Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack(ars technica)
Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack(ars technica)
Posted Dec 7, 2023 21:27 UTC (Thu) by mat2 (guest, #100235)In reply to: Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack(ars technica) by rweikusat2
Parent article: Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (Ars Technica)
Also, Intel Boot Guard (the verification of UEFI image hash with fuses embedded into the CPU die) is done for the sake of "security", but more importantly it does prevent the user from exchanging the CPU in their laptop (which harms hardware manufacturers) or a proprietary firmware with Coreboot. For more see the Matthew Garrett's article ( https://mjg59.dreamwidth.org/58424.html ).
Posted Dec 8, 2023 3:08 UTC (Fri)
by khim (subscriber, #9252)
[Link] (2 responses)
I suspect it's a bit of both. If they are after the ability to, e.g., remove mail (or “expiring video” from your phone) then it's precisely the inability to run your code on your own device that they are seeking. You may not like it, but “owner of the device may do something to his (or her) own device” is very much a security vulnerability, and that something is not limited to “make copy of movie rented for 24 hours”. Whether it's goal worth pursuing is entirely different question, but a lot of people (and not just in government or movie industry) say the answer is “yes”.
Posted Dec 8, 2023 20:17 UTC (Fri)
by mat2 (guest, #100235)
[Link] (1 responses)
Posted Dec 8, 2023 20:19 UTC (Fri)
by mat2 (guest, #100235)
[Link]
I meant that targeting these devices does not pay off to the criminals because these devices are rare. It is similar with viruses for Linux.
> For example, devices with modified Android systems (like LineageOS) are "insecure" and therefore many applications refuse to run on them. In reality, Google with DRM tools like Google Play Integrity likely tries to take a tougher grip on Android and limit any forks or free variants.
Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack(ars technica)
Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack(ars technica)
You may not like it, but “owner of the device may do something to his (or her) own device” is very much a security vulnerability, and that something is not limited to “make copy of movie rented for 24 hours”.
The security vulnerabilities you write about are minuscule compared to the real threats and can be further minimized with proper engineering and such. For example, attacks that target modified Android devices are rare because few people root their devices and so the criminals do not target them. Also, the LogoFAIL firmware attack is not likely to be used in the wild because it requires kernel level access in the first place, is likely complicated, device-specific and most criminals do not bother to get such persistence.
I simply don't want to live in a world in which large corporations control which software we can use and which cannot.
Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack(ars technica)