi into a digital TV transmitter
Somehow the world didn't end though?
Maybe we should just assume the RF spectrum can and will be interfered with regarding of regulation and design accordingly, rather than trying to put the cat in the bag? After all, that's the approach we take for security despite "hacking" being illegal in most countries, and yet we still use HTTPS and authentication.
There is a difference between transmitting on the TV band with a range of one room and sticking a transmitter tower up in your back yard. No one cares or can even detect low power unauthorized transmissions.
A firmware for the wifi/bluetooth can convince the embedded controller to pass the keys that are pressed on the keyboard and pass this data using wifi, is that?
If that is the case, my list of reasons to like open-source firmwares and dislike intel IME has just increased a bit more.
The EC has to be flashed too, so it’s not really convincing it of anything. It’s also worth noting that since the wifi firmware isn’t persistent you need to keep the compromised WiFi firmware in your Linux install. So wiping your disk would remove this hack.
> 8051s love talking to each other after all, otherwise USB would not exist.
Can anyone explain what the author meant by that? I thought 8051 is just an ISA, is there something special there for cross IC communication compared to other ISAs? And what the the connection to USB?
Due to its historical influences, 8051-based microcontrollers and cores are still widely used in a huge number of embedded devices and ASICs everywhere - motherboard EC, Ethernet, Wi-Fi controllers, this also includes the peripheral devices that plug into USB ports, like a mouse, a keyboard, a sensor, or industrial controllers, or whatever, so the first part of the joke is most communications via USB are just 8051s talking to each others. The second part of the joke is that even USB ASICs themselves, like USB hubs or host controllers, are often powered by 8051 cores.
I think the author's simply referencing the fact that it's a common chip used in many usb controllers and make it easy to build peripherals that work with USB standards.
Nice. I'm all for opening up hardware. Now if only someone broke HP's draconian firmware restrictions (verifies firmware at boot an reflashes anything "compromised" with a backup stored who knows where) that would open it up for some real security measures (ME cleaner, coreboot, etc.) and modding in general.
Preventing hackers from hacking sucks balls when you're that hacker hacking your own hardware. For me this is a feature and what differenciates a general purpose computer from a locked down games console.
Is this an actual implementation? Or is it just someone musing about what would be possible? Is it even possible for a Bluetooth chipset to read the traffic sent by the devices, or is the encryption handled by the CPU?
So how does Realwow work? I see the site and can enter some ID, but that request is not going to land magically and globally at my Realtek chip. What am I missing here?
> That "technology" included in Realtek is absolutely bonkers -- who asked for that functionality at a consumer level? No one.
What tech are we talking about? WoL is definitely appreciated in all devices, although the "RealWoW" thing is very much diminishing returns. Otherwise, everything is just normal programmable chips and DMA-type data movement, both of which are generally desirable.
nah. i'll take wifi hardware that doesn't have buggy layer 4+ features in firmware that hackers can exploit to turn my keystrokes into udp packets, thank you very much.
in fact, i think i'd prefer a computer that leaves all the layer 4+ up to the operating system as at least it has a chance of being audited.
that said, this raises an interesting point. the only way to really be sure is to sniff your own packets... but if everything moves to being encrypted that's going to get a lot harder...
The RealWoW stuff requires host cooperation to set the proper configuration fields. The card has very basic functionality to be pre-configured to respond to certain packets, but this needs to be set by the host - it is disabled by default and in fact the Linux driver doesn't even support it.
In addition if he could achieve code execution on the card it wouldn't matter whether the card has this functionality as he could implement it himself if needed.
sorry. regardless of whether or not you can change the firmware binaries to do what you want. i'm really not okay with half-assed remote management junk being baked into the nic of my personal laptop that bypasses any firewalls i can configure and is constructed from code i cannot review.
that is exactly the kind of crap that gets exploited.
This comment doesn't seem too related to the article except for the words "Jason Snell" and "Realtek", and both of those appear misused.
So I don't mean to be rude, but I'm guessing this is a chatbot? Skimmed for proper-nouns, then generic shrills about how the author and article are great and how technology's too complicated?
Oh no I mixed up social media handles I must be a chat bot
> Skimmed for proper-nouns
Oh no I mixed up social media handles I must be a chat bot
> then generic shrills
Huh? I'm complaining about the very real technology present in the Realtek chips that enables any moron with access to a web browser to send firmware-level commands anywhere in the world.
Did you even read the article?
> about how the author and article are great
Are you a chatbot? I didn't even sing about the article being great, I asked if anyone had a real consumer application for the tech presented as an attack vector in the article.
Go outside. Talk to a human being. I'm betting it's been a couple years for you if you're this bad at not only misjudging intention but going straight to "this must not be a human being, only a bot would respond with something I do not wholly understand".
