NIST CSF, JTAG vs (OG) Xbox, Tricked Ya, Intel’s Security, & Josh Debates Jeff – PSW #795
In the Security News: You should read the NIST CSF, JTAG hacking the original Xbox, tricked into sharing your password, attacking power management software, the vulnerability is in the SDK, tearing apart printers to find vulnerabilities, a pain in the NAS, urllib.parse is vulnerable, hacking the subway, again, how not to implement encryption from OSDP, Intel does a good job with security, and hacking card shuffling machines! All that and more on this episode of Paul’s Security Weekly!
Announcements
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive-level conferences is designed to educate senior cyber professionals on the latest threat landscape. We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register. Visit securityweekly.com/cybersecuritysummit to learn more and register today!
Hosts
- 1. Raspberry Pi Used To Hijack Casino Card Shuffler
"Moreover, you don't even have to be a card-playing genius to make sense of the Deckmate 2's data; it even has a built-in camera, for deck verification purposes. IOActive found that the camera feed could be accessed to learn the entire order of the deck in real time. An obvious cheating method which could stem from this is that visual data could be sent to a nearby smartphone via Bluetooth, which the IOActive team also tested. The second person could work in cahoots with the player at the table, to signal a decision or strategy."
- 2. Intel’s Arc Alchemist GPUs Have Hidden Security Flaws
"It certainly hasn't been a good week for Intel. After a year-long embargo, the chipmaker had finally lifted the curtain on Downfall, a vulnerability with costly performance penalties that impacts multiple generations of Intel processors. And now, Intel's internal team has discovered vulnerabilities with Arc A770 and Arc A750 graphics cards sold between October and December 2022. The advisory seemingly indicates that the flaw isn't widespread but only affects batches sold during the mentioned timeframe." - Grossly overstated. Intel has done an outstanding job ensuring the security of their platforms. Let's not forget AMD has also suffered from speculative execution-style vulnerabilities recently as well. Also, the graphics card vulnerabilities are not a huge deal and are in the DoS category.
- 3. AMD Zen 1 Vulnerability Not Properly Fixed, Second Pass Issued
- 4. JTAG ‘Hacking’ the Original Xbox in 2023
Really amazing article: "This blogpost revisited an old idea that the original Microsoft Xbox could have been hacked through Intel’s x86 CPU JTAG interface. A custom CPU interposer PCB was created to breakout the JTAG signals to a CodeTAP hardware debugger. The secret Xbox bootrom was successfully dumped via Intel JTAG, with real debug capabilities from the very first instruction of execution - closing the chapter on a 20 year old theory."
- 5. Next-gen OSDP was supposed to make it harder to break in to secure facilities. It failed.
Awesome research, and a huge failure in the implementation of crypto: "Unfortunately, the fix OSDP developers devised does nothing to solve that problem. When transmitting an SCBK to a new device, the standard encrypts it with a default key, known as an SCBK-D. Since the SCBK-D is known to all devices—including the researchers’ covert listening device—it’s trivial for the attackers to obtain a valid SCBK. From there, the attackers can view all messages transmitted on the network, including secret credentials stored on badges presented at security checkpoints."
- 6. Mac malware can easily bypass Apple’s Background Task Manager
- 7. Teens Hacked Boston Subway Cards to Get Infinite Free Rides—and This Time, Nobody Got Sued
This is a pretty crazy story.
- 8. Python Parsing Error Enabling Bypass CVE-2023-24329
"Due to this issue, attackers can bypass any domain or protocol filtering method implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF, and other problems. Failure of domain name filtering may lead to re-access of blocked bad or dangerous websites or to failure of CSRF referer type defense, etc."
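One defensive check for the urllib.parse issue above, written as an added example that is not from the article or from CPython: normalize the URL the way the WHATWG URL spec does (strip leading and trailing C0 control characters and spaces) before any policy decision, then enforce an allowlist of schemes instead of a blocklist. The policy sets and sample inputs are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Characters the WHATWG URL spec ignores at the ends of a URL:
# C0 controls U+0000..U+001F plus U+0020 space. The CVE-2023-24329 fix made
# urlsplit() drop these from the front; this example strips both ends, as the spec does.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

# Assumed policy for this example: only plain web URLs with a real host are fetched.
ALLOWED_SCHEMES = {"http", "https"}


def blocklist_is_allowed(url: str) -> bool:
    """The fragile pattern: parse the raw string, then reject known-bad schemes.

    On CPython releases before the CVE-2023-24329 fix, urlsplit() did not strip
    leading whitespace, so " file:///etc/passwd" parsed with scheme == "" and
    slipped past this check. Kept only to contrast with the hardened version.
    """
    parts = urlsplit(url)
    return parts.scheme.lower() not in {"file", "ftp", "gopher"}


def normalize_url(url: str) -> str:
    """Strip the characters the spec ignores *before* any policy decision."""
    return url.strip(_C0_AND_SPACE)


def hardened_is_allowed(url: str) -> bool:
    """Normalize, then require an allowlisted scheme and a non-empty host."""
    parts = urlsplit(normalize_url(url))
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # hostname is None for scheme-only or host-less URLs such as "https:///x"
    return bool(parts.hostname)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the article.
    for u in ("https://example.com/a", " file:///etc/passwd",
              "\x1fhttps://example.com", "ftp://example.com", "https:///x"):
        print(repr(u), hardened_is_allowed(u))
```

Independent of the interpreter version, the hardened check rejects the leading-space file URL; the blocklist variant only does so on a patched CPython.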
- 9. A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition
This is a must read article on this research. Really well done. I like this part: "However, when we took a closer look, we noticed that something did happen: a new connection to our device was created. This meant that we did not get blocked by Western Digital cloud, instead we reached the device and did not have permissions. This was actually a pretty big deal, because we actually reached the device which was sitting in an internal network and was not network exposed. This meant that by only knowing a device GUID, we could interact with it. While this did not give us immediate control over the device, just gaining access was a good point to start." - And how they used the CTL to enumerate the GUID of all NAS devices!
- 10. Lexmark Command Injection Vulnerability ZDI-CAN-19470 Pwn2Own Toronto 2022
"We sacrificed our first printer to desolder the flash chip and dump the firmware and used the second one to test against. Unfortunately, both of our printers had toner issues which disabled large parts of the functionality of the printer including PJL."
- 11. GitHub – hardenedvault/ved-ebpf: VED-eBPF: Kernel Exploit and Rootkit Detection using eBPF
- 12. Microsoft finds vulnerabilities it says could be used to shut down power plants
"The vulnerabilities affect the CODESYS V3 software development kit. Developers inside companies such as Schneider Electric and WAGO use the platform-independent tools to develop programmable logic controllers, the toaster-sized devices that open and close valves, turn rotors, and control various other physical devices in industrial facilities worldwide." - Similar to vulnerabilities in reference code, I think this is a bigger deal than people realize. Again, the supply chain comes into play in order to get a fix rolled out.
- 13. Data centers at risk due to flaws in power management software
"Using multiple vulnerabilities found in the software, the researchers bypassed authentication, allowing them to see and configure devices on that network. With initial access to the software, hackers could then pivot to power distribution units, which are essentially glorified smart power strips that monitor energy usage."
- 14. Reflecting on supply chain attacks halfway through 2023
"For me, in reading the Year in Review so far and reflecting on it on the podcast, I had completely forgotten about supply chain attacks. I personally think the MOVEit file transfer breach, and follow-on breaches and compromises, has been placed on the back burner because it’s almost too big for us to even conceive of. At this point, nearly every Fortune 500 company has been affected by this in some way." - Let's not forget the hardware supply chain. Recent vulnerabilities in CPUs I would dub as supply chain-related vulnerabilities as you have to navigate the complex supply chain to get a fix.
- 1. What’s New in the NIST Cybersecurity Framework 2.0
I can't believe NIST CSF is almost 10 years old! The draft v2.0 is now available for review. This article highlights some of the changes, but heck - go find the draft and take a look for yourself.
- 2. The NIST Cybersecurity Framework 2.0
Here - I made it easy for you. Enjoy!
- 3. DARPA, White House launch $20M AI, cybersecurity challenge
Note the connection to DEF CON: "DARPA will host an open competition for AIxCC where up to 20 teams will advance to the semifinals next August at the DEF CON 2024 conference, followed by up to five teams advancing to the finals, according to the agency’s website. In August 2025, three winners will be chosen at DEF CON 2025."
- 4. Fresh Blow to PSNI Security as Second Data Breach Disclosed
Remember the other week we were talking about the legal term, "data breach"? This is an example, and it wasn't even a cyber attack.
- 5. Did the NSA create Bitcoin?
"There’s a small sect of Bitcoiners that believes Satoshi Nakamoto — the creator of Bitcoin — is, in fact, the United States National Security Agency in disguise."
- 6. Bomb threat causes mass evacuation at DEF CON hacking convention
I wasn't actually around for the evacuation, but thanks to the diligence of DEF CON organizers and local authorities.
- 7. Strength in Numbers: NVIDIA and Generative Red Team Challenge Unleash Thousands to Vet Security at DEF CON
Lots of cool stuff at DEF CON this year. Seems like there were a dozen new villages, too.
- 8. For the first time, U.S. government lets hackers break into satellite in space
This was probably the coolest thing that happened at DEF CON last week. Aside from the huge, free pen test that was targeted at the "Sphere".
- 9. Health Data of Millions Impacted by MOVEit Exploit at IBM
Et tu, IBM?
- 1. Is this the next NextGenHacker101?
- 2. This $70 device can spoof an Apple device and trick you into sharing your password
- 3. Android 14 introduces first-of-its-kind cellular connectivity security features
- 4. TunnelCrack: Widespread design flaws in VPN clients
- 5. JTAG ‘Hacking’ the Original Xbox in 2023
- 6. What’s New in the NIST Cybersecurity Framework 2.0
- 7. Discord.io suffers massive data breach, announces closure