Tesla Whistleblower Says 'Autopilot' System Is Not Safe Enough To Be Used On Public Roads::"It affects all of us because we are essentially experiments in public roads."
Firmware security company Binarly on Wednesday disclosed the details of an attack method that can be used to compromise many consumer and enterprise devices by leveraging malicious UEFI logo images.
The attack method, dubbed LogoFAIL, exploits vulnerabilities in the image parsers used by the UEFI firmware to display logos during the boot process or in the BIOS setup. Getting the affected parsers to process a specially crafted image can enable the attacker to hijack the execution flow and run arbitrary code.
Hackers can use the LogoFAIL attack to compromise the entire system and bypass security measures such as Secure Boot.
“These vulnerabilities can compromise the entire system’s security, rendering ‘below-the-OS’ security measures like any shade of Secure Boot ineffective, including Intel Boot Guard. This level of compromise means attackers can gain deep control over the affected systems,” Binarly explained.
Binarly’s analysis showed that UEFI vendors use various types of parsers for BMP, PNG, JPEG, GIF and other types of images. The security firm’s research targeted firmware from Insyde, AMI and Phoenix and led to the discovery of two dozen vulnerabilities, more than half of which have been assigned a ‘high severity’ rating.
The impacted firmware is shipped with hundreds of consumer and enterprise computer models — including x86 and ARM-based devices — made by companies such as Acer, Dell, Framework, Fujitsu, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, and Supermicro. This means millions of devices worldwide could be exposed to attacks.
A LogoFAIL attack can be launched by abusing the firmware update procedure to replace the legitimate logo with a malicious version. Attacks through physical access may also be possible, using an SPI flash programmer, assuming that the logo is not protected by hardware verified boot technologies.
Some vendors — this includes Intel, Acer and Lenovo — offer features that enable users to customize the logos displayed during boot, which can make it possible to launch LogoFAIL attacks from the OS, without the need for physical access to the device.
It’s important to note that while image parser vulnerabilities have been found in devices from all of the aforementioned vendors, they cannot always be exploited. In Dell’s case, for instance, the logo is protected by Intel Boot Guard, which prevents its replacement even if the attacker has physical access to the targeted system. In addition, Dell does not offer any logo customization features.
Details of the attack were presented by Binarly at the Black Hat Europe conference on Wednesday, and the company has published a technical blog post describing its findings.
The security firm has published a video showing a proof-of-concept (PoC) LogoFAIL exploit in action, demonstrating how an attacker who has admin permissions on the operating system can escalate privileges to the firmware level.
The vulnerabilities were reported to impacted vendors through CERT/CC several months ago, but it can take a lot of time for patches for these types of security holes to reach end devices, even if vendors create the fixes.
Just seems like everything is "this company did this to their employees" and less about "this novel messaging protocol offers these measured pros and cons." Or similar
And yes, I could post things, but I'm referring to what hits the top, 12h.
Can anyone rec communities with less of a biz and politics and wfh vs in-office vibe?
Gemini is available to consumers in Bard or Pixel 8 Pro now, with an enterprise model coming Dec. 13.
America’s Most Exciting High Speed Rail Project Gets $3 Billion Grant From Feds::The Southern California-to-Las Vegas route makes total sense and involves no wishful thinking in order to be a resounding success.
Norwegian union join Sweden and Denmark in strike against Tesla::Fellesforbundet vil sette i gang boikottaksjoner mot Tesla i Sverige hvis arbeidskonflikten ikke ender i tariffavtale innen 20. desember.
AMD today announced the Instinct MI300 range, a direct rival to Nvidia's H100 AI accelerators. AMD's units promise roughly 10% to 20% faster times when inferencing and equivalent speeds for training.
Tesla strike in Sweden now involves Denmark, may spread to Norway and Finland — “Just like companies, the trade union movement is global in the fight to protect workers,” says chair of Danish union::Tesla is locked in a titanic struggle with Sweden's largest labor union. The result could have repercussions around the world.
We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.
Gemini is Google's natively multimodal AI model capable of reasoning across text, images, audio, video and code. This video highlights some of their favorite interactions with Gemini. Learn more and try the model: https://deepmind.google/gemini
Amazon's strict return-to-office policy is pushing more employees into quitting::undefined
Twitch to shut down in Korea over ‘prohibitively expensive’ network fees::Twitch, the popular video streaming service, plans to shut down its business in South Korea on February 27 after finding that operating in one of the Twitch plans to shut down its business in South Korea after network costs became "prohibitively expensive" in the leading esports market.
PlayStation is erasing 1,318 seasons of Discovery shows from customer libraries | The change comes as Warner Bros. tries to add subscribers to Max, Discovery+ apps.::The change comes as Warner Bros. tries to add subscribers to Max, Discovery+ apps.
This is a most excellent place for technology news and articles.
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed