ASUS Delivers Its Updates Over HTTP With No Verification

The top five PC sellers have big security holes in the third-party tools which updates their software. Now Softpedia follows up with a report that "The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity." An anonymous reader shares this report from developer Morgan Gangwere: "Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the "Administrators" NT group ("Highest Permissions" task scheduler).
Softpedia adds that "The attackers wouldn't even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish."

What about

[NotInHere]

What about the following:

1. The manufacturer publishes the updated firmware on their website
2. The manufacturer notifies the OS vendors
3. The OS vendors put the updated version of the firmware into their software repos

The manufacturer doesn't have to reinvent any wheel here, and the update process is as secure and as convenient as the normal OS update process is for the OS you are using.

Re:What about

[phizi0n]

You left out everything that is wrong with the process. Updates should be delivered through an encrypted connection to prevent man in the middle attacks, and the files should be verified with hashes at the very least.

Re:What about

[NotInHere]

Exactly, but why should each hardware vendor have to write their own firmware updater program? The OS should take care of this, I don't want to have an extra program running just for the firmware updates.

Re:What about

[TechyImmigrant]

Exactly, but why should each hardware vendor have to write their own firmware updater program? The OS should take care of this, I don't want to have an extra program running just for the firmware updates.

What OS?
We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.

If would be reasonable to point a finger at say UEFI and say "Standardize a secure firmware replacement protocol and provide a reference implementation". But while OS vendors could be part of the recipe, the recipe needs to work without them.

Re:What about

[iCEBaLM]

You're just pushing the functionality down a level so instead of the user having the option to remove it or not, now the user has to have it because it's part of the OS.

Re:What about

[Lumpy]

Or like ASUS does it, makes you burn a DOS boot CD to install the firmware..... no thanks.

If they cant update the firmware from the host OS, then their programmers are zero talent hacks.

Re:What about

[NotInHere]

The BIOS has no care what operating system is installed, nor should it.

So why should the BIOS updates depend on an userspace program?? There is no such thing as OS independent userspace programs, so every updater the hardware manufacturer can ever write will require some OS to be installed.

You are suggesting microsoft, apple, redhat, BSD, etc. should make an updater for every type of hardware out there, even the ones they don't know about.

There should be some standardized interface where the OS can present the BIOS a firmware image and if the BIOS verifies the signature then it will install it. There is no need for some userspace program filling up the system tray and connecting each 30 minutes with some hardware vendor server.

Re:What about

[NotInHere]

We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.

So you think its a good thing if the firmware connects to random places in the network, trying to install software? No thanks.

If would be reasonable to point a finger at say UEFI and say "Standardize a secure firmware replacement protocol and provide a reference implementation". But while OS vendors could be part of the recipe, the recipe needs to work without them.

Yeah, UEFI might be a good place to talk about this.

Of course, it is a nice feature if you can update the firmware e.g. via an usb stick you put into the computer, and then you go to the BIOS menu and select "update firmware".

But most people won't need it. Either way, the story was about some userspace windows program that probably sits in the tray bar and shows its splash screen if you log in, one which apparently used HTTP to download the firmware update.

I think life is better if you don't need to have such a program on your computer. Even if you aren't annoyed by some process using up your RAM and so on, you might get into trouble if you install BSD or linux or Haiku OS or anything else and there is no version of the firmware updater available.

Re:What about

[NotInHere]

Well a sane OS will give the user the option to disable it.

Re:What about

[Opportunist]

Why should every OS have to deal with firmware, something that SHOULD happen long before any OS is involved (yeah, I know that thanks to UEFI this safeguard has gone out the window now)?

Re:What about

[Opportunist]

What the hell are you talking about? You can without a problem install a new firmware, with or without trojan, right out of Windows.

Re:What about

[NotInHere]

Well its better than userspace programs dealing with firmware. AND it is better if the OS handles firmware upgrades than the firmware phoning home, completely separately from the OS.

Re:What about

[cheater512]

And the OS should also handle installation of programs and keeping them up to date.

Oh wait my computer has done this for over a decade. Love Linux's lack of useless install wizards. :)

Re:What about

[TechyImmigrant]

We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.

So you think its a good thing if the firmware connects to random places in the network, trying to install software? No thanks.

That's clearly not what I said. I was questioning the absence of addressing the relevant issue of updating in the absence of an OS.
I would expect some kind of signing so that the code it fetches from wherever it is pointed to either by the user or self configuration or malicious activity can be validated and the user told that status and the user given policy control over what to do about it. The user might be writing their own code and know it isn't signed by the board vendor, but most users want to know that they're getting the right image from the board and not something else.
 

