Sunday, February 28, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Unpatchable security flaw found in popular SoC boards

August 20, 2019
in Internet Security
Unpatchable security flaw found in popular SoC boards
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Image source: Xilinx.com

Security researchers have discovered an unpatchable security flaw in a popular brand of system-on-chip (SoC) boards manufactured by Xilinx.

The vulnerable component is Xilinx’s Zynq UltraScale+ brand, which includes system-on-chip (SoC), multi-processor system-on-chip (MPSoC), and radio frequency system-on-chip (RFSoC) products used inside automotive, aviation, consumer electronics, industrial, and military components.

You might also like

Why would you ever trust Amazon’s Alexa after this?

Microsoft: We’ve open-sourced this tool we used to hunt for code by SolarWinds hackers

Oxford University lab with COVID-19 research links targeted by hackers

Two bugs found, but one is unpatchable

According to security researchers with Inverse Path — F-Secure’s hardware security team — these SoCs contain security flaws that undermine their secure boot capabilities.

F-Secure said that the Encrypt Only secure boot mode of these SoCs contains two security flaws, one of which is unpatchable by a software update, and requires “a new silicon revision” from the vendor.

In a technical report published on GitHub, researchers said the Xilinx Zynq UltraScale+ Encrypt Only secure boot mode does not encrypt boot image metadata, which leaves this data vulnerable to malicious modifications.

“Attackers able tamper with the boot header in the early stages of the boot procedure can modify its contents to execute arbitrary code, thereby bypassing the security measures offered by the ‘encrypt only’ mode,” said F-Secure’s Adam Pilkey.

Researchers also found a second bug. While the first was in the boot header parsing performed by the boot ROM, the second bug was in the parsing of partition header tables. This second bug also allowed attackers to run arbitrary code, but unlike the first, this was patchable.

However, Xilinx did not release a software fix for this second bug, as attackers could always bypass any patch the company would have released by exploiting the first bug.

Limited attack surface, but a devastating attack if it happens

Obviously, only Zynq UltraScale+ SoCs configured to boot in the “encrypt only” secure boot mode are affected by this issue. This secure boot mode is often used by equipment vendors to enforce authentication and confidentiality of firmware and other software assets loaded inside devices that use Zynq UltraScale+ SoCs as their internal computing component.

Furthermore, attackers can only exploit these two security flaws with physical access to a device, in order to perform a DPA (Differential Power Analysis) attack on the SoCs boot up sequence.

However, most of the devices where Zynq UltraScale+ SoCs are used are generally used in offline scenarios, meaning a physical attack would often be the only attack vector anyway.

In a security advisory released following F-Secure’s findings, Xilinx said it modified its technical manuals so equipment vendors which use Zynq UltraScale+ SoCs will know to use the unaffected and stronger Hardware Root of Trust (HWRoT) secure boot mode instead of the weaker Encryption Only one.

“The HWRoT boot mode does authenticate the boot and partition headers,” Xilinx said.

“For systems that must use the Encrypt Only boot mode, customers are advised to consider system level protections that take into account DPA, unauthenticated boot, and partition header attack vectors.”

F-Secure said it found these two vulnerabilities while performing a security audit.

More vulnerability reports:

Credit: Zdnet

Previous Post

How Activity Logs Help WordPress Admins Better Manage Website Security

Next Post

AI, Showbiz, and Cause for Concern (x2)

Related Posts

Why would you ever trust Amazon’s Alexa after this?
Internet Security

Why would you ever trust Amazon’s Alexa after this?

February 28, 2021
Microsoft: We’ve open-sourced this tool we used to hunt for code by SolarWinds hackers
Internet Security

Microsoft: We’ve open-sourced this tool we used to hunt for code by SolarWinds hackers

February 27, 2021
Oxford University lab with COVID-19 research links targeted by hackers
Internet Security

Oxford University lab with COVID-19 research links targeted by hackers

February 27, 2021
Fastest VPN in 2021 | ZDNet
Internet Security

Fastest VPN in 2021 | ZDNet

February 27, 2021
Berlin resident jailed for threatening to bomb NHS hospital unless Bitcoin ransom was paid
Internet Security

Berlin resident jailed for threatening to bomb NHS hospital unless Bitcoin ransom was paid

February 27, 2021
Next Post
AI, Showbiz, and Cause for Concern (x2)

AI, Showbiz, and Cause for Concern (x2)

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Why would you ever trust Amazon’s Alexa after this?
Internet Security

Why would you ever trust Amazon’s Alexa after this?

February 28, 2021
AI & ML Are Not Same. Here's Why – Analytics India Magazine
Machine Learning

AI & ML Are Not Same. Here's Why – Analytics India Magazine

February 27, 2021
Microsoft: We’ve open-sourced this tool we used to hunt for code by SolarWinds hackers
Internet Security

Microsoft: We’ve open-sourced this tool we used to hunt for code by SolarWinds hackers

February 27, 2021
Is Wattpad and its machine learning tool the future of TV? — Quartz
Machine Learning

Is Wattpad and its machine learning tool the future of TV? — Quartz

February 27, 2021
Oxford University lab with COVID-19 research links targeted by hackers
Internet Security

Oxford University lab with COVID-19 research links targeted by hackers

February 27, 2021
The Education Industrial Complex: The Hammer We Have
Data Science

The Education Industrial Complex: The Hammer We Have

February 27, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Why would you ever trust Amazon’s Alexa after this? February 28, 2021
  • AI & ML Are Not Same. Here's Why – Analytics India Magazine February 27, 2021
  • Microsoft: We’ve open-sourced this tool we used to hunt for code by SolarWinds hackers February 27, 2021
  • Is Wattpad and its machine learning tool the future of TV? — Quartz February 27, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates