Vulnerabilities / Threats

7/24/2017
01:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

7 Hardware & Firmware Hacks Highlighted at Black Hat 2017

Researchers will hammer home potentially devastating attacks, and demo a range of vulnerabilities, techniques and tools.
Previous
1 of 8
Next

Image Source: Adobe Stock

Image Source: Adobe Stock

When enterprises build their security models based on implied trust at the hardware and firmware level, they're building them on a foundation of sand. Security researchers are going to repeatedly hammer that lesson home at Black Hat this week as they demonstrate a range of vulnerabilities, attack techniques and tools designed to get as close to the bare metal of systems as possible.

"Researchers have started really challenging the assumptions that we have about the security of platforms and digging into that," says Stefano Zanero, a researcher and associate professor at Politecnico di Milano, as well as a Black Hat review board member. "These are the very basic hardware-related features of our computers — they are things that a very, very limited amount of people have been looking into for decades, but they are growing in importance right now."

It's a dangerous category of flaws as they tend to render protections higher up the platform stack completely moot. Exploiting low-level vulnerabilities in hardware, firmware and instruction sets makes it possible for attackers to quietly and persistently take full control over even the most well-patched and defended devices.

Here are the talks most likely to make waves this week.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10869
PUBLISHED: 2018-07-19
redhat-certification does not properly restrict files that can be download through the /download page. A remote attacker may download any file accessible by the user running httpd.
CVE-2018-10870
PUBLISHED: 2018-07-19
redhat-certification does not properly sanitize paths in rhcertStore.py:__saveResultsFile. A remote attacker could use this flaw to overwrite any file, potentially gaining remote code execution.
CVE-2018-12959
PUBLISHED: 2018-07-19
The approveAndCall function of a smart contract implementation for Aditus (ADI), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all contract balances into their account).
CVE-2018-14336
PUBLISHED: 2018-07-19
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
CVE-2018-10620
PUBLISHED: 2018-07-19
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code t...