ASUS Delivers Its Updates Over HTTP With No Verification (softpedia.com)
The top five PC sellers have big security holes in the third-party tools which update their software. Now Softpedia follows up with a report that "The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity." An anonymous reader shares this report from developer Morgan Gangwere: "Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the 'Administrators' NT group ('Highest Permissions' task scheduler)."
Softpedia adds that "The attackers wouldn't even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish."
What about the following:
1. The manufacturer publishes the updated firmware on their website
2. The manufacturer notifies the OS vendors
3. The OS vendors put the updated version of the firmware into their software repos
The manufacturer doesn't have to reinvent any wheel here, and the update process is as secure and as convenient as the normal OS update process is for the OS you are using.
1) Brand loyalty like sports team;
2) Unsolicited desire to talk about anal sex;
3) Condescending tone -
Apple user detected.
And what about all the people that suffer from the botnets created by this vulnerability?
In the absence of industry self-policing, maybe a couple of lawsuits over consequential damages resulting from such incompetent security design would help Asus understand what to do next...
I mean, maybe you don't expect these kinds of manufacturers to have the security and hardware/software design teams of an Apple or IBM (or the sense of responsibility), but c'mon, this is ridiculous.
If you can build a mass market laptop, you have the talent to implement at least a secure install process that an above-average high school programmer could write, and that would make a second rate undergraduate project at best.
My conclusion must therefore be that this is intentional: because those who control the company, for whatever reason, desire an environment where the user enjoys no security. Perhaps it's to promote the usual Chinese "we're watching you always" MO.
Asus is not Hitler.
Which is actually pronounced "hoe hoe ba", is really called goat nuts. This is like totally for real (check the Wikipedia article). Yes, it's the shit in girly shamoo.
Don't use Windows!
If the OEM only allows signed BIOS updates (as they should be doing), this isn't an issue.
They certainly have the resources to hire people who understand security, but most companies don't. Here's something you might not expect to hear from a security professional such as myself - most companies probably SHOULDN'T hire a security expert. So they don't.
Why would I say perhaps they shouldn't hire someone like me? Because it doesn't take 40 hours a week for me to say "serve the update over TLS and sign the file". I could protect them from this level of stupid in 1 hour, the other 39 hours they don't really NEED a security expert.
IMHO what most companies should probably do is invite a security professional to join a web conference or meeting for 30 minutes to an hour at an early stage of a new software project, as the requirements are being firmed up. At this stage I'd hear "download updates" and I'd speak up.
Then invite your security pro back as the design as finalized, then once more just before release. In no more than three hours a security pro could avoid this type of egregious mistake, while also pointing out a couple of areas that affect reliability (which is also part of security).
This could cost $1,000 per project or even less if you engage your security pro on a regular basis. So you get 80% of the benefit of having a security professional on staff, at less than half the cost.
Thing about ASUS is, they do make some good hardware. Then they tack on stupid gimmicks and crap software. Like their high end sound cards sound pretty nice. Then there's a little speaker on the sound card to make "click" noises to emulate the sound of a relay, when switching output mode, etc. Who the hell is that for? Sure, audiophiles don't have a good reputation of critical thinking, but typically they only care about things that could theoretically affect the audio quality.
Seems like they design a good product, then the marketing department comes in and tries to add all their crap ideas, to fill the "features" section on their website. "We need an updater." Then their presumably understaffed software team gets to build it in presumably half the time it should actually take.
We no got to show you no steenkin' hashes.
I don't see any brand loyalty. He just stated that ASUS sucks, which they do.
ASUS used to be good back in the 90s and I've bought many of their motherboards. Some time after that they went to complete shit. Since 2012, I have had two ASUS laptops and two ASUS tablets prematurely fail with similar symptoms.
I never had to update BIOS just so it can support my new CPU. Upgradeable firmware is just asking for trouble.
If the flash image itself is signed by a private key, and the BIOS itself is used to verify the flash image using a public key that is embedded in the BIOS, then vulnerabilities in the transport layers are irrelevant. And before you say it: yes, it also assumes roll-back protection, etc. And it assumes the APIs used by the BIOS to verify the image aren't themselves subject to attack.
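The design sketched in the comment above (and in the earlier remarks about only accepting signed BIOS updates and "sign the file") can be shown end to end. The following Go program is an added example, not ASUS's LiveUpdate code or any real vendor's format: the package layout (8-byte version, Ed25519 signature, payload), the key pair and the firmware bytes are all constructed here. It demonstrates why the transport stops mattering once the image is verified against a key embedded in the running firmware, and why the roll-back check the commenter mentions has to be separate from the signature check: a genuine but older image verifies fine and must still be refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout (an assumption of this example, not ASUS's format):
//
//	[8 bytes version, big-endian][64 bytes Ed25519 signature][firmware payload]
//
// The signature covers version || payload, so an attacker cannot splice an old
// version number onto a newer signed payload or vice versa.
const (
	versionLen = 8
	sigLen     = ed25519.SignatureSize
	headerLen  = versionLen + sigLen
)

var (
	ErrMalformed = errors.New("update: package shorter than header")
	ErrBadSig    = errors.New("update: signature does not verify against embedded key")
	ErrRollback  = errors.New("update: version not newer than installed firmware")
)

// signedBytes returns the exact byte string the vendor signs: version || payload.
func signedBytes(versionBE, payload []byte) []byte {
	out := make([]byte, 0, len(versionBE)+len(payload))
	out = append(out, versionBE...)
	return append(out, payload...)
}

// BuildUpdate is the vendor-side (offline) step: sign the image with a private
// key that never leaves the vendor. Included only so the example is self-contained.
func BuildUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) []byte {
	versionBE := make([]byte, versionLen)
	binary.BigEndian.PutUint64(versionBE, version)
	sig := ed25519.Sign(priv, signedBytes(versionBE, payload))
	pkg := make([]byte, 0, headerLen+len(payload))
	pkg = append(pkg, versionBE...)
	pkg = append(pkg, sig...)
	return append(pkg, payload...)
}

// VerifyUpdate is the device-side check. pub is the public key baked into the
// currently running firmware; installed is that firmware's version. Nothing in
// pkg is trusted until the signature verifies, and a correctly signed but older
// image is still rejected (roll-back protection).
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, pkg []byte) ([]byte, uint64, error) {
	if len(pkg) < headerLen {
		return nil, 0, ErrMalformed
	}
	versionBE := pkg[:versionLen]
	sig := pkg[versionLen:headerLen]
	payload := pkg[headerLen:]

	// 1. Authenticity and integrity first: the header is attacker-controlled
	//    until this passes, so nothing branches on it before the check.
	if !ed25519.Verify(pub, signedBytes(versionBE, payload), sig) {
		return nil, 0, ErrBadSig
	}
	// 2. Freshness: a genuine old image can carry a known vulnerability.
	version := binary.BigEndian.Uint64(versionBE)
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return payload, version, nil
}

func main() {
	// Constructed vendor key pair and firmware payload for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := BuildUpdate(priv, 2, []byte("constructed firmware image v2"))

	if _, v, err := VerifyUpdate(pub, 1, pkg); err == nil {
		fmt.Println("genuine update accepted, version", v)
	}
	tampered := append([]byte{}, pkg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the payload
	_, _, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered payload:", err)
	_, _, err = VerifyUpdate(pub, 2, pkg) // same version already installed
	fmt.Println("replayed/old image:", err)
}
```

The key the device trusts ships inside the firmware that is already running, so an attacker who controls the download path (plain HTTP, a poisoned DNS answer, a captive-portal modem like the one described further down) can only deliver something the device refuses. What this does not cover, and what the comment rightly flags, is the verifier itself: if the parsing code that reads the header can be exploited, signing buys nothing, which is why the header is treated as untrusted until the signature passes.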
I honestly can't decide which is worse, this insanely insecure upgrade mechanism, or the fact that Softpedia are the ones breaking the story.
The other day my computer restarted from a power outage while the DSL connection was down, which means my annoying AT&T/Uverse modem eats all port 80/www traffic to redirect to its 'DSL Failed to Connect' HTML page.
Imagine my astonished horror to see pieces of this modem-generated page in the AVG dialog (I put the red stuff in). The firewall 'button' on the product's main screen, and the dynamic ad it places on the bottom, also the notification it puts on the bottom-right of the screen on boot.
So AVG is doing unencrypted HTTP to get its advertisements and HTML on-screen widgets. Click here to see their fake 'button' for the firewall which was visible to Wireshark. I understand when shareware does this... but AVG? An actual button on their product screen? WTF!
I hope someone from AVG who knows security reads this because I let them know about this systemic problem and they started asking me irrelevant questions about my setup.
<blink>down the rabbit hole</blink>
This updater may be broken and insecure, but why the hell would anyone trust an automatic updater to do stuff like BIOS or UEFI updates?
This is like trusting a child with a handgun to play with and being shocked when someone gets shot.
If there's an update like that, the user should be notified, and if so inclined, should go see if it's something they want to install at a time of their choosing. Perhaps first backing up your current BIOS or UEFI and perhaps doing a data backup too, just in case. Because, you know, updates like that have been known to brick systems. They really should not be done unless there is an actual problem that will actually be solved by the update. But generally, leave the damn thing alone especially if you don't know what you are doing.
And if you do that, then these other problems are solved because the ASUS app or whatever doesn't have authority to update. Just uninstall it. Solved.
Sig for hire.
Asus uses 3 scheduled tasks to run their LiveUpdate.exe and UpdateChecker.exe. They're located under the root task folder, not the Asus folder.
...with using a Mac?
Having to explain to your parents that you're gay.
This is why the Next Generation of Open Source *has* to be hardware.
It is insane how much trust we still place in component manufacturers / assemblers that can easily be lazy, incompetent, compromised by TLAs of every country, or all three.
OEM PC makers are rather lazy at making their system apps and keeping them updated and secure. Sadly, it's the poorly educated PC user that suffers the most because they lack any skill to find updates themselves and install them without this kind of app. First thing I have always done is uninstall all the OEM apps when I buy a PC. You have to figure, the more these apps do to automate the update process. The more risk you accept that it may open up opportunity for malware.
If you're running Windows 10, in most cases Windows updates will provide basic driver support, and going to the PC maker for drivers has become much less of a needed thing.
dickheads.
This story deflects from the worse problem... the OS that comes on your PC.. which currently is likely Windows 10.
If you are notified of a new BIOS go to Asus' website and download it via http or ftp and follow the instructions in the zip file.
Windows 10 already got you hosed.
Asus is a company that if they notice this story... will change what it takes to make it right. If it weren't for spies having admin access to so many Internet backbones and companies like Google and Facebook... it wouldn't be a problem. Who is going to go through the hassle of DNS poisoning to stick a hacked BIOS on little Billy's PC if it isn't a coordinated state-run formerly-NWO effort?
Asus is known for quality components. If you look on Newegg they are at the forefront of customer care. They respond to reviews.
Sophos Antivirus's AutoUpdate feature flows over HTTP. This has been a known issue since 2013 and Sophos doesn't care.
I am familiar with the old model, used by most large corporations. How well has that been working?
I'm also familiar with what I've been DOING for the last 20 years, a model that is commonplace in certain sectors.
> you won't get anyone that's not completely useless to sign on for that. ...
> I have no idea what your security expertise might be, but you clearly know jack about consulting.
If you haven't been paying attention to Slashdot comments over the years, you can use Google to check out my credentials. You CAN then call me and discuss a project. No, I won't fly out to California to discuss my services; telephones were invented a long time ago, we can have a discussion that way. No, I won't come in for an interview. If you've been referred to me, you can trust that referral or not. No, I won't be paid six months from now, I take Visa, Mastercard, Amex and Paypal, or a retainer check ahead of time. Yes, I will give you my full attention for 45 minutes, think over your project this evening, and email my suggestions tomorrow, for $250.
Well, yes, that is easy to look back and see where a security consultant needs to be involved, but the reality is someone in charge needs to have enough security awareness to know when a security expert needs to be involved. In fact, all programmers should have enough security awareness to at least know when to seek advice regarding security.