Re:What about

[Opportunist]

The point is that neither is good. A firmware should be the final safeguard against being compromised. Last line of defense. And in this function, updating it should never be something that can happen without the user's knowledge.

An UEFI update CAN happen without a user's knowledge. And that's dangerous.

Re:There's a problem here?

1) Brand loyalty like sports team;
2) Unsolicited desire to talk about anal sex;
3) Condescending tone -

Apple user detected.

Re:There's a problem here?

[phizi0n]

And what about all the people that suffer from the botnets created by this vulnerability?

suggestion

[supernova87a]

In the absence of industry self-policing, maybe a couple of lawsuits over consequential damages resulting from such incompetent security design would help Asus understand what to do next...

I mean, maybe you don't expect these kinds of manufacturers to have the security and hardware/software design teams of an Apple or IBM (or the sense of responsibility), but cmon this is ridiculous.

Re:suggestion

[michelcolman]

You'll first have to prove that you incurred actual damage because of this. Someone must actually get hacked by a man in the middle before they can sue Asus. Until that happens, they're in the clear.

Re:suggestion

[retchdog]

it would still be hard to show damages.

a much more effective way of getting this fixed would be to write code which deletes key system files on their machine and replaces them with the message you suggested. you could even fund your charity-hacking by scanning the drive for poorly-encrypted account information and bitcoin wallets, or by encrypting personal files and holding them ransom!

Re:suggestion

[Coren22]

TRIGGER WARNING: YOU WERE MOLESTED AS A CHILD.

I was molested as a child? I never knew...this explains so much...

Re:suggestion

[Coren22]

Hmm, talking behind your back? Wouldn't that be private messaging?

Posting on a public forum that you are known to read is not, and never could be described as talking behind your back. Are you delusional APK?

Re:suggestion

[Coren22]

That's 1.

https://slashdot.org/comments....

Re:Oh please, this is intentional.

[Rick+Zeman]

If you can build a mass market laptop, you have the talent to implement a secure install process at least that an above-average high school programmer could write, and would make a second rate undergraduate project at best.

My conclusion must therefore be that this is intentional: because those who control the company, for whatever reason, desire an environment where the user enjoys no security.

Or have at least created an environment where both a white hat and US-CERT are told to "go away."

Re:Oh please, this is intentional.

[retchdog]

asus is taiwanese. i doubt that they have a whole lot of love for "the usual Chinese MO".

Re:Jojoba

[retchdog]

jojoba oil is used in a lot of things, both industrial and cosmetic.

60 minutes with a security professional

[raymorris]

They certainly have the resources to hire people who understand security, but most companies don't. Here's something you might not expect to hear from a security professional such as myself - most companies probably SHOULDN'T hire a security expert. So they don't.

Why would I say perhaps they shouldn't hire someone like me? Because it doesn't take 40 hours a week for me to say "serve the update over TLS and sign the file". I could protect them from this level of stupid in 1 hour, the other 39 hours they don't really NEED a security expert.

IMHO what most companies should probably do is invite a security professional to join a web conference or meeting for 30 minutes to an hour at an early stage of a new software project, as the requirements are being firmed up. At this stage I'd hear "download updates" and I'd speak up.

Then invite your security pro back as the design as finalized, then once more just before release. In no more than three hours a security pro could avoid this type of egregious mistake, while also pointing out a couple of areas that affect reliability (which is also part of security).

This could cost $1,000 per project or even less if you engage your securiry pro on a regular basis. So you get 80% of the benefit of having a security professional on staff, at less than half the cost.

Re:60 minutes with a security professional

[Zaelath]

In reality they have hundreds of these conversations and the updates were an add-on at the end. It's never a 30 minute engagement and besides, if you were actually a security consultant* you'd know the cost of sales for a 1 hour engagement means you won't get anyone that's not completely useless to sign on for that. I've never even seen a contract for a /day/ and you're suggesting 3x 1 hour engagements? That's laughable.

That's not to say outsourcing security is a bad idea, but your proposal sucks.

*I have no idea what your security expertise might be, but you clearly know jack about consulting.

Re:UEFI is a horrible mess

I definitely recall boards that needed bios updates to support new generation of cpu.

AVG uses INSECURE connections too.

[TheRealHocusLocus]

The other day my computer restarted from a power outage while the DSL connection was down, which means my annoying AT&T/Uverse modem eats all port 80/www traffic to redirect t its 'DSL Failed to Connect' HTML page.

