Latest YouTube Video

Saturday, April 21, 2018

[FD] [SE-2011-01] The origin and impact of vulnerabilities in ST chipsets

Hello All, We have published an initial document describing the origin and impact of the vulnerabilities discovered in ST chipsets along some rationale indicating why it's worth to dig further into this case: https://ift.tt/2vt3C6C This document is a work in progress. As such, it will be updated once new information is acquired regarding the impact of the issues found. ST vulnerabilities are still a mystery to many and we keep receiving inquiries about them regardless of the fact that almost 6 years had passed since the disclosure. STMicroelectronics, although out of STB and DVB chipset business, has not provided us with any details regarding the impact of the issues found. We have reasons to believe that vulnerable IP (TKD Crypto core of STi7111 SoC) might be part of other ST chipsets and/or part of other vendors' solutions, not necessarily related to PayTV industry (e-passports, banking cards and SIM cards). We have reasons to believe that ST actions were aimed to hide the impact of the issues found, that company's shareholders were not aware of these vulnerabilities, their impact and associated liabilities. We have reasons to believe that the issues have not been resolved up to this day. In Mar 2018, we asked CERT-FR (French governmental CSIRT) and IT-CERT (CERT Nazionale Italia) for assistance aimed at obtaining information from STMicroelectronics regarding security issues found in their chipsets (ST is a French-Italian company and both French and Italian governments hold 13.8% of its stake each). For some unknown reason, both CERTs have stopped responding to our messages [1]. We are still to hear from US-CERT. Over the last 20+ years, we have been dealing with various vendors and ecosystems (desktop, cloud, mobile, etc.). The case of STMicroelectronics vulnerabilities is however truly unique as we have never met with such a persistent and long-term refusal to provide information pertaining to the impact and addressing of security vulnerabilities found. The usual "crisis management" conducted by vendors for disclosures of high impact flaws involve carefully-worded statements indicating that the issues affect older products only or in case of low / limited impact flaws, a vendor usually publishes a list of vulnerable products to clearly emphasize the low nature of the issues found. ST refusal to provide any information pertaining to the impact of the flaws found in its chipsets can be perceived in terms of intentionally hiding the impact of a much larger magnitude than anticipated by the reporting party, customers or the public. It could be that these actions are aimed at avoiding the liabilities associated with manufacturing flawed products, the costs of their recalls and/or replacements. ST has all the means to end any speculation pertaining to the nature of the issues found in its chipsets and their impact by simply delivering clear impact information to general public (vulnerable chipset models, whether vulnerable IP is used in other products, possible remediation steps, etc). Security Explorations will continue engaging various entities such as US-CERT in a goal to acquire accurate information pertaining to the impact and addressing of ST vulnerabilities. The newly published document and our SE-2011-01 Vendor Status page will reflect any new information acquired and the steps taken to obtain it. We are also ready to release to the public all unpublished bits pertaining to our research of ST chipsets such as SRP-2018-01 [2] material if deemed necessary. Thank you. Best Regards, Adam Gowdiak

Source: Gmail -> IFTTT-> Blogger

No comments: