There are several ways to exploit LogoFAIL. Remote attacks work by first exploiting an unpatched vulnerability in a browser, media player, or other app and using the administrative control gained to replace the legitimate logo image processed early in the boot process with an identical-looking one that exploits a parser flaw. The other way is to gain brief access to a vulnerable device while it’s unlocked and replace the legitimate image file with a malicious one.
In short, the adversary requires elevated access to replace a file on the EFI partition. In this case, you should consider the machine compromised with or without this flaw.
You weren’t hoping that Secure Boot saves your ass, were you?
Ah, so the next Air Bud movie will be what, Hack Bud?
“There’s nothing in the specifications that says that a dog can’t have admin access.”
“Nothing but 'net!”
Doesn’t this mean that secure boot would save your ass? If you verify that the boot files are signed (secure boot) then you can’t boot these modified files or am I missing something?
If it can execute in ram (as far as I understand, they’ve been talking about fileless attacks, so… Possible?), it can just inject whatever
Addit: also, sucure boot on most systems, well, sucks, unless you remove m$ keys and flash yours, at least. The thing is, they signed shim and whatever was the alternative chainable bootloader (mako or smth?) effectively rendering the whole thing useless; also there was a grub binary distributed as part of some kaspersky’s livecd-s with unlocked config, so, yet again, load whatever tf you want
Last time I enabled secure boot it was with a unified kernel image, there was nothing on the EFI partition that was unsigned.
Idk about the default shim setup but using dracut with uki, rolled keys and luks it’d be secure.
After this you’re protected from offline attacks only though, unless you sign the UKI on a different device any program with root could still sign the modified images itself but no one could do an Evil Maid Attack or similar.
The point with m$ keys was that you should delete them as they’re used to sign stuff that loads literally anything given your maid is insistent enough.
[note: it was mentioned in the arch wiki that sometimes removing m$ keys bricks some (which exactly wasn’t mentioned) devices]
Well, not an expert. We learned now that logos are not signed. I’m not sure the boot menu config file is not either. So on a typical linux setup you can inject a command there.
In many of these cases, however, it’s still possible to run a software tool freely available from the IBV or device vendor website that reflashes the firmware from the OS. To pass security checks, the tool installs the same cryptographically signed UEFI firmware already in use, with only the logo image, which doesn’t require a valid digital signature, changed.
When I went to trade school in 2010 for automotive repair our instructors told us this was going to happen. At the time, I thought they were just grumpy old men who didn’t like that cars were becoming more and more electronic. How wrong I was
Probably better than dying, high cholesterol is responsible for 7.1% of deaths in England alone. In 2022 that’s something like 40k deaths a year that could have been elimated.
I have an ebike, and I really want an electric scooter/bike once the range can be improved, currently they couldn’t get me to and from work (it’s a long commute)
Yeah, I get it. Private vehicles everywhere on the side of the street are an eyesore and take a ton of valuable public space. If at least e-scooters were as small as a car it wouldn’t be such a big deal to see them parked everywhere.
My biggest issue with scooters is that the sidewalks on most streets in North America are way too narrow to safely use them while others are walking, and we’re seriously lacking in dedicated bike lanes. Both of which are issues with the prioritization of car infrastructure over all else as opposed to problems with scooters themselves. Since scooters cannot safely run on the road but is still too fast for exclusively pedestrian paths. Where there are dedicated bike lanes in my city, scooters share them with bikes perfectly fine.
I feel like most roads where you’d ride a scooter the cars would be less of a problem if they followed the speed limit. Scooters should be able to go down 45mph roads just fine but there’s always some massive truck going 60.
Yeah, unfortunately speed limits don’t mean anything and studies show that drivers pretty much always drive as fast as they think they can regardless. The issue is that North America has stroads which are highly conducive to driving fast, damn near highway speeds. If we had the narrow, potentially tile or even cobblestone local streets that European and Asian cities have it would be less of a problem because those conditions directly promote lower speeds and more attentive driving.
I’ve heart NotJustBikes say similar things. I normally don’t favor control over everything but at this point I would be ok with cars having electronically controlled speed limiters to not exceed the speed limit of whatever road they’re on.
It’s really just created such an entitled, careless, and demanding mindset where bikes need to have speed limiters on them for safety but Fred can buy a 1200hp 3 ton weapon with no limiter.
It’s also not unheard of either. IIRC Japan had speed governors on their cars for a time, which limited them to their national highway speed of 100 km/h (which is still very fast to be fair).
I’m perfectly fine with there being interstates that go 85mph I just don’t want people driving so fast in dense areas with mixed traffic. If I could have people just not be assholes that would be great but I feel like driving the speed limit now is just reason for someone to get angry with you and want to drive you off the road.
I’d love to ride a bike everywhere I can but every road I would be riding would have traffic going over 45mph with massive vehicles who have drivers so impatient they’d rather run you off the road than share the road.
we need to infiltrate civil engineering standards boards and make protected bike lanes mandatory for all roads with 4 or more car lanes or speed limits over 25 mph. then they'll be the default everywhere because going against code will invite lawsuits
This is the kicker. They are a pretty good solution now, but they could be amazing.
At least in my country they need to hammer out a consistent set of rules and laws regarding their use. Last time I checked the vast majority of them are effectively illegal because under current laws they are too powerful to be considered an assisted pushbike, you cant register them as a roadgoing vehicle because they dont have indicators and brake lights and you cant ride them on the footpath because riding on the footpath is against the law.
Which puts them in that lovely legal space of “Does a cop want to fuck with me today?” Fortunately our police tend to be pretty cool on the subject because they know that technically taking it out of your house is illegal which is dumb.
arstechnica.com
Newest