Imagine my astonished horror to see pieces of this modem-generated page in the AVG dialog (I put the red stuff in). The firewall 'button' on the product's main screen, and the dynamic ad it places on the bottom, also the notification it puts on the bottom-right of the screen on boot.

So AVG is doing unencrypted HTTP to get its advertisements and HTML on-screen widgets. Click here to see their fake 'button' for the firewall which was visible to Wireshark. I understand when shareware does this... but AVG? An actual button on their product screen? WTF!

I hope someone from AVG who knows security reads this because I let them know about this systemic problem it and they started asking me irrelevant questions about my setup.

Re:AVG uses INSECURE connections too.

[DigiShaman]

I'm flummoxed here. One one hand, you're obviously smart and competent to be aware of such things. On the other, WTF MAN were you thinking??!!! AVG IS SHIT; and has been for years. Why??

Might I recommend something like Bitdefender (my personal trusted favorite), Norton AV, or even Kaspersky?

Re:AVG uses INSECURE connections too.

[TheRealHocusLocus]

I'm flummoxed here. One one hand, you're obviously smart and competent to be aware of such things. On the other, WTF MAN were you thinking??!!! AVG IS SHIT; and has been for years. Why?? Might I recommend something like Bitdefender (my personal trusted favorite), Norton AV, or even Kaspersky?

Thanks for the heads-up. Yes, Bitdefender and Kaspersky are on my radar as excellent products (and av-comparatives.org agrees with you) and I guess I could say there's a great deal of loyalty in my choice. I've been following AVG the company since the days 'Stoned' was still making the rounds and they've been consistent. Like any PC tech, my clients have run the gamut of the corporate "Just give me the bottom line and I'll write you a check" ... to users who say "If I have to buy something else, it'll have to come out of your fee." For the latter I have always (gratefully) left them with AVG Free, which was the first robust $0 anti-virus package introduced. The only major cleanup required so far being instances where someone's kid turned it off and left it off. And a case where someone accidentally opted for an 'upgrade' to an AVG product with a trial period.

But I was also an early adopter of NoScript and coach my clients on its use, tolerance of minor formatting problems with js disabled, and the general value of whitelisting as opposed to buying into schemes where your browser needs to do continuous lookups for blacklisting. Noscript, no toolbars, no 'Web TuneUp'. This leaves few attack vectors.

I've had massive XP uptimes on my machine and only had AVG go ballistic bananas once in a way that locked the system... when I was trying to install a media product that turned out to be building a bunch of EXE files on the fly with hundreds of separate writes, instead of just assembling the damned things first and renaming to EXE when done. Of course the developers shrugged this off as AVG's fault and the only solution being to disable it, but I gave AVG a pass, it was just trying to re-scan on every write... I was more intrigued by the developers' claim that no other anti-virus objected.

As to that massive difference between the number of unique signatures AVG and some other products detect... such as reported by virustotal... I'm a little suspicious of that too. No, we AVG users have not experienced the 'avalanche of intrusions' that would be implied by such a difference in numbers. Whenever I am called in to diagnose a weird problem I have done secure checkup scans with Malwarebytes and/or Kaspersky to see if anything major slipped through. Aside from some latent/whocares tracking stuff in browser cache, I haven't found anything major/active that AVG missed. Guess I lead a charmed life!

Re:AVG uses INSECURE connections too.

[TheRealHocusLocus]

Intelligent people removed avg years ago, when they turned to the dark side.

So when did this happen?

When someone could not fathom the difference between crapware-enhanced installation bundles from CNET/DOWNLOAD.com and direct download from AVG.com? When someone got the (socialist) idea that default installs of any free product should include full functionality with a promise to collect and use no information?
Clueless (socialist) whiners.

When antivirus vendors started offering, and 'free' users started demanding, per-DNS-lookup and per-click protection that is based on continuous queries to a blacklist database maintained by the company, and uses significant Internet resources --- as opposed to the occasional virus signature updates?
Clueless (socialist) whiners.

I'll even wager that the latest AVG Free privacy faux-scandal consists of... the company making (sanitized, anonymized) use of data already being transmitted by its Web TuneUp browser plugin which YOU, the furiously clicking web user, have volunteered to install because YOU like the idea of constantly hitting up your free antivirus company with your searches and browsing traffic. You INSIST that it is THEIR JOB to load up their cloud constantly to return to you answers to the question, "Is this URL safe? Is that URL safe?"
Clueless (socialist) whiners.

I have purchased their product in the past, but currently use just the 'free' with basic Computer protection in part as a canary for the individual users' computers I've installed it on. AVG Free (and the company) has not let me down. I graciously accept their virus signature updates. As a freeloader I do not believe it is right for me to slam them with browser click traffic because it is simply not necessary to do so, would waste my own resources and theirs when common sense whitelisting and blocking delivers acceptable security.

