That threw me back in my chair for a second too... then I looked closer and there is a reason they glossed over that part in the talk. Neither of these are really pure privilege escalation, more social engineering. The Windows privilege escalation requires at least user clicking through a UAC prompt, as the signed BIOS modification software would need to be invoked. The Linux privilege escalation requires that amifldrv kernel module be previously installed by super user/root. And, if installed properly, permissions would be set to deny anyway.

Remember to drill through your HDD after each use. 😊

Just zero your ssd and bios. Then reflash, reinstall os and old games from cds, and never connect to the internet.

Wrong. If your PC randomly sleeps, unplug/replug the power cord.

Suddenly feeling vindicated for not trusting sleep states at all for the last 5 years. Between fastboot, Windows fast startup, and sleep states, I had a feeling one of them would have some sort of ACE bug. My work laptop runs Linux so it's not as much of an issue to just shut it down and start it back up when I switch between sites.

@@sovahc true xD it's that last bit where things start to get all weird. "ooh, lemme connect this to an enormous network of computers and just hope there aren't any mischievous folk online." also is it possible to flash the disk with modified firmware, sorta like b/rootkit type thingamabob?

Your lack of understanding does not change the complexity of the world around you. IE. Just because you don't get it doesn't' mean it is not worthwhile.

@@Look_What_You_Did I was thinking in terms of inspiring youngsters to think about how to approach "hacking" philosophically. You don't seriously come here to get serious oh days, do you? Even black hat is losing it's edge thanks to infiltration by gov and corp hacks

​@@Look_What_You_DidA complete lack of understanding probably would make it considerably less interesting, however.

@@Munch473 thanks! After sifting through everything from this year, there's a couple of great ones where the speaker "slipped through the filters". I love talks like Bill Swearingen at Def Con 27. That stuff is useful and in the true spirit of the con IMHO..

Says the idiot who can’t understand the lectures 😂😂

More or less 'yes', and these aren't the first nor last attacks on the ME (from memory I can think of attacks going at least as far back as '09, and that's just what I can remember from the top of my head). It's a sophisticated piece of technical liability, potentially a backdoor (even if not intended to be one) and definitely a hardware level rootkit (again, even if not intended as one). This is one, among many, reasons why I advocate for a RISC architecture without all this extra complexity, I don't really care which one (there are pros and