Blog

  • LIST OF AGGREGATORS AND STATE FOCAL PERSONS FOR THE FREE 250,000 FG/CAC BUSINESS NAMES REGISTRATION FOR MSMEs

    1. LAGOS STATE
    TIMOTHY ASOBELE
    07087759673

    EMMANUEL DARE
    08167488754

    2. ABUJA-FCT
    ADESHINNA AGOI
    08034069520

    WODI STEVEN SUNDAY
    07019749174

    3. RIVERS STATE
    Felicia Zidougha
    No. 10, Pic Green Village Estate, Akpajo, Portharcourt, Rivers State
    08134471316

    4. KANO STATE
    MUSTAPHA NASIR
    NO. 8 GIDANBABAN GWOGGO, UNITY ROAD, KANO
    08035686398

    5. OYO STATE
    ABIDEMI OSENI ODUNTAN (CORE EQUITY LIMITED)
    Suite 58, Adebayo Shopping Complex, Adex Bus Stop, Along Monatan Iwo Road, Ibadan
    08099990741

    6. ABIA STATE
    NESOCHI ALFRED-IGBOKWE
    08123010407

    7. ADAMAWA STATE
    IBRAHIM MOHAMMED
    Mohammed Mustapha Way, Near Capital School, Jimeta, Adamawa State
    08069747512

    8. AKWA IBOM STATE
    BRIGHT LAW CONSULT
    42, Sanni Ogun Road, Ikot Ekpene, Akwa Ibom State
    08039113913

    9. ANAMBRA STATE
    NASME
    THEO NNOROM
    08033152061

    10. BAUCHI STATE
    ITFMR
    RICHARD BABA AUDU
    08035769191
    INDUSTRIAL TRAINING FUND, Bauchi Area Office, Murtala Mohammed Way, Off Central Bank Round About, Federal Low-cost Housing Estate, Bauchi State

     


    11. BAYELSA STATE
    EKWOMMA HARRISON
    Okutukutu By Damis Junction, Yenagoa
    07034552814

    12. BENUE STATE
    MONE NYAKAN
    08138413403

    13. BORNO STATE
    ALKALI MOHAMMED UMAR
    No.1, NHIS Building, Damboa Road, Maiduguri, Borno State
    07032807091

    14. CROSS RIVER STATE
    OGBECHE McDON KENNETH
    SHOP RITE PLAZA ANNEX, 28, MCC ROAD, CALABAR,
    07031525265

    15. DELTA STATE
    NASME
    FRANK OBIORA
    08033885200

    16. EBONYI STATE
    FLORA OCHADU
    08122544224

    17. EDO STATE
    UZIEWE NELSON ENAKENO
    6 Ero Drive, Off Maho Street, Off Ekewan Road, Benin City
    08035353587

    18. EKITI STATE
    IPAYE TITILOLA
    08164248733

    19. ENUGU STATE
    CHIEMEZIE OKONYIA (CORE EQUITY LIMITED)
    No.2, Cemetery Road, G.R.A, Enugu, Enugu state
    08134069965

     


    20. GOMBE STATE
    MUHAMMAD MUSA BABA
    Sakin Bolari Street, Gombe, Gombe State
    08138400118

    21. IMO STATE
    EMEKA GEOFFREY NWOKORIE
    Plot 41, Chief Solomon Close, New Owerri, Beside Ojukwu Library, Owerri, Imo State
    08033461826

    22. JIGAWA STATE
    SMEDAN
    AMINU SALEH
    08032982133

    23. KADUNA STATE
    iBase Technologies LTD
    Suite 1 2nd Floor, Imam House, Ahmadu Bello Way, Kaduna State
    08032846128

    24. KATSINA STATE
    SMEDAN
    ISAH MIQDAD
    07064607578

    25. KEBBI STATE
    KAMA’AIKI COMPUTERS
    Go Slow Road, Nasarawa, Birnin Kebbi
    08037133071

    26. KOGI STATE
    HAJIYA FATIMA MUSA
    Behind Former Federal Pay Office, New Layout, Kogi State
    08036018707

    27. KWARA STATE
    MUBARAK OPEYEMI
    08148600902

    28. NASARAWA STATE
    MOHD INUWA YAHAYA
    Ta’al Model E-Library, Nasarawa State
    07037625935

    29. NIGER STATE
    HON. DANJUMA MANI
    Na Muye Transport Service, Opposite Newsline Tunga, Minna
    08036002690

    30. OGUN STATE
    OPEYEMI OLATINWO
    07036657855

     


    31. ONDO STATE
    ADEGBOYEGA OLUFUNMILOLA SEUN
    08138584754

    32. OSUN STATE
    OLUWAFUNMI OLUSEGUN AKANKI
    07058027905

    33. PLATEAU STATE
    ITF
    HAJIYA KHADIJA MUDI
    08034526707
    INDUSTRIAL TRAINING FUND, Jos Area Office, No.1, Kufang Miango Road, Opposite Maranatha Bible Church, Kufang, Jos, Plateau State

    34. SOKOTO STATE
    MUSTAPHA ABUBAKAR ALKALI
    Sokoto North Senatorial District, Garba Duba Road
    08025327960

    35. TARABA STATE
    ABDULRAZAQ MOHAMMED NUHU
    No.13, Hammaruwa Way, Brothers Filling Station, Adjacent MTN Head Office, Jalingo
    08038772005

    36. YOBE STATE
    MOHAMMED SAJE JAJERE
    08034243245

    37. ZAMFARA STATE
    SHEHU JARI ABUBAKAR
    Yarima Quarters, Kaura Namoda, Zamfara State
    07066572766

  • TikTok: How would the US go about banning the Chinese app?

    “We may be banning TikTok,” President Trump told reporters, saying an announcement could come as soon as this weekend.

    He added there were other options – but how might a ban work?

    One obvious starting place would be to order Apple and Google to remove the app from their online stores.

    This might be done by adding TikTok’s owner Bytedance to a Commerce Department entity list, and forbidding US firms from working with it – a similar tactic was used to stop Google providing its apps to Huawei.

    That would prevent new users from being able to download the app.

    Existing users would be prevented from receiving notifications and installing updates, although they would still have the app on their devices.

    One way to address this would be to tell Apple and Google to use a “kill switch” facility they both have, which lets them remotely wipe or prevent blacklisted apps from launching.

    A Brazilian judge once threatened to force the two firms to use the power in 2014, but ultimately backed off.

    Apple and Google would likely be loath to take control of users’ smartphones in such a way and might even resist such an order.

    So an easier alternative might be to compel local internet service providers to block access to TikTok’s servers.

    This would have the added advantage of preventing TikTok’s videos being viewable via its website.

    India took such a measure when it banned TikTok and dozens of other Chinese apps. And users have reported being unable to circumvent the block by using a virtual private network (VPN).

    But it’s not clear how Mr Trump would enforce such an order.

    A less draconian approach would be to ban TikTok from being installed onto federal employees’ work phones.

    Congress has already voted in favour of the idea and the Senate is still considering it. But that would be a much less dramatic move than Trump seems to be hinting at.

    A further possibility is that the Committee on Foreign Investment in the United States (Cfius) – which is chaired by the US Treasury – rules against Bytedance’s takeover of the app Musical.ly, whose users were migrated over to TikTok in 2018.

    Musical.ly was owned by another Chinese start-up.

    But Cfius has the power to review takeovers that potentially pose a national security risk. And because Bytedance did not seek clearance for the acquisition at the time, the committee was able to launch a post-deal probe last year.

    If Cfius rejects the takeover, it could order Bytedance to shut down the service in the US.

    The question is whether a spun-off TikTok would be allowed to continue under different ownership as an alternative, perhaps even with a rebrand.

    Microsoft is reportedly in talks to acquire the business – some internet wags have already suggested it might be called Microsoft Teens (a play on the firm’s Teams service).

    The US tech giant would presumably be viewed as a more trustworthy guardian of the data the app collects, and assuage fears that China might still be somehow accessing its logs.

    When asked about the prospect of such a deal, Microsoft declined to comment.

    What does TikTok say?

    “One hundred million Americans come to TikTok for entertainment and connection.

    “We’ve hired nearly 1,000 people to our US team this year alone, and are proud to be hiring another 10,000 employees.

    “TikTok US user data is stored in the US, with strict controls on employee access. TikTok’s biggest investors come from the US.

    “We are committed to protecting our users’ privacy and safety as we continue working to bring joy to families and meaningful careers to those who create on our platform.”

    TikTok Timeline

    March 2012: Bytedance is established in China and launches Neihan Duanzi – an app to help Chinese users share memes

    September 2016: Bytedance launches the short-form video app Douyin in China

    August 2017: An international version of Douyin is launched under the brand TikTok in some parts of the world, but not the US at this time

    November 2017: Bytedance buys lip-synch music app Musical.ly

    May 2018: TikTok declared world’s most downloaded non-game iOS app over first three months of the year, by market research firm Sensor Tower

    August 2018: Bytedance announces it is shutting down Musical.ly and is moving users over to TikTok

    February 2019: TikTok fined in US over Musical.ly’s handling of under-13s’ data

    October 2019: Facebook’s Mark Zuckerberg publicly criticises TikTok, accusing it of censoring protests

    November 2019: Cfius opens national security investigation into TikTok

    May 2020: TikTok hires Disney executive Kevin Meyer to become the division’s chief executive and chief operating officer of Bytedance

    July 2020: US Secretary of State Mike Pompeo, and then President Trump, say TikTok may be banned

  • British Airways pilots vote to accept jobs deal

    British Airways pilots have voted to accept a deal that will temporarily cut pay by 20% and eliminate 270 jobs, says the pilots’ union Balpa.

    The deal prevents a controversial “fire-and-rehire” scheme where staff would have been handed new contracts “on worse conditions”.

    The 20% pay cuts will reduce to 8% over two years and to zero in the long term.

    The ballot result saw 85% of members accept the deal on an 87% turnout.

    “Our members have made a pragmatic decision in the circumstances, but the fact that we were unable to persuade BA to avoid all compulsory redundancies is bitterly disappointing,” said Balpa general secretary Brian Strutton in a statement.

    BA said it was facing an “enormous challenge” and that it did not expect to return to 2019 levels of business “until at least 2023”.

    The airline had proposed to make 12,000 staff redundant, as it struggles with the impact of the coronavirus pandemic, with 1,255 pilot jobs at stake.

    Balpa said there would still be some compulsory redundancies, estimated at 270 jobs, although that number is “likely to fall” as BA will be working with the union to mitigate the impact of the changes.

    On 28 July, trade union Unite threatened industrial action against the airline “with immediate effect” over plans to hand staff their notice and then rehire them on new contracts with unfavourable terms.

    Talks with other BA staff, such as cabin crew, engineers and office staff, are still continuing.

    Many airlines are struggling to survive as the pandemic severely disrupts global travel.

    The plunge in travel will drive airline losses of more than $84bn (£66bn) this year, the International Air Transport Association has warned. It said last month that 2020 revenues would drop to $419bn, down 50% from 2019.

    BA has insisted that it is doing its best to save jobs. On Thursday, Willie Walsh, the boss of BA owner IAG, told the BBC that the coronavirus crisis was the worst the company has faced in its history.

    IAG reported a loss of €4.2bn (£3.8bn) for the first half of the year, and Mr Walsh said it would take until at least 2023 for passenger levels to recover.

    However, there is anger from staff over the way BA has approached job cuts, according to the BBC’s business correspondent Theo Leggett.

    For cabin crew, there is not only the threat of redundancy, but also the possibility of big pay cuts for long-serving staff.

    Many of those affected believe the company is using the current crisis to force through changes it has wanted to make for years.

    Longer-serving crew at BA have contracts which are, by modern standards, relatively generous. They date back to an era when the airline industry was less ferociously competitive, before the emergence of budget carriers such as Ryanair and Easyjet forced older airlines to cut costs and change their business models.

    In a statement, BA said: “This is an incredibly difficult time for everyone at British Airways and we are grateful to Balpa and our flight operations team for the work they have done to reach this agreement and save hundreds of jobs.

    “The financial results show the enormous challenge British Airways faces as it contends with the impact of the global pandemic and government travel bans, reducing demand for travel very significantly.

    “We do not expect our company to return to 2019 levels of business until at least 2023 and therefore we need to act now to reshape our company for a very different future.”

  • Garmin Confirms Services Upended by Ransomware Attack | Hacking

    By John P. Mello Jr.

    Jul 28, 2020 4:00 AM PT

    Garmin on Monday confirmed that many of its online services have been disrupted by a cyberattack on its systems that occurred on July 23, 2020.

    Services disrupted by the attack, which encrypted data on the systems, included website functions, customer support, customer facing applications, and company communications, the company noted in a statement.

    “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen,” the company stated. “Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”

    Garmin specializes in GPS technology development of navigation and communications products. It serves the auto, aviation, fitness, marine, and outdoor markets.

    The company estimated that operations would be back to normal “in a few days.” Garmin cautioned, however, that as systems are restored, there may be delays as backlogged information is processed.

    No material impact is expected on operations or financial results due to the outage, the company added.

    Garmin’s damage assessment may be overly optimistic, though. “If the average data breach costs the victim [U.S.] $8.9 million, then in this case, it’s probably more than that,” asserted Chloé Messdaghi, vice president of strategy at Point3 Security, a provider of training and analytic tools to the security industry in Baltimore, Md.

    “With WastedLocker, the attack also cripples the network and getting it up and running again becomes extremely expensive,” she told TechNewsWorld. WastedLocker is the ransomware believed to be used in the Garmin attack.

    Customized Payload

    The sortie on Garmin has the characteristics of a typical ransomware attack.

    “The usual ransomware tactic by cybercriminals is to gain initial access to an organization, perform privilege escalation attacks to gain administrator access to the entire environment, find and delete backups if possible, then run their ransomware to encrypt as many computers as possible,” explained Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.

    “Without confirmation, it’s impossible to say if the attackers here were able to locate and delete Garmin’s backups, but the resulting multi-day outage demonstrates that even with a highly secure backup strategy, ransomware attacks can be massively disruptive to victims,” he told TechNewsWorld.

    While common tactics were used by the attackers, their software appears to be customized for Garmin. “The ransomware payloads are customized per each individual client, so Garmin ransomware extensions were ‘garminwasted,’” explained Tom Pace, vice president for global enterprise solutions at BlackBerry.

    “They are also selective in the assets they tend to target within victim environments to maximize damage and probability of a client making the ransom payment,” he told TechNewsWorld.

    Although there have been a few high-visibility ransomware attacks, most of them are kept on the Q.T. That wasn’t the case with the Garmin intrusion. “The most notable distinguishing feature of this attack is how visible it is to the outside world,” observed Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.

    “Garmin provides numerous services related to their devices and mapping software, and this attack had a substantial impact on those services, which is why people worldwide have taken notice,” Nayyar told TechNewsWorld.

    Russian Connection

    Reports on the ransomware attack have linked it to Russian hackers, primarily because of the malicious software used in the intrusion.

    “Attribution is always a tricky issue, but in the case of WastedLocker, the ransomware actually signs itself as WastedLocker,” explained Ben Dynkin, co-founder and CEO of Atlas Cyber Security, a provider of cybersecurity services in Great Neck, N.Y.

    “While third parties can deploy this ransomware variant, it is a very reasonable assumption to attribute the activity to the Evil Corp cybercriminal syndicate,” he told TechNewsWorld. “The U.S. Treasury Department has clearly and unambiguously attributed the conduct of Evil Corp to Russian nationals in other operations.”

    “We cannot make a definitive attribution that this is state sanctioned activity — even though there is some evidence that Russian military officials are involved with Evil Corp.,” he continued. “That means we can attribute this activity to Russian criminals, but not the Russian state.”

    Garmin would be a typical target for Evil Corp, added Point3’s Messdaghi. “We haven’t seen any indications that Evil Corp has attacked small businesses or individuals,” she said. “They’re going after corporations with the wherewithal and motivation to pay to prevent business losses.”

    $10 Million Ransom

    It’s also been reported that the ransomware raiders have asked for $10 million to undo what they’ve done to Garmin’s system. So far, Garmin has been mum on making any ransom payments.

    “It’s never recommended that companies pay extortion demands to cybercriminals, if at all possible,” Cerberus Sentinel’s Clements said. “Extortion payments both strengthen the cybercriminal operations responsible and encourage other organizations to attempt the same attacks.”

    He acknowledged, however, that victims have little recourse but to pay the demands. “A common tactic employed by ransomware gangs is to find and delete any backups before running their encryption,” he explained. “This leaves the victim with the choice of paying the ransom or having to rebuild their environment and data from scratch.”

    “In the best case of this scenario, rebuilding from scratch can take months to complete and cost many times more than the ransom payment demand,” he continued. “In the worse cases, mission critical data that is encrypted can’t be restored and the only option for recovery is paying the extortion demands.”

    However, paying off Evil Corp is more complicated than paying off the typical online extortionist. “Back in December 2019, the U.S. Treasury department delivered sanctions against the Evil Corp cybercriminal organization,” explained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

    “As part of those sanctions, no U.S. organizations are allowed to conduct transactions with the group,” he told TechNewsWorld. “Even if Garmin wanted to pay the ransom, they would have to collaborate with the U.S. Treasury, FBI, and other government agencies to send the funds.”

    Those government agencies, though, may come under pressure to turn a blind eye to any sanction violations should Garmin not get all its systems online without the cooperation of Evil Corp.

    “The problem is Garmin controls and maintains significant critical infrastructure and services used by pilots and others, perhaps even by the U.S. and other militaries,” BlackBerry’s Pace explained.

    “If they can’t recover the data on their own and it will have a significant bearing on national security or critical infrastructure, the proverbial rock and a hard place dilemma would seem to present itself.”



    John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.

  • Jet2 to refund customers returning early from Spain

    Jet2 has announced it will refund customers on holiday in Spain who have been asked to fly back to the UK early.

    On Thursday, the airline cancelled flights back to the UK for hundreds of passengers.

    The carrier told the BBC it is operating empty flights to pick up passengers from Spanish destinations up to and including 3 August.

    Jet2holidays will also refund unused nights for customers affected by the flight cancellations.

    The airline added that it would refund the difference if customers had to book new flights to return to the UK.

    The move follows criticism from some passengers who told the BBC on Thursday they were being charged more money to fly back on rescheduled flights.

    Other customers said they were anxious and upset about having their holidays cut short and their flights cancelled.

    Jet2 told the BBC it was “responding to a very fast-moving situation with updates coming from the government with little or no notice, and we have had to make decisions about our programme accordingly”.

    “We can assure these customers that we will be in touch with them to resolve any issues that they may have,” the firm added.

    The airline has suspended flights and holidays to Tenerife, Gran Canaria, Fuerteventura, Lanzarote, Majorca, Menorca and Ibiza up to and including 9 August.

    It follows a decision to suspend all holidays and flights to destinations in mainland Spain – Costa de Almeria, Alicante, Malaga and Murcia – up to and including 16 August.

    Image caption: Jet2 has suspended flights and holidays to many Spanish destinations until 16 August

    The airline said customers had been contacted and advised of their options regarding flying back to the UK.

    “For flight-only customers who were due to travel after this date, we have cancelled and refunded the cost of their original inbound flights, and customers can book another flight should they wish,” a Jet2 spokeswoman told the BBC.

    “There is availability on these inbound flights and our pricing reflects this. On the occasion where there is an increased cost, customers can get in touch with us with their booking information and we can assure them that any difference in cost between the original and new fares will be refunded.

    “We appreciate that some customers were due to stay on holiday for longer than this, and we apologise for any inconvenience caused by these unprecedented circumstances. Nobody wants customers to be on holiday enjoying themselves more than we do.

    “We can assure Jet2holidays customers that if they have not been able to stay the number of nights on holiday that they had originally booked, they will be refunded for those nights.”

    It will take up to 28 days for customers to receive refunds from Jet2.

    “Since May, the Civil Aviation Authority has been reviewing the refund practices of 18 carriers – both UK airlines and international airlines – looking at how refunds for flight-only bookings have been handled during the coronavirus pandemic,” said a Jet2 spokesman.

    “The CAA found that we are the only UK airline to have been consistently processing cash refunds quickly and having only a small backlog of refund requests.”

  • Amazon Gives Alexa App a Makeover | Mobile Tech

    By John P. Mello Jr.

    Jul 29, 2020 4:00 AM PT

    Amazon’s Alexa mobile app has a new look.

    The company on Monday introduced an updated version of the app that aims to give users a more personalized experience and moves all third-party “skill” suggestions off the main screen.

    The app is being rolled out this month for iOS, Android and Fire devices, and should reach all users by the end of August.

    At the top of the new main screen is a large, blue Alexa button with a reminder that tapping the button or saying “Alexa” will get the digital assistant revved up.

    Below the blue button is a series of items based on an individual’s past use of the program, intended to make it easier for a user to pick up where they left off when they last used the app.

    The app is more friendly to first-time users, making suggestions about what they can do with Alexa mobile.

    “What they’re trying to do with the new design is help new users, users who may not have the competency of more tech savvy users,” said Mark N. Vena, a senior analyst with Moor Insights & Strategy.

    “They see an opportunity to enhance their app and make it more usable and intuitive,” he told TechNewsWorld.

    Eye on Newbies

    Vena explained that the older Alexa mobile app could be confusing, especially when using it to control multiple smart home devices simultaneously, an affliction that isn’t limited to the Alexa app.

    “At retail, the smart home category has exploded, but it is also the number one product at retail that gets returned,” he said. “They have a return rate of 20 to 25 percent, not because they don’t work, but because people can’t figure out how to use them.”

    Amazon seems to have an eye on the future of the smart speaker market with the redesign of the Alexa mobile app.

    “As smart speaker adoption continues to grow, the user base has begun to tilt more towards a less technically adept consumer who is less likely to use the app to create reminders and routines and download new skills and voice apps,” observed Kristen Hanich, an analyst with Parks Associates.

    “The new app design will better support the actions users take when opening and using their Alexa app,” she told TechNewsWorld. “This means allowing users to more easily control their music and allowing users to pick up what they left off doing on their smart speaker or display.”

    “De-emphasizing the third-party skills helps Amazon create more real-estate in their app for personalization,” she added.

    Redesign Overdue

    Personalization is critical for an app like Alexa mobile, maintained Rob Enderle, president and principal analyst at the Enderle Group.

    “They should learn who you are, what you want, and to deal with the nuances in your speech,” he told TechNewsWorld. “Once they learn how to deal with you as a person, you should have much better experience with the app and be more willing to use it.”

    He said that the redesign makes the app less of a voice front-end for Google and more like what it was originally marketed as — a digital assistant.

    He noted that a facelift for Alexa mobile is long overdue, but added, “Interest in these kinds of apps has dropped off in general, mostly because people got frustrated with how they work.”

    One of the problems Alexa mobile has faced is its device position, something Apple and Google don’t have to sweat about because they control the operating systems on most smart phones. “That’s something Amazon is looking for this update to address,” said Jonathan Collins, a research director at ABI Research.

    A mobile app, though, may have less value in the Alexa universe than it would have in some other ecosystems. “Alexa’s primary strength has been in the smart home with dedicated devices,” Collins told TechNewsWorld. “With an Alexa home environment, much of the functionality offered by handset integration is less useful.”

    Nevertheless, the app can still be a key component for the Alexa ecosystem.

    “The smartphone is not the central point of interaction for a lot of Alexa commands, but with Alexa, we interact with a lot of services that have a smart phone component,” said Ross Rubin, the principal analyst at Reticle Research.

    “So in many ways, this app remake is more about the bridge to those services,” he told TechNewsWorld.

    Voice Apps Relegated

    Under the redesign, the app’s advanced features — Reminders, Routines, Skills and Settings — have been moved under a “more” button on the home screen. In addition, third-party voice apps have also been banished from the main screen.

    “Discoverability remains a problem for a lot of these voice apps,” Parks’ Hanich said. “It’s difficult to find what you’re looking for unless you go digging through the Alexa app.”

    Quality is another issue with the apps. “The issue is similar to what the smartphone app stores experienced early on,” Hanich explained. “They were originally flooded with low quality experimental designs that didn’t provide value to consumers.”

    “Many were never updated after being released,” she explained. “While there are quite a few high quality voice apps available, there’s still a very large number of low quality apps in the Alexa Skills Store.”

    Rubin noted that for years both Amazon and Google have been touting the number of skills you can activate via their agents, but it’s been very difficult to drive usage of those skills.

    “It’s tough to remember them,” he said. “It’s tough to find them. So in this new interface, those things have been emphasized a lot less.”

    “Amazon is focusing on a core number of things that people most often use Alexa for because the promise of voice control is convenience, but it’s difficult to make it scale over a wide array of functions that may not be top-of-mind for users,” he added.

    Lack of Promotion

    Enderle noted that Amazon hasn’t exactly set up the skill apps for success.

    “No one is really marketing this stuff anymore,” he noted. “To change behavior, you have to keep reminding people that these alternatives are in place, otherwise they don’t use them, and if they don’t use them, then what’s the point in continuing to develop them?”

    “If you’re not promoting the apps and you’re going to make it harder for people to get to them, that’s not a formula for success,” added Enderle.

    As the smart home market grows, distinctions between digital assistants will become fuzzier.

    “Digital assistants are blending into the background, becoming less identified with a category of product — like the smart speaker — as they were at the beginning,” Rubin explained.

    “That’s only going to accelerate because Apple, Google and Amazon are working toward a home automation standard that will allow more interoperability among their ecosystems,” he continued.

    “They need to do that because that’s the best way to incentivize builders to put the technology into new construction,” he said. “You can’t build a house assuming someone is an iPhone user or Alexa user or a Google user.”




  • Job-hunting: ‘I apply everywhere – few firms reply’

    Nick and Emily McKerrell are frustrated that few firms bother to reply

    With university degrees, years in employment and youth on their side, Nick and Emily McKerrell are examples of just how difficult the jobs market has become.

    Not only are they struggling to find work, few employers even bother to reply to their job applications. To say they are frustrated is an understatement.

    Emily, 28, is on furlough from her recruitment job at a law firm in Manchester. She is receiving 80% of her wage, but is looking for work to supplement her income – and there’s also the uncertainty of when and if she will return.

    “So far I’ve applied for 30 roles. I got rejections from three, and never heard back from anyone else. I’ve applied for everything – sales jobs, cashiers, shop work, restaurants, everything.

    “I applied for one role and within 15 minutes got a rejection. How can they even read my application in that time?”

    It’s a similar experience for husband Nick, also 28, who has a degree in horticultural science. He’s been applying for roles since March and says he is willing to work in any sector at any level, as bringing in some money is the most important thing.

    “It’s kind of frustrating to not hear back at all. It’s just like silence,” he said. “Do they want good workers or not? Even if I’m over-qualified for some positions, I would be a really good employee, so hire me. Hire me!”

    ‘Toughest market in a generation’

    If the finances don’t improve soon, they may have to move back into Emily’s parents’ home.

    The couple are proof of what economists have been saying for some time: conditions for job hunters over the past few months have arguably been the worst for decades.

    Even well qualified candidates are finding that they are applying for a shrinking number of roles, often many pay grades below what they are used to.

    Employment recruiters report seeing up to ten times the normal number of applicants for positions compared with before the pandemic and fewer jobs are being advertised.

    In the worst-hit areas of the UK, 40-plus unemployed people are chasing every job. The Institute of Employment Studies (IES) says the number of live job vacancies in July stood at 361,000 – less than half the number advertised in February before lockdown.

    IES director Tony Wilson describes it as the “toughest jobs market in a generation”.

    For example, analysis of hundreds of thousands of CVs at online jobs site Indeed suggests managers in the hard-hit UK hospitality and sales sectors are increasingly applying for low-paid, entry-level jobs in different industries, such is the dearth of positions.

    The following graphs, based on Indeed data, illustrate online job searches by managers in the hospitality sector and what sectors they are looking at. It covers the increase from Jan-July 2019 to Jan-July 2020.

    Indeed, which has more than 14 million CVs on its books, found a 73% increase in bar managers looking at labourer jobs in construction between January-July year-on-year.

    There was a 70% rise in restaurant managers looking at customer assistant jobs over the same period, and a 36% increase in sales managers looking at driving jobs.

    Indeed economist Jack Kennedy said: “Fewer job vacancies and rising unemployment has caused a squeeze for jobs with many experienced candidates in sectors hardest hit by the downturn clicking on jobs outside of their occupation.”

    15,000 applicants

    The situation for graduate jobs is particularly difficult. In 2020, graduate jobs have dried up three times faster than normal leading to increased competition for roles.

    The experience of some employers highlights just how fierce the competition for jobs is. Warwickshire-based engineering firm Lontra is opening a new production line in Tyseley, Birmingham and received an astonishing 15,000 applicants for 10 jobs advertised last week.

    Chief Executive Steve Lindsey said he expected the engineering roles to attract a couple of hundred candidates and was “surprised” to see the huge volume of applications.

    “It’s a reflection of the challenges out there, but also that manufacturing is an exciting sector to work in,” he said.

    Steve Lindsey says there is a pool of people with transferable skills in the manufacturing sector

    The majority of applicants were well skilled and from the Midlands region, where there has been a swathe of redundancies in the aerospace, motor, and transport sectors in recent months, including some 3,000 at Derby-based Rolls-Royce.

    Mr Lindsey said there is a pool of people with transferable skills in the manufacturing sector.

    “People are looking to us as a growth company which is expanding and I think that’s important in these troubled times,” he said.

    For 28-year-old Rebecca Priestley, from Bradford, becoming unemployed for the first time in her life was a huge shock.

    For the last decade, she’s done a nine-to-five job in communications at a High Street bank. Just before lockdown she was made redundant and has been searching for similar roles in West Yorkshire ever since.

    Every application that goes out the door chips away at your confidence, says Rebecca

    “It’s the not knowing when your next salary is going to be that is really daunting,” she said. “I have no problem going for a role in a cafe, or stacking shelves in the supermarket, but it would be great to keep developing the skill set I have rather than being forced into doing something completely different.”

    After months of filling in applications, Rebecca says the rejections are taking their toll. She’s even applying for unpaid internships to broaden her skills.

    “Your mental health does take a battering and it is really hard sending the applications out and not hearing anything back. With every application that goes out the door it chips away at your confidence,” she said.

    Her fear is that the job hunting is set to become even more competitive when the furlough scheme winds down in the autumn.

    “There are going to be even more redundancies. It’s already dog-eat-dog and it is only going to get worse,” she said.

    Recruitment expert Kate McCarthy-Booth says firms can worry that over-qualified staff will leave

    Kate McCarthy-Booth’s Warrington-based employment agency, McCarthy Recruitment, specialises in placing people in retail and hospitality jobs across the UK.

    “Instead of 50 applications per role, you are now hitting 500 to 600,” she says. “The demand is huge and you see some people who are applying for every role.”

    She says some companies are worried about taking on someone who is over-skilled because “maybe they won’t be as hands on, or it could be a concern about will they stay long term or is it just a stop gap?”

    She said it takes a lot of money to train people, “and employers are thinking: will they just leave us at the end of the year, when Covid is over?”

    It could, of course, be really positive for an employer, as there is some great talent on the market at the moment, she says.

    For job-seekers, however, the future points to their hunt for work becoming even more demoralising.

  • Trump says he will ban TikTok in the US

    Mr Trump said he could ban the app as early as Saturday

    President Donald Trump has announced he is banning the Chinese-owned video-sharing app TikTok in the US.

    He told reporters he could sign an executive order as early as Saturday.

    US security officials have expressed concern that the app, owned by Chinese firm ByteDance, could be used to collect the personal data of Americans.

    The fast-growing app has up to 80 million active monthly users in America and the ban would be a major blow for ByteDance.

    “As far as TikTok is concerned, we’re banning them from the United States,” Mr Trump told reporters aboard Air Force One.

    TikTok spokesperson Hilary McQuaide declined to comment on the move but said the company was “confident in the long-term success of TikTok”, the Washington Post reports.

  • Coronavirus: More than half of furloughed staff ‘back at work’

    More than half of the people furloughed during the pandemic are now back at work, a think tank has suggested.

    The Resolution Foundation said fewer than 4.5 million workers were currently furloughed, as employers begin contributions toward the scheme.

    It comes as some businesses face putting workers back on furlough after lockdown easing was halted in England.

    The government said millions of jobs had been saved because of the furlough scheme.

    Latest furlough figures showed 9.5 million workers as being on the scheme, at a cost of £31.7bn to the Treasury.

    But the Resolution Foundation said that, although more than nine million workers – a third of the private sector work force – have been furloughed at some point since March, the current number is now less than half that.

    The think tank warned winding the scheme down “carries the real risk of increased redundancies”, echoing concerns raised earlier this week that it could push unemployment to 10% this year.

    Firms will now have to pay towards the cost of furloughed staff, by paying their employer National Insurance and pension contributions until the scheme ends on 31 October.

    The average cost will be £70 a month – or 5% of the employees’ pre-furloughed pay – according to the think tank.

    But many businesses in England expecting to reopen this weekend heard during a Downing Street press conference on Friday they would have to wait at least another fortnight because of a rising number of coronavirus cases.

    Casinos, bowling alleys, skating rinks and close-contact beauty treatments are among those to be affected by the latest changes.

    The number of furloughed workers at any one time peaked at nearly eight million in late April, the foundation said, based on analysis of three separate Office for National Statistics surveys.

    Dan Tomlinson, senior economist at the Resolution Foundation, said: “The Job Retention Scheme has supported around a third of the private sector workforce at some point since lockdown began, protecting family incomes and preventing catastrophic levels of unemployment.”

    But he said that millions of employees are currently without work, particularly in sectors such as hospitality and leisure, and called for the government to phase out support for these “hardest hit” sectors more slowly, due to a “heightened” risk of unemployment.

    A Treasury spokesman said: “We said at the start of the crisis that we couldn’t save every job – but it’s clear that the furlough scheme has saved millions of them – and now many people who’ve been furloughed are able to return to work.

    “That’s good for the economy but more importantly it’s good for individuals, their families and communities.”

  • New Security Hole Puts Windows and Linux Users at Risk

    By Jack M. Germain

    Jul 29, 2020 10:10 AM PT

    If you are a Windows or Linux user, brace yourself for a long siege of vulnerability nightmares. The fix will be long and treacherous and could brick your computers.

    Eclypsium researchers on Wednesday released details of a set of newly discovered vulnerabilities dubbed “BootHole” that open up billions of Windows and Linux devices to attacks.

    This is a serious vulnerability with a Common Vulnerability Scoring System (CVSS) rating of 8.2. The highest assigned rating on this severity scale is 10.

    The BootHole vulnerability in the GRUB2 bootloader opens up Windows and Linux devices using Secure Boot to attack. To mitigate the attack surface, all operating systems using GRUB2 with Secure Boot must release new installers and bootloaders, the researchers warned.

    Attackers exploiting this vulnerability could gain near-total control of the compromised device. The majority of laptops, desktops, servers, and workstations are affected, as well as network appliances and other special-purpose equipment used in industrial, healthcare, financial, and other industries, according to the report.

    Researchers warned that mitigating this vulnerability will require updated versions of the vulnerable program to be signed and deployed. They also advised that vulnerable programs should be revoked to prevent adversaries from using older, vulnerable versions in an attack.

    Plugging this vulnerability hole will likely be a long process. It will take considerable time for IT departments within organizations to complete patching, the researchers said.

    Eclypsium has coordinated the responsible disclosure of this vulnerability with a wide variety of industry entities, including OS vendors, computer manufacturers, and the Computer Emergency Response Team (CERT). A number of these organizations are listed in the report and were part of Wednesday’s coordinated disclosure.

    “This is probably the most widespread and severe vulnerability that we have found at Eclypsium. Many of the issues we found in the past were specific to a given vendor or model, whereas this issue is pervasive. This vulnerability in Secure Boot affects the default configuration of most systems deployed in the past decade,” Jesse Michael, principal researcher for Eclypsium, told TechNewsWorld.

    This GRUB2 vulnerability was assigned CVE-2020-10713.

    Finding and Patching Holes in the Boot

    The Eclypsium researchers stumbled on the trail of the BootHole vulnerabilities somewhat by accident while doing some routine proactive exploration, according to Michael.

    “We were exploring any weak links in the whole secure boot infrastructure. Since we had previously seen a similar issue with Secure Boot and the Kaspersky boot loader, we thought we should take a deeper look at that area. We did some fuzzing on GRUB2, which is widely used by most Linux distributions, and found a vulnerability that turned out to be much larger than we expected,” he said.

    Fuzzing, or fuzz testing, is an automated software testing technique to find hackable software bugs. Testers randomly provide different permutations of data into a target program until one of those permutations reveals a vulnerability.

    Researchers have yet to see bad guys exploiting this specific vulnerability in the wild, he noted. But threat actors have been using malicious Unified Extensible Firmware Interface (UEFI) bootloaders.

    “This sort of attack has been used by malware, including wipers and ransomware, for a long time, and Secure Boot was designed to protect against this technique. The BootHole vulnerability makes most devices susceptible even when Secure Boot is enabled. Previous threat actors used malware tampering with legacy OS bootloaders including APT41 Rockboot, LockBit, FIN1 Nemesis, MBR-ONI, Petya/NotPetya, and Rovnix,” Michael noted.

    What BootHole Does

    Attackers can leverage the GRUB2 bootloader that most Linux systems and Windows computers use to gain arbitrary code execution during the boot process. This can happen even when Secure Boot is enabled. Attackers exploiting this vulnerability can install persistent and stealthy bootkits or malicious bootloaders that could give them near-total control over the victim device, according to Eclypsium’s report.

    What makes this BootHole vulnerability even more threatening is its ability to affect systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable. This means that nearly every Linux distribution is affected. In addition, GRUB2 supports other operating systems, kernels, and hypervisors such as Xen.

    This problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third-Party UEFI Certificate Authority. Thus, BootHole affects the majority of laptops, desktops, servers, and workstations. The vulnerability also threatens network appliances and other special purpose equipment used in industrial, healthcare, financial, and other industries. This vulnerability makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders, noted researchers at Eclypsium.

    If the Secure Boot process is compromised, attackers can control how the operating system is loaded and subvert all higher-layer security controls. Recent research identified ransomware in the wild using malicious EFI bootloaders as a way to take control of machines at the time of boot. Previously threat actors used malware tampering with legacy OS bootloaders including APT41 Rockboot, LockBit, FIN1 Nemesis, MBR-ONI, Petya/NotPetya, and Rovnix, noted the report.

    Circular Firing Squad

    Attackers can also use a vulnerable bootloader against the system, the report writers added. For example, if an attacker finds a valid bootloader with a vulnerability, a piece of malware can replace the device’s existing bootloader with the vulnerable version.

    The bootloader would be allowed by Secure Boot and give the malware complete control over the system and the operating system itself. Mitigating this requires very active management of the dbx database used to identify malicious or vulnerable code.


    The Secure Boot process has potential problems with many pieces of code. A vulnerability in any one of them presents a single point of failure that could allow an attacker to bypass Secure Boot, according to Eclypsium’s BootHole report.


    Additionally, trying to fix the BootHole vulnerabilities can be potentially deadly to the hardware and software. Updates and fixes to the Secure Boot process can be particularly complex. The complexity poses the additional risk of inadvertently breaking machines.

    The boot process by nature involves a variety of players and components including device OEMs, operating system vendors, and administrators. Because the boot process is so fundamental, any problem along the way poses a high risk of rendering a device unusable. As a result, updates to Secure Boot are typically slow and require extensive industry testing.

    Buffer Contributor

    The BootHole vulnerability is a buffer overflow that occurs in GRUB2 when parsing the grub configuration file, according to Eclypsium’s researchers. The GRUB2 configuration file (grub.cfg) is merely a text file. It is typically not signed like other files and executable code.

    This vulnerability enables arbitrary code execution within GRUB2 and ultimately control over the booting of the operating system. As a result, an attacker could modify the contents of the GRUB2 configuration file to ensure that attack code is run before the operating system is loaded. In this way, attackers gain persistence on the device, according to the report.

    To pull off such an intrusion, the attacker would need elevated privileges. But it would provide the attacker with a powerful additional escalation of privilege and persistence on the device. This would occur with or without Secure Boot enabled and properly performing signature verification on all loaded executables.

    Challenging Mitigation Effort

    Eclypsium warned that plugging BootHole will require the release of new installers and bootloaders for all versions of Linux and potentially Windows. Vendors will have to release new versions of their bootloader shims signed by the Microsoft Third-Party UEFI CA.

    Until all affected versions are added to the dbx revocation list, an attacker would be able to use a vulnerable version of shim and GRUB2 to attack the system. This means that every device that trusts the Microsoft Third-Party UEFI CA will be vulnerable for that period of time.


    The Unified Extensible Firmware Interface (UEFI) Forum originally developed Secure Boot as a way to protect the boot process from these types of attacks.


    The GRUB2 configuration file (grub.cfg) is an external file commonly located in the EFI System Partition and can therefore be modified by an attacker with administrator privileges without altering the integrity of the signed vendor shim and GRUB2 bootloader executables.

    The buffer overflow allows the attacker to gain arbitrary code execution within the UEFI execution environment, which could be used to run malware, alter the boot process, directly patch the OS kernel, or execute any number of other malicious actions.

    This vulnerability is not architecture specific. It is in a common code path and was also confirmed using a signed ARM64 version of GRUB2.

    In response to the Eclypsium report, Canonical’s security team found additional vulnerabilities in the GRUB2 code, the report noted. That will further affect the mitigation path.

    “Those vulnerabilities discovered by the Canonical security team were all of medium severity. There were also dozens of further vulnerabilities identified by other organizations that do not yet have individual CVEs assigned,” said Michael.

    What’s Needed to Fix

    Full mitigation will require coordinated efforts from affected open-source projects, Microsoft, and the owners of affected systems, among others. The list of tasks to fix BootHole, according to the report, will include:

    • Updates to GRUB2 to address the vulnerability.
    • Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims.
    • New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
    • Administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media.
    • Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.

    More Bugaboos Possible

    Full deployment of this revocation process to enterprises will likely be very slow, researchers suggested. UEFI-related updates have a history of making devices unusable. So, vendors will need to be very cautious to prevent the fix from turning computers into bricks.

    For example, if the revocation list (dbx) is updated on a system whose bootloader has not yet been updated, the system will not load. So vendors will have to apply revocation list updates over time to prevent breaking systems that have yet to be updated.

    Also, cases exist where updating the dbx can be difficult. The edge conditions involve computers with dual-boot or deprovisioned setups.

    Other circumstances can further complicate matters. For instance, enterprise disaster recovery processes can run into issues where approved recovery media no longer boots on a system if dbx updates have been applied.

    Another situation is when a device swap is needed due to failing hardware. New systems of the same model may have already had dbx updates applied and will fail when attempting to boot previously-installed operating systems. So before dbx updates are pushed out to enterprise fleet systems, recovery and installation media must be updated and verified as well.

    Few Workarounds

    With the report’s dire warnings about boot fixes bricking hardware, few potential workarounds exist to prevent the cure being worse than the attack results. Michael expects attacks will occur that take advantage of this, if they haven’t already.

    “If left without action or mitigation, this will leave a gaping hole on all affected systems,” he said. “There could be unexpected consequences to the cure as well.”

    Revocation updates are not common, and this is going to be the largest revocation ever done. Bugs in this rarely used part of firmware could cause systems to behave unexpectedly after the update. In order to avoid such issues, the revocation will not happen automatically.

    “This forces security teams to carefully manage this issue using manual intervention,” cautioned Michael.

    Workarounds may need to be tweaked by various vendors to be effective for their products. Bootloader vulnerabilities have been found in the past that vendors successfully patched, according to Charles King, principal analyst at Pund-IT.

    For example, one was revealed in March that affected LG phones, and in June the company announced that it had issued a patch for phones going back seven years.

    What’s Worse: Meltdown and Spectre or BootHole?

    The Meltdown and Spectre vulnerabilities of 2019 impacted confidentiality. They allow an attacker to steal secrets.

    This vulnerability impacts integrity and availability, as well as confidentiality. Therefore, BootHole has the potential for much broader damage, according to Michael.

    Using the industry-standard CVSS severity score, Meltdown and Spectre were classified as Medium severity vulnerabilities, and BootHole is rated as a High severity vulnerability, he said.

    While the BootHole vulnerability occurs in software (system firmware), Meltdown and Spectre exploited hardware flaws that were baked into many CPUs. A major challenge with Meltdown and Spectre has been that fixes often significantly impact CPU performance, noted King.

    “It seems unlikely that BootHole fixes will similarly impact system or device performance,” he told TechNewsWorld.

    Which vulnerability is more dangerous is relative. Just because a vulnerability exists does not mean that people will find a way to effectively exploit it. Though Meltdown and Spectre attracted a great deal of attention when they were revealed several years ago, he has not seen any reports of successful exploits, King said.

    What to Do

    Most users will want to deploy the updates that vendors are coming out with beginning on July 29, Michael suggested. In addition to the automatic updates released by OS vendors, manual action will be needed to revoke the old, vulnerable versions of grub.

    “Until this is done, systems will remain vulnerable,” he warned.

    Enterprise security teams should also consider threat hunting or monitoring activities that look at the bootloaders present on operational systems, suggested Michael. This should reveal which systems have suspicious-looking bootloaders and grub configuration files.

    “Considering the complexity of deploying these updates to an enterprise, such monitoring may be an important workaround to buy time while updates are tested and deployed,” Michael concluded.
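The bootloader and grub.cfg monitoring described above can start from a hash baseline of the EFI System Partition. The Python below is an added example, not code from Eclypsium or from this article; the directory layout, file names and finding labels are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files worth tracking on the EFI System Partition (ESP): signed EFI
# executables (shim, GRUB2) and the unsigned grub.cfg text file.
WATCHED_SUFFIXES = {".efi", ".cfg"}


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot_esp(esp_root):
    """Map each watched file (path relative to the ESP, lower-cased) to its SHA-256."""
    root = Path(esp_root)
    snapshot = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            # The ESP is FAT, which is case-insensitive, so normalise case.
            rel = path.relative_to(root).as_posix().lower()
            snapshot[rel] = sha256_file(path)
    return snapshot


def diff_snapshots(baseline, current):
    """Return sorted (finding, path) tuples describing drift from the baseline."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append(("ADDED", rel))
        elif rel not in current:
            findings.append(("REMOVED", rel))
        elif baseline[rel] != current[rel]:
            # grub.cfg also changes on legitimate kernel updates, so a config
            # change is a triage item to match against change records.
            kind = "CONFIG_CHANGED" if rel.endswith(".cfg") else "BINARY_CHANGED"
            findings.append((kind, rel))
    return findings


def demo():
    """Build a constructed ESP tree, baseline it, change it, and report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        vendor = esp / "EFI" / "ubuntu"  # constructed layout, not a real host
        vendor.mkdir(parents=True)
        (vendor / "shimx64.efi").write_bytes(b"constructed shim image")
        (vendor / "grubx64.efi").write_bytes(b"constructed grub image")
        (vendor / "grub.cfg").write_text("set timeout=5\n")
        baseline = snapshot_esp(esp)

        # Simulated drift: the config is edited and a new binary appears.
        (vendor / "grub.cfg").write_text("set timeout=5\n# edited\n")
        fallback = esp / "EFI" / "BOOT"
        fallback.mkdir()
        (fallback / "extra.efi").write_bytes(b"constructed unknown image")
        return diff_snapshots(baseline, snapshot_esp(esp))


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:15} {rel}")
```

On a real host, `snapshot_esp` would be pointed at the mounted ESP (commonly `/boot/efi` on Linux) and the baseline kept off the machine so that an attacker with administrator privileges cannot rewrite it.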

    The Eclypsium report is available here.



    Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.