Malware Installed in Asus Computers through Hacked Update Process

Kaspersky Labs is reporting on a new supply chain attack they call "Shadowhammer."

In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.

[...]

The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters' MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.

We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: "ASUSTeK Computer Inc."). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.

The sophistication of the attack leads to the speculation that a nation-state -- and one of the cyber powers -- is responsible.

As I have previously written, supply chain security is "an incredibly complex problem." These attacks co-opt the very mechanisms we need to trust for our security. And the international nature of our industry results in an array of vulnerabilities that are very hard to secure.

Kim Zetter has a really good article on this. Check if your computer is infected here, or use this diagnostic tool from Asus.

Another news article.

Posted on March 28, 2019 at 6:42 AM • 35 Comments

Comments

JonKnowsNothing • March 28, 2019 9:24 AM

There are at least 2 groups interested in grabbing access to products going into mass market

1. Security Services - These are unstoppable. See NSA repacking a Cisco Router.

2. Other folks for a lot of reasons - Money, Trolling, Notoriety and Pawnage. See Lion King CD Distro when original CDs contained XXX content inserted during the CD Stamping Process.

Attacking supply systems is a long standing military objective. It's a very refined attack system and JIT made it super easy to do.

Trying to explain to people that just because it says XXX or the LED is green or it is in shrink wrap does not mean it really is XXX or the system is not failing or it's not been rewrapped, this doesn't seem to connect the dots for them.

While this concerns technology attacks, the same goes for consumer goods and foods. Faked Virgin Olive Oil, prohibited products in foods, mislabeled items, rewrapped meats. It's old hat and well known.

For every bar we place to prevent redirection, it is only as good as the implementation. The system that permits an Updater to update malware or badware or crapware is useful for Group 1. They do it regularly. They are not going to allow the necessary changes. Or at least not until a whole lot of folks refuse Dragonfly work projects and the companies that profit from them.

1&1~=Umm • March 28, 2019 10:44 AM

This is a point that needs further investigation / explanation,

"'The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: "ASUSTeK Computer Inc.").'"

The use was most unlikely to have been 'legitimate' which implies one of three things,

1, Private Key was stolen.
2, Private Key was remade.
3, Some form of collision was found.

Whilst nearly anybody can do the first because the technical skills are well known and fairly easily acquired, the last two are potentially restricted to just a handful or two at the most of organisations in the world.

Of those you are looking at the SigInt agencies with not just the brains but also the computing resources to carry them out.

Also this is in many ways an apparent replay of stuxnet, with very few actual targets in its scope (which also would have helped keep it covert).

It would be interesting to see the 600 numbers and use a service like Shodan etc to track them down to networks thus potentially identify the targets. Then work backwards to identify the attackers.

1&1~=Umm • March 28, 2019 11:01 AM

@ALL:

Just one thing to remember MAC addresses are not always easy to get or associate with an individual.

One good way to do it is when the person crosses a border and the laptop is turned on to see it's not a bomb etc...

Thus a small bet is all the targets have traveled to only one or two countries collectively.

But for others, for goodness sake do not take your main laptop phone etc abroad with you, it's an APT risk too far for any sensible person to do these days.

It is a certain bet that at a number of borders all your electronics are enumerated in many ways and they are all then stored away against the Identity in your travel documents along with your picture, finger print etc and no doubt in some cases your DNA and other fingerprints from the VIP / frequent flier lounge etc.

Yes it might sound a little paranoid today, but think of your tomorrows. We've been through the same with 'collect it all' where you were paranoid before Ed Snowden and had good insight or insider knowledge afterwards. Be very clear they are out to get us all because like those collecting PII for advertising the information has value. Yours might be worthless today but will it always be? Likewise the person standing next to you in the airport queue their DNA etc might be of value beyond price, thus overall the average cost of collecting everybody's DNA fingerprints and images is easily worth the minor price per individual, and it will only get less costly with time.

nobody interesting • March 28, 2019 12:14 PM

A couple of things I've seen missing from most reporting on this:

1) Asus needs to revoke those certs (Zetter at least mentioned this), and rethink how it protects them in future, if they're serious. Everything else is just window dressing if they don't get that part right; and

2) Has anyone wondered whether Asus was complicit?

Jack • March 28, 2019 1:36 PM

Mueller must reopen the Donald Putin investigation ASAP.
Only a russian spy in the White Kremlin House could pull this off.

1&1~=Umm • March 28, 2019 1:38 PM

One of the reasons this happened and for so long is that the current code signing process is broken.

A search of this blog shows that the failings of code signing has been mentioned for a decade or more, and two names saying it's not a good idea and why show up regularly, @Nick P and @Clive Robinson.

So to add to those comments,

In this case the failure is the "Upload and forget" behaviour of the organisation concerned. That is they can not have had a policy of actually checking the files after they were uploaded to ensure they had not been changed at any point in time in a timely manner.

After the warning of stuxnet not doing this sort of checking really is negligent behaviour.

There are several fairly easy ways such 'image checking' can be done, but it would be wise these days to do a byte by byte comparison and not rely on hashes, as the likes of the NSA and GCHQ might have broken them.

In essence a copy of the files in genuine Read Only Format needs to be put on an effectively hidden computer. It either pulls the files on the public server down to check them every half hour or so. Or it's a little more sophisticated and checks the files 'off the wire' as users download them. Either way the malware substitute would have been caught very very quickly.

Whilst that will not solve the other issues identified and put up on this blog in the past, it will block this particular attack in future.

However it needs to be said that there have been other attacks developed by the GCHQ and the NSA that could achieve the same result. That is the 'get in quick' attack where the first TCP packet that arrives at the destination machine is accepted. Thus if the SigInt agencies can have the files distributed around the net they can get their malware loaded packets to a user's computer first.

As easy as this sounds, it's actually going to be quite hard to implement with COST systems. But that does not in any way suggest they do not have the capabilities to do it.
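The "image checking" described in the comment above, sketched as an added example (not part of the comment and not ASUS's or anyone's production code): a checker that compares files pulled from the public server against an offline reference copy byte for byte, with no hash involved. It assumes the pull step has already mirrored the public files into a local directory; the file names and contents are constructed sample data.

```python
"""Byte-for-byte audit of a pulled download tree against an offline reference copy."""
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def files_identical(reference: Path, candidate: Path) -> bool:
    """Compare two files byte for byte, without relying on any hash function."""
    if reference.stat().st_size != candidate.stat().st_size:
        return False
    with reference.open("rb") as ref, candidate.open("rb") as cand:
        while True:
            a, b = ref.read(CHUNK), cand.read(CHUNK)
            if a != b:
                return False
            if not a:  # both streams ended at the same point
                return True


def list_files(root: Path) -> set:
    """Relative paths (POSIX style) of every regular file below root."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def audit(reference_root: Path, pulled_root: Path) -> dict:
    """Return {relative path: finding}; an empty dict means the trees match."""
    ref, pulled = list_files(reference_root), list_files(pulled_root)
    findings = {name: "missing" for name in ref - pulled}
    # A file nobody released is as interesting as a changed one.
    findings.update({name: "unexpected" for name in pulled - ref})
    for name in ref & pulled:
        if not files_identical(reference_root / name, pulled_root / name):
            findings[name] = "modified"
    return dict(sorted(findings.items()))


def demo() -> dict:
    """Constructed sample: one swapped file, one deleted file, one planted file."""
    with tempfile.TemporaryDirectory() as tmp:
        reference, pulled = Path(tmp, "reference"), Path(tmp, "pulled")
        for root in (reference, pulled):
            (root / "drivers").mkdir(parents=True)

        genuine = b"MZ" + b"\x00" * 4096 + b"genuine updater"
        # Same length as the genuine file, so a size check alone would pass.
        swapped = b"MZ" + b"\x00" * 4096 + b"patched updater"

        (reference / "updater.exe").write_bytes(genuine)
        (reference / "drivers" / "video.bin").write_bytes(b"v1")
        (reference / "readme.txt").write_bytes(b"notes")

        (pulled / "updater.exe").write_bytes(swapped)
        (pulled / "drivers" / "video.bin").write_bytes(b"v1")
        (pulled / "extra.dll").write_bytes(b"x")
        return audit(reference, pulled)


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{finding:10} {name}")
```

Run on a schedule from a machine that only makes outbound pulls, any non-empty result is the alert.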

Tatütata • March 28, 2019 3:42 PM

The malware had 600 unique MAC addresses it was seeking

If the malware looks for specific machine, characterised by a MAC for each adapter (Ethernet and a WiFi), then only 300 machines are really concerned.

How did the attacker select the MAC addresses? By running malware on the ASUS update server, and finding out who came to the watering hole that met the criteria? I found no mention of the common denominator linking the machines. A country? A company? Did AG Barr bowdlerize the report? [SNCR] A fuller picture might help Kaspersky reestablish its reputation.

Buried in those malicious samples were hard-coded MD5 hash values that turned out to be unique MAC addresses for network adapter cards.

OK, now we know that the malware was written by a 100€ rent-a-coder. :-)

What's not clear to me is what exactly needs to be updated directly by ASUS. The machines would usually call home to Redmond for OS updating, but a BIOS upgrade would normally be initiated manually by the user. Stuff like video drivers would be delivered over the Microsoft channel, and not the OEM, isn't it?

Steve Friedl • March 28, 2019 3:59 PM

The thing that concerns me is:

Kamluk said Kaspersky notified ASUS of the problem on January 31, and a Kaspersky employee met with ASUS in person on February 14. But he said the company has been largely unresponsive since then and has not notified ASUS customers about the issue.

Hey, I get that it's hard to get this stuff right, and an oopsie can happen, but the real test is whether a company does the right thing once the oopsie is pointed out or not.

Going dark, pretending it didn't happen, and volunteering to suck don't make me want to do business with a company.

Sam • March 28, 2019 4:08 PM

@nobody: Good question. Apparently the malware was based on a modified version of a several-year-old legitimate ASUS file, pointing towards attackers who were able to compromise Asus's signing and distribution infrastructure but not their code building/deploying infrastructure. Had Asus (or individuals within it) been complicit, they likely (but who really knows) would have injected the malware as a software build dependency, not post-build at the signing stage.

John Brown • March 28, 2019 4:09 PM

I'm really interested in who was the target here.

It's not like Asus are Lenovo, or even Dell or HP.

Would any serious organization actually buy Asus laptops?

John Brown • March 28, 2019 4:13 PM

Ohhhh.. question answered. I didn't realize Asus were Taiwanese. This is obviously some sort of Red Chinese operation against the Taiwanese, who might buy Asus hardware even for serious use for purely patriotic reasons.

Nothing wrong with that, but hope they require the company to fix their security issues in future.

POLAR • March 28, 2019 5:48 PM

Mixed thoughts:
1- If some state agency wants to know more about 600 MAC addresses this is none of our business and anyway if they really want them nothing can prevent it. And, if they're doing their homework properly(and why are we doubting it?) then it is a good thing that those MACs are taken care of.
2- Have the MACs been published? Are they single MACs or across a range?
3- Certificates give a false sense of security
4- From an entrepreneur POV, I like spies to spy. It's their job. If they are doing their job, well that is great.

65535 • March 28, 2019 10:51 PM

@ legal experts

Points to the ccleaner malware, the shadowpad malware and now Asus Shadow hammer malware and to court document where Microsoft is suing Barium a player in the malware game. Kaspersky hints that the true identity of one individual has been revealed in that court document.

Can some legal person find who is actually named in the case which venue is the Virginia Fort Meade area?

SecureList https://securelist.com/operation-shadowhammer/89992/
=> Microsoft court document =>

https://www.courthousenews.com/wp-content/uploads/2017/11/barium.pdf

Can anybody identify the barium guy?

1&1~=Umm • March 28, 2019 11:14 PM

@65535:

"Can some legal person find who is actually named in the case which venue is the Virginia Fort Meade area."

Fort Meade area... Now who do we normally associate with that geography ;-)

They do say 'acorns don't fall far from the tree'...

This might start a rumour or ten 0:)

1&1~=Umm • March 29, 2019 12:17 AM

@65535:

The Microsoft court submission is well worth reading as it actually gives a nice description of how the Barium persons go about their activities.

Interestingly is the use of a 'headless C&C' technique (see paragraph 29 onwards) using blogs etc that was first publicly described in almost exactly the same way on this blog some years ago now. So one or more of the Barium individuals might well be readers of this blog.

In which case 'Hi guys, how are your collars feeling a little hot and tight?'

Microsoft appear to believe that the targets for their activities are mainly in the Virginia area. Also one of the code break downs of the malware indicates that if the language on the computer is either Russian or Chinese it stops dead at that simple first check.

But Microsoft either don't know the warm body names of the two people they think they have found behind Barium or they are being a little cautious.

That said in other unrelated cases Brian Krebs has not just found warm bodies on less info in the past, he's actually found their real phone numbers and called them, so it's likely these Barium guys are as traceable with a little bit of investigation. That is unless their OpSec has been better than professional.

Anyway it's 'turning in time' the brain is getting tired I'll have a further look over things when I get up to greet the cold light of day ;-)

Robert • March 29, 2019 4:01 AM

@1&1 wrote, "But for others, for goodness sake do not take your main laptop phone etc abroad with you, it's an APT risk to far for any sensible person to do these days."

Are you not mistaken thanks to Prez. Obama all Americans were already mandated to disclose personal data to foreign governments. A couple MAC numbers shy in comparison.

Petre Peter • March 29, 2019 7:09 AM

What could I possibly do with a version of Live Update besides installing it?

wumpus • March 29, 2019 9:06 AM

@1&1~=Umm

1, Private Key was stolen.
2, Private Key was remade.
3, Some form of collision was found.
****
4, Social engineering was used to convince a third party that the attacker's public key was legitimate.

The fourth option is trivial for many intelligence agencies, especially when the third party has to deal with their jurisdiction. However, Kevin Mitnick has convincingly shown that this attack can often be pulled off by a single talented individual.

There's a whole long chain of trust here, and plenty of them are pretty weak. Don't assume that a collision was made when rubber hose cryptography would work much easier (or more likely social engineering).

1&1~=Umm • March 29, 2019 11:02 AM

@wumpus:

"There's a whole long chain of trust here, and plenty of them are pretty weak. Don't assume that a collision was made when rubber hose cryptography would work much easier (or more likely social engineering)."

In the general case I'd agree with you.

But in this case some are claiming a million users were affected all over the globe, I can not see how they were socially engineered in this case.

However yes people at the development end could have been hoodwinked or coerced in various ways to hand over either the private key or access to it. But I kind of see that as 'part and parcel' of the trade of theft / stealing. Frequently insiders are turned by blackmail or having members of their family threatened in various ways, along with 'doing a friend a favour' or being 'given a drink'.

The smarter criminals learned long ago --unlike many others-- that as a method of obtaining information, goods, or services, physical torture of an individual was not as successful and far riskier than threatening to do it to somebody's loved one. That is you make the individual's mind turn on themselves through their imagination. Essentially it's how the protection racket works, actually hurting people is reserved for those who either lack imagination or for some reason don't care and of these about one in six are likely to repay the favor ten or twenty fold which is one of the ways in which we end up with street gang warfare and injured bystanders. Which is bad for business which is why the smarter criminals tend to be more wary of using violence than others, and when they do, they tend not to leave those who might seek revenge behind. Which is why there are actually gangland 'hit men' / 'mechanics' actively employed, the less smart of whom tend to get caught. As has been pointed out killing people is easy but stupid unless you have meticulously planned how to stop enquiries by the authorities or those left behind being made.

Similar issues arise with recruiting and using insiders as the Greek Phone Tapping scandal made clear.

Peter Gerdes • March 29, 2019 12:50 PM

I wonder if it might be desirable to establish a number of trusted platforms for hosting the hashes of software updates so that software update tools can download the hash from a number of platforms and ensure they all agree as well as agreeing with the actual update.

This would substantially reduce the risk of undetected software update attacks since it would force the malicious code to be contained in all versions of the update increasing the chances that security researchers would discover it.
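The client-side check proposed in the comment above, as an added example (not part of the comment and not any vendor's updater): the update is accepted only if enough independent platforms answered, all of their published digests agree, and the downloaded bytes match that digest. SHA-256, the platform names, the minimum of three sources and the sample payloads are assumptions made for the illustration.

```python
"""Accept an update only when independent hash platforms agree with each other and with the file."""
import hashlib
import hmac
from collections import Counter
from typing import Mapping, Optional

HEX = set("0123456789abcdef")


def normalise(digest: str) -> str:
    """Canonical form of a published SHA-256 hex digest; reject anything else."""
    d = digest.strip().lower()
    if len(d) != 64 or not set(d) <= HEX:
        raise ValueError("not a SHA-256 hex digest")
    return d


def check_update(update: bytes,
                 answers: Mapping[str, Optional[str]],
                 min_sources: int = 3) -> tuple:
    """answers maps platform name -> published digest, or None if unreachable.

    Returns (accepted, reason). Every failure path rejects the update.
    """
    digests = {}
    for source, raw in answers.items():
        if raw is None:
            continue  # unreachable platform: counts against the quorum below
        try:
            digests[source] = normalise(raw)
        except ValueError:
            return False, f"malformed digest from {source}"

    # Fail closed: an attacker who can block platforms must not lower the bar.
    if len(digests) < min_sources:
        return False, f"only {len(digests)} of {min_sources} required sources answered"

    counts = Counter(digests.values())
    if len(counts) > 1:
        majority, _ = counts.most_common(1)[0]
        dissent = sorted(s for s, d in digests.items() if d != majority)
        return False, "sources disagree: " + ", ".join(dissent)

    published = next(iter(counts))
    actual = hashlib.sha256(update).hexdigest()
    if not hmac.compare_digest(actual, published):
        return False, "update does not match the published digest"
    return True, f"{len(digests)} sources agree with the update"


def scenarios() -> dict:
    """Constructed cases: clean release, swapped download, one altered platform, outage."""
    genuine = b"constructed genuine update payload"
    trojanized = b"constructed trojanized update payload"
    good = hashlib.sha256(genuine).hexdigest()
    bad = hashlib.sha256(trojanized).hexdigest()
    # platform-b publishes the same digest in a different textual form.
    agree = {"platform-a": good, "platform-b": good.upper() + "\n", "platform-c": good}
    return {
        "clean": check_update(genuine, agree),
        "swapped download": check_update(trojanized, agree),
        "one platform altered": check_update(genuine, {**agree, "platform-b": bad}),
        "platform down": check_update(genuine, {**agree, "platform-c": None}),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in scenarios().items():
        print(f"{name:22} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The "swapped download" case is the one that matters for an incident like this: a file replaced on the vendor's own server fails the check as long as the independent platforms still carry the digest of the genuine release.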

Denton Scratch • March 30, 2019 8:26 AM

@Tatutata (give or take an umlaut)

"How did the attacker select the MAC addresses? By running malware on the ASUS update server, and finding out who came to the watering hole that met the criteria?"

No.

MAC addresses don't generally propagate over IP; the Asus update server doesn't see the visitor's MAC address.

Broadly speaking, you need to have hands on the machine whose MAC address you want, or be able to connect to it over ethernet (MAC addresses are used exclusively in the ethernet protocol). At risk of pointing out the obvious, ethernet is a LAN protocol. So you can't just hoover up the MAC addresses of all those visiting your website.

So whoever targeted those MACs had either laid hands on the corresponding PCs (e.g. border agents); or they had local access to the PC in question (perhaps via some kind of trojan or 'implant'); or they had local (or equivalent) access to another machine on the same LAN (perhaps by infiltrating that LAN).

Denton Scratch • March 30, 2019 11:39 AM

To be clear: my supposition is that the MACs were collected from a single LAN, or perhaps a group of related LANs, by an intruder. I would like to know what the investigators know about the MAC addresses in question; there is no comment on this from the authors or from Kaspersky.

If the MACs represent a commercial or government entity, then there is a good chance that the network adapters were made by the same manufacturer - with the result that the default MAC address of many of those adapters will share the same prefix.

Have the owners of these LANs been notified? Or even identified?

I suspect that quite a lot of information about this story has been kept under wraps.

1&1~=Umm • March 30, 2019 12:44 PM

@Denton Scratch @Tatütata:

"So whoever targeted those MACs had either laid hands on the corresponding PCs"

There are potentially other ways.

You could also get them from hotels and conferences etc where your target 'uses the WiFi', it's not exactly difficult to turn an Android Mobile Phone into a WiFi sniffer. You could also just act as an AP with an Android phone without any modification so you could just walk up and sit at the same table with your phone in your top pocket...

Also there are less obvious ways favoured by various ICs so either 'hands on' in the supply chain or 'access to records' from the supply chain may well work.

Because MACs are --allegedly-- unique, they do get used from time to time as 'serial numbers' in software and the like (stupid I know but then anything to save 0.01cents in FMCE design).

But getting access to corporate LANs may not be as difficult as it sounds. Remember those Russians that got the order of the boot for activities incompatible with diplomatic behaviour?

They were set up to go WiFi sniffing from a hotel car park to a target organisation. It's altogether possible there has been a 'drive by' passive sniff of traffic from a commercial site and the WiFi MACs are what are in the file.

The thing that a lot of people either do not know or have forgotten is MACs are like ISBNs not only are they effectively unique, they get issued in blocks or ranges, thus the first digits are in effect a 'Manufacturers Code' and due to the way things get manufactured other digits may end up being the equivalent of a 'model number'.

If the MACs were obtained from a 'drive by' it's also possible that this attack against Asus is not unique and other manufacturers' support sites have also been attacked in the same way...

RachEl • March 30, 2019 11:48 PM

Tatütata
OK, now we know that the malware was written by a 100€ rent-a-coder. :-)

See! Code cutters CAN be professionals :-)


65535 • March 31, 2019 12:00 AM

@ 1&1~=Umm and Denton Scratch

"They do say 'acorns don't fall far from the tree'...Microsoft either don't know the warm body names of the two people they think they have found behind Barium or they are being a little cautious."

Yes, that makes me wonder.

As for the Russian and the Chinese - it is always them.

As for the MAC targeting that is very interesting.

"I suspect that quite a lot of information about this story has been kept under wraps."-Dent

Yes, that is my reading of the situation. That also makes me wonder.

Rach El • March 31, 2019 1:59 AM

65535
I wonder if MAC spoofing would circumvent the malware, or whether it is sufficiently sophisticated to seek out the hardcoded original MAC of the hardware. As I believe has already been mentioned, 600 is such a tiny number. It is so specific!

1&1~=Umm • March 31, 2019 4:30 AM

@65535:

"As for the Russian and the Chinese - it is always them."

Of course not, nor is it just the US 'Evil Axis of Four' which adds Iran and North Korea, they are all 'distant bogeymen whose faces the people will never see, and whose voices will never be heard' so convenient as 'whipping boys'.

Why? Because we actually know that any and every Nation State with the ability to do it 'are doing it' and even those without the native ability are 'buying it in' or in effect 'outsourcing it'. Because if they were not there would not be so many private companies making very large amounts of money from packaging up exploits and back end big data systems for them. As somebody used to point out here about the US and the 'Evil Axis of four', 'logically it does not make sense', thus is either highly improbable or effectively in human terms impossible.

But if you agree or not with the further 'Orwellian 1984' premise that 'Every great state requires a distant enemy for the people to focus on' as a way to stop them 'focusing on their state and its failings towards them'. The US administrations 'Evil Axis of four' is unquestionably a cynically motivated political driven narrative, meant as a diversion from the real state of things... Such behaviour, would more properly be called propaganda, if the US Government was legally allowed to use it. But supposedly they are not, so instead we could use a nu-speak name of 'Fake-News', or should it be 'Real-News' (with the unwritten tag line of 'We know it's Real because we reboil it fresh every day for you to consume').

As for 'keeping it under wraps' I doubt we will ever know the truth. If things can be made out to be 'A distant enemy' then indictments can be issued, Grand Juries held, and a ham sandwich can be tried in absentia, massive fines levied, and thus sanctions issued. All like a well oiled machine unless like a group of Russians you instruct US lawyers to contest the indictments from day one...

1&1~=Umm • March 31, 2019 5:10 AM

@Rach El:

"I wonder if MAC spoofing would circumvent the malware, or whether it is sufficiently sophisticated to seek out the hardcoded original MAC of the hardware."

The reason I said 'MACs are --allegedly-- unique' is that back a long time ago with the NE2000 cheapnet ethernet card, hardware manufacturers started using 'Electrically Erasable Programmable Read Only Memory' (EEPROM) that we now call 'Flash' memory to store the MAC in, so there is not actually a 'hardcoded original MAC' any more, which is why it's daft to use it with the likes of Radius etc as an authentication method.

So yes not just run time spoofing will work but with the right bit of code the Flash can be changed as well (failing that at one time a hardware 'chip clamp' and change it electrically, if the Flash is a separate chip, which in these days of SoCs is less likely).

What people tend to forget in this day and age of security vulnerabilities is that 'knowing a number' is not a way to authenticate. Likewise 'using a secret number' is no better when people have access to the hardware. For two reasons,

1, Layers of software.
2, Manufacturing returns.

There are so many layers of software between the 'number' and the interface over which authentication happens that it's not possible to check and verify on a remote machine, because it can be programmed to lie (look up 'Gödel Machines').

The profit in 'Fast Moving Consumer Electronics' (FMCE) is quite small (to non-existent with IoT). The cost of a 'return for repair' is eyewateringly expensive when compared to that of the distribution cost. Therefore anything and everything that can be done remotely across a near zero cost to transfer information network is going to be done. This in effect means 'full mutability' even in the CPU. As long as things are mutable someone is going to change them, as that is the nature of the human condition. No matter what security you put in place on the hardware, someone will work out how to get around it, again it's part of the human condition.

Any one who ignores those two facts is in for a rude shock as the 'Cable and Satellite set top box' manufacturers found out over and over again.

65535 • March 31, 2019 3:39 PM

@ Rach El and 1&1~=Umm

“I believe has already been mentioned, 600 is such a tiny number. It is so specific!”

Yes, I agree. That sounds like a targeted attack. Given the next post…it makes me wonder.

“As for 'keeping it under wraps' I doubt we will ever know the truth.” -1&1~=Umm

That usually takes a large amount of power and machinery in the States – with all the leaks… Snowden and so on. But, NSLs are a powerful tool.

Sure, any truly well financed and focused nation or group could have done it. We will have to wait and see.

1&1~=Umm • March 31, 2019 10:00 PM

@65535 @Rach El:

"Sure, any truly well financed and focused nation or group could have done it."

But 'the law of the acorn' like Occam's Razor is most often a good indicator, as is the old saying about 'a dog and its vomit' or 'criminals and the scene of the crime'.

So yup if I had to make a small wager, 'nation state' and one that's been caught 'red handed' tampering with not just the 'supply chain' but also 'code signing'. Which kind of indicates the US IC.

But it would only be a small wager, because in the hall of 'smoke and mirrors' that is 'The Great Game' play room that even Kipling noticed, like many children they also like to play 'follow my leader' and 'Simon Says' (which is also what the banks did that got us into 'Banking Crisis One' and 'Banking Crisis Two').

Josh • April 1, 2019 3:58 AM

"MAC addresses don't generally propagate over IP; the Asus update server doesn't see the visitor's MAC address. "

I'm not quite so sure that MAC don't propagate over IP.

citizen0 • April 1, 2019 9:28 PM

"supply chain security is "an incredibly complex problem.""

Why?

It seems to me the answer is simple: Corporations need to stop using minimal security to save $$, or be held financially accountable when they don't.

Every time we see major corporations being hacked, there's a rush of people saying "security is hard" but when the next attack occurs, it seems as if they've attempted nothing to abate it.

Questions nobody is asking:

1. How did hackers upload the trojan to the update server?
2. WHY was the update server not made read-only on the public side?
3. WHY doesn't ASUS have the ability to check any new files added to their servers with a hash table to see if it is one of their own?

All these corporate hacks make me think of a person who, in order to save money, decided to only put screen doors on their house instead of lock-and-key doors. Then they wonder why they keep getting robbed.

1&1~=Umm • April 2, 2019 5:13 AM

@:

"Why?"

Simple answer, is if the NSA with one of the largest budgets in the world can not get it right, how much do you think it would cost consumers for all companies to get it right?

Yup economic activity as we currently know it would cease to exist and apart from security work as guard labour so would most jobs.

With regards,

"Questions nobody is asking:"

Some of them have been asked before, in fact years before. I used to advise clients that web sites should where possible be static and read only or deploy a checking method as I described above,

"'In essence a copy of the files in genuine Read Only Format needs to be put on an effectively hidden computer. It either pulls the files on the public server down to check them every half hour or so. Or it's a little more sophisticated and checks the files 'off the wire' as users download them. Either way the malware substitute would have been caught very very quickly.'"

But as I noted above it does not solve all of the problems as 'State Level' attackers have shown they have other methods that site owners can do nothing about.

Petre Peter • April 3, 2019 7:44 PM

Updates need to be authenticated, to prevent attackers from tricking you into installing a malicious update.

1&1~=Umm • April 4, 2019 2:40 AM

@Petre Peter:

"Updates need to be authenticated, to prevent attackers from tricking you into installing a malicious update."

The malicious update in this case was authenticated, that's why so many machines accepted the download.

The simple fact is 'code signing' is not a very good way to do such authentication, and it never has been, as people have indicated on this blog and other places in the past decade or so.

For authentication to work it has to be robust in security terms and not subject to numerous 'single points of failure' like having multiple people with access to the 'secret'. Even past US Presidents now long dead knew that ('Three can keep a secret if two of them are dead' - Benjamin Franklin).

Code signing as it is currently used is based on a single 'secret' that for the process to be organisationally robust in human terms 'many have to get access to it'.

So code signing as it's currently used gives you a choice of two alternatives,

1, Be robust as a process.
2, Be robust as an authenticator.

You can't really have both in an organisation, so whatever you implement to try and get both is very likely to fail at both.

The problem is nobody has yet come up with an idea that has been made public that is both organisationally robust and authenticationally robust.

The one thing we do know from other experience in related areas, is that if somebody publishes a new idea to try and cover both bases, then it is likely to be overly complex, thus full of other attack vectors.

So 'Heads you lose, tails they win, and on the edge is not stable'...