Re:AVG uses INSECURE connections too.

[DigiShaman]

Well my friend, times of changed. One thing I've learned about brand loyalty is that my loyalty changes when the underlying people that constitute the brand changes. So yes, AVG was great in the early mid 2000's, but now, succumbed to scummy tool-bar practices. Meanwhile, products such as ZoneAlarm, Lavasoft, and Spybot Search and Destroy have long been superseded by more advanced anti-malware products and advancements in newer Windows versions (7, 8 , Win10 etc).

Time is money. While yes, you aim to provide results, you're really selling time; however much time a client is willing pay to reach that goal. Some will do a flat-fee. I don't. OTOH, it's often not worth a client burning half the cost of upgrading/repairing a computer if it's more than five years old too. It's why I focus more on the aspects of consulting and data migration along with backup solutions vs just the machine itself. It's a tool. Tools change. But the business objectives and interests of people often don't change nearly as much as the underlaying platform.

Ok, that advice aside, if you're looking for a Free AV solution, try the FortiClient. It's ranked up there really high and does a pretty good job a blocking 'malvertisements' from what I understand. As for a first-line of defense, for residential users (not business due to terms of agreement), Norton ConnectSafe does a good job a stoping a lot of malvertisements too at the DNS level. OpenDNS does the same thing at the more granular level, but it also requires a subscription. This would be good for a SOHO or SMB. Above and beyond that, you're looking at using a Next-Generation Firewall (NGFW) for first-line of defense.

Idiocy

[RubberDogBone]

This updater may be broken and insecure, but why the hell would anyone trust an automatic updater to do stuff like BIOS or UEFI updates?

This is like trusting a child with a handgun to play with and being shocked when someone gets shot.

If there's an update like that, the user should be notified, and if so inclined, should go see if it's something they want to install at a time of their choosing. Perhaps first backing up your current BIOS or UEFI and perhaps doing a data backup too, just in case. Because, you know, updates like that have been known to brick systems. They really should not be done unless there is an actual problem that will actually be solved by the update. But generally, leave the damn thing alone especially if you don't know what you are doing.

And if you do that, then these other problems are solved because the ASUS app or whatever doesn't have authority to update. Just uninstall it. Solved.

Re:Idiocy

[TyIzaeL]

They really should not be done unless there is an actual problem that will actually be solved by the update.

Given that many UEFI updates patch security flaws, it's a good idea to keep up to date. BIOS had its issues, but UEFI offers a much larger attack surface.

Next Generation

[ThatsNotPudding]

This is why the Next Generation of Open Source *has* to be hardware.

It is insane how much trust we still place in component manufacturers / assemblers that can easily be lazy, incompetent, compromised by TLAs of every country, or all three.

Sophos Too

[TyIzaeL]

Sophos Antivirus's AutoUpdate feature flows over HTTP. This has been a known issue since 2013 and Sophos doesn't care.

How's that old model working out?

[raymorris]

I am familiar with the old model, used by most large corporations. How well has that been working?

I'm also familiar with what I've been DOING for the last 20 years, a model that is commonplace in certain sectors.

> you won't get anyone that's not completely useless to sign on for that. ...
> *I have no idea what your security expertise might be, but you clearly know jack about consulting.

If you haven't been paying attention to Slashdot comments over the years, you can use Google to check out my credentials. You CAN then call me and discuss a project. No, I won't fly out to California to discuss my services; telephones were invented a long time ago, we can have a discussion that way. No, I won't come in for an interview. If you've been referred to me, you can trust that referral or not. No, I won't be paid six months from now, I take Visa, Mastercard, Amex and Paypal, or a retainer check ahead of time. Yes, I will give you my full attention for 45 minutes, think over your project this evening, and email my suggestions tomorrow, for $250.

Re:How's that old model working out?

[Zaelath]

Ray Morris is a bit too common a name to Google.

I've done the SME model too, and it sucks, and they simply don't get hired by government/large corporations because their boards would crucify management if something went wrong.

Remember, you're talking about a company with revenue in the billions.

Re:Jojoba

[Coren22]

https://en.wikipedia.org/wiki/...

Jojoba oil Listeni/hhob/ is the liquid produced in the seed of the Simmondsia chinensis (Jojoba) plant, a shrub, which is native to southern Arizona, southern California, and northwestern Mexico.

Not sure what Wikipedia article you read, but I don't see anywhere in there a mention of goat nuts.