Recon 2022

Detect Me If You Can - Anti-Firmware Forensics
06-05, 15:30–16:00 (US/Eastern), Grand Salon

As firmware threats become more prevalent, security companies have started to provide UEFI firmware scanners that detect malicious firmware implants. These scanners first acquire the firmware image from the SPI flash memory on the target hardware, then parse the image and scan it against known signatures.

Every software-based firmware acquisition on Intel platforms, where the SPI flash is read through the host rather than with an external programmer, runs the risk of being intercepted by an SMM rootkit. Security researchers have pointed out this risk for years. However, no implementation has been made publicly available, and no one has demonstrated the attack in practice.

In this presentation, I'll explain the firmware-acquisition MitM attack PoC that I implemented to assess the risk correctly. I'll also show that the PoC can hide known bootkit components from both open-source and closed-source firmware security tools. I believe that the findings from this research will be helpful for better firmware scanner implementations in the future.
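To make the two ideas above concrete (what a scanner does with an acquired image, and why an in-band acquisition can be silently filtered), here is an added example that is not the talk's PoC and not code from the speaker or VMware. It walks a constructed SPI image for UEFI Firmware Volume headers (the header layout follows the PI specification; the checksum is the standard 16-bit word sum), runs a signature scan, and then compares a simulated software read with a simulated external-programmer read. The firmware contents, the "implant" pattern, the signature list, and the SMM filter are all invented for illustration.

```python
"""Added example (not from the talk): minimal UEFI Firmware Volume walker plus
signature scan, run over a constructed SPI image as read in-band (subject to a
simulated SMM filter) and out-of-band (external programmer, nothing interposes).
Only the FV header layout is real; every byte of content here is constructed."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"              # EFI_FIRMWARE_VOLUME_HEADER.Signature, at offset 40
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"  # ZeroVector, FileSystemGuid, FvLength, Signature,
                                    # Attributes, HeaderLength, Checksum, ExtHeaderOffset,
                                    # Reserved, Revision
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)   # 56 bytes before the block map
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")

# Constructed signature list, standing in for a scanner's bootkit patterns (not real IOCs).
SIGNATURES = {"demo-bootkit-dxe-marker": b"DEMO_IMPLANT_DXE"}


def checksum16(data: bytes) -> int:
    """PI-style 16-bit checksum: sum of all little-endian uint16 words, mod 2^16."""
    if len(data) % 2:
        data += b"\x00"
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def build_fv(body: bytes, block_size: int = 0x1000) -> bytes:
    """Construct one FFSv2 firmware volume around `body` (filler, not real FFS files)."""
    header_len = FV_HEADER_SIZE + 16          # one block-map entry plus zero terminator
    fv_len = header_len + len(body)
    fv_len += (-fv_len) % block_size          # pad to a whole number of blocks
    block_map = struct.pack("<IIII", fv_len // block_size, block_size, 0, 0)

    def pack(checksum):
        return struct.pack(FV_HEADER_FMT, b"\x00" * 16, FFS2_GUID.bytes_le, fv_len,
                           FV_SIGNATURE, 0x0004FEFF, header_len, checksum, 0, 0, 2) + block_map

    csum = (-checksum16(pack(0))) & 0xFFFF    # choose Checksum so the header sums to zero
    return pack(csum) + body + b"\xff" * (fv_len - header_len - len(body))


def parse_firmware_volumes(image: bytes) -> list:
    """Find '_FVH' headers; return (offset, length, filesystem GUID, header_checksum_ok)."""
    volumes, pos = [], 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            break
        start, pos = sig - 40, sig + 1
        if start < 0:
            continue
        fields = struct.unpack_from(FV_HEADER_FMT, image, start)
        fs_guid, fv_len, header_len = uuid.UUID(bytes_le=fields[1]), fields[2], fields[5]
        if fv_len < header_len or start + fv_len > len(image):
            continue                          # not a plausible volume; keep searching
        header_ok = checksum16(image[start:start + header_len]) == 0
        volumes.append((start, fv_len, str(fs_guid), header_ok))
        pos = start + fv_len                  # volumes do not overlap; jump past this one
    return volumes


def scan_signatures(image: bytes) -> list:
    """Return (signature name, offset) for every known pattern found in the image."""
    hits = []
    for name, pat in SIGNATURES.items():
        off = image.find(pat)
        while off >= 0:
            hits.append((name, off))
            off = image.find(pat, off + 1)
    return hits


def acquire_via_software(flash: bytes) -> bytes:
    """Simulated in-band SPI read. The result passes through a hypothetical SMM-resident
    filter standing in for the MitM the talk describes: implant bytes are replaced with
    padding of equal length, so sizes and FV headers still look consistent."""
    clean = flash
    for pat in SIGNATURES.values():
        clean = clean.replace(pat, b"\xff" * len(pat))
    return clean


def acquire_via_programmer(flash: bytes) -> bytes:
    """Simulated out-of-band read (external SPI programmer); nothing on the host interposes."""
    return flash


def cross_check(software_image: bytes, hardware_image: bytes) -> bool:
    """True when both acquisitions agree; a mismatch means the in-band path is untrustworthy."""
    return hashlib.sha256(software_image).digest() == hashlib.sha256(hardware_image).digest()


def demo() -> dict:
    implant_body = b"\x00" * 64 + SIGNATURES["demo-bootkit-dxe-marker"] + b"\x00" * 64
    flash = build_fv(b"\xff" * 200) + build_fv(implant_body)   # constructed SPI contents
    sw, hw = acquire_via_software(flash), acquire_via_programmer(flash)
    return {
        "volumes": parse_firmware_volumes(sw),
        "hits_software_read": scan_signatures(sw),
        "hits_programmer_read": scan_signatures(hw),
        "acquisitions_agree": cross_check(sw, hw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both reads parse as two well-formed volumes with valid header checksums, because the filter only touches the volume body; the signature scan finds the implant only in the programmer read. The practical takeaway is the last line of `demo()`: a scanner that can only read in-band has no way to notice the substitution, so an out-of-band dump (or some other acquisition path the SMM code cannot reach) is the check to compare against.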

The PoC will be published after the presentation.

Takahiro Haruyama is a Senior Threat Researcher on the VMware Threat Analysis Unit (TAU), with over ten years of extensive experience and knowledge in malware analysis and digital forensics. He previously worked on reverse-engineering cyber espionage malware with Symantec's threat intelligence team. He has spoken at several well-known conferences, including Virus Bulletin, REcon, HITB, SANS DFIR Summit, and Black Hat Briefings USA/Europe/Asia.