submitted 1 hour ago by L4s to c/technology

Tesla Whistleblower Says 'Autopilot' System Is Not Safe Enough To Be Used On Public Roads::"It affects all of us because we are essentially experiments in public roads."

submitted 1 hour ago by [email protected] to c/technology

Firmware security company Binarly on Wednesday disclosed the details of an attack method that can be used to compromise many consumer and enterprise devices by leveraging malicious UEFI logo images.

The attack method, dubbed LogoFAIL, exploits vulnerabilities in the image parsers used by the UEFI firmware to display logos during the boot process or in the BIOS setup. Getting the affected parsers to process a specially crafted image can enable the attacker to hijack the execution flow and run arbitrary code.

Hackers can use the LogoFAIL attack to compromise the entire system and bypass security measures such as Secure Boot.

“These vulnerabilities can compromise the entire system’s security, rendering ‘below-the-OS’ security measures like any shade of Secure Boot ineffective, including Intel Boot Guard. This level of compromise means attackers can gain deep control over the affected systems,” Binarly explained.

Binarly’s analysis showed that UEFI vendors use various types of parsers for BMP, PNG, JPEG, GIF and other types of images. The security firm’s research targeted firmware from Insyde, AMI and Phoenix and led to the discovery of two dozen vulnerabilities, more than half of which have been assigned a ‘high severity’ rating.

The impacted firmware is shipped with hundreds of consumer and enterprise computer models — including x86 and ARM-based devices — made by companies such as Acer, Dell, Framework, Fujitsu, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, and Supermicro. This means millions of devices worldwide could be exposed to attacks.

A LogoFAIL attack can be launched by abusing the firmware update procedure to replace the legitimate logo with a malicious version. Attacks through physical access may also be possible, using an SPI flash programmer, assuming that the logo is not protected by hardware verified boot technologies.

Some vendors — this includes Intel, Acer and Lenovo — offer features that enable users to customize the logos displayed during boot, which can make it possible to launch LogoFAIL attacks from the OS, without the need for physical access to the device.

It’s important to note that while image parser vulnerabilities have been found in devices from all of the aforementioned vendors, they cannot always be exploited. In Dell’s case, for instance, the logo is protected by Intel Boot Guard, which prevents its replacement even if the attacker has physical access to the targeted system. In addition, Dell does not offer any logo customization features.

Details of the attack were presented by Binarly at the Black Hat Europe conference on Wednesday, and the company has published a technical blog post describing its findings.

The security firm has published a video showing a proof-of-concept (PoC) LogoFAIL exploit in action, demonstrating how an attacker who has admin permissions on the operating system can escalate privileges to the firmware level.

The vulnerabilities were reported to impacted vendors through CERT/CC several months ago, but it can take a lot of time for patches for these types of security holes to reach end devices, even if vendors create the fixes.

submitted 46 minutes ago by ElectroVagrant to c/technology
submitted 2 hours ago by [email protected] to c/technology

Just seems like everything is "this company did this to their employees" and less about "this novel messaging protocol offers these measured pros and cons." Or similar.

And yes, I could post things, but I'm referring to what hits the top, 12h.

Can anyone rec communities with less of a biz and politics and wfh vs in-office vibe?

submitted 2 hours ago by GutsBerserk to c/technology

Gemini is available to consumers in Bard or Pixel 8 Pro now, with an enterprise model coming Dec. 13.

submitted 3 hours ago by [email protected] to c/technology
submitted 3 hours ago by L4s to c/technology

America’s Most Exciting High Speed Rail Project Gets $3 Billion Grant From Feds::The Southern California-to-Las Vegas route makes total sense and involves no wishful thinking in order to be a resounding success.

submitted 5 hours ago by L4s to c/technology

Norwegian union joins Sweden and Denmark in strike against Tesla::Fellesforbundet will launch boycott actions against Tesla in Sweden if the labour dispute does not end in a collective agreement by 20 December.

submitted 4 hours ago by redditsucksdoughnuts to c/technology

AMD today announced the Instinct MI300 range, a direct rival to Nvidia's H100 AI accelerators. AMD's units promise roughly 10% to 20% faster times when inferencing and equivalent speeds for training.

submitted 6 hours ago by thehatfox to c/technology
submitted 7 hours ago by L4s to c/technology

Tesla strike in Sweden now involves Denmark, may spread to Norway and Finland — “Just like companies, the trade union movement is global in the fight to protect workers,” says chair of Danish union::Tesla is locked in a titanic struggle with Sweden's largest labor union. The result could have repercussions around the world.

submitted 8 hours ago by kinther to c/technology
submitted 6 hours ago by PoseidonsWake to c/technology

We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.

submitted 8 hours ago by [email protected] to c/technology
submitted 9 hours ago by [email protected] to c/technology
submitted 6 hours ago by [email protected] to c/technology

Gemini is Google's natively multimodal AI model capable of reasoning across text, images, audio, video and code. This video highlights some of their favorite interactions with Gemini. Learn more and try the model: https://deepmind.google/gemini

submitted 10 hours ago by fne8w2ah to c/technology
submitted 11 hours ago by L4s to c/technology

Amazon's strict return-to-office policy is pushing more employees into quitting

submitted 9 hours ago by L4s to c/technology

Twitch to shut down in Korea over ‘prohibitively expensive’ network fees::Twitch, the popular video streaming service, plans to shut down its business in South Korea on February 27 after network costs became "prohibitively expensive" in the leading esports market.

submitted 13 hours ago by DannyMac to c/technology
submitted 8 hours ago by theherk to c/technology
submitted 13 hours ago by L4s to c/technology

PlayStation is erasing 1,318 seasons of Discovery shows from customer libraries::The change comes as Warner Bros. tries to add subscribers to Max, Discovery+ apps.

submitted 14 hours ago by DannyMac to c/technology
Gemini - Google DeepMind (deepmind.google)
submitted 8 hours ago by kinther to c/technology
submitted 11 hours ago by [email protected] to c/technology

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below; to ask whether your bot can be added, please contact us.
  9. Check for duplicates before posting; duplicates may be removed.

Approved Bots

founded 5 months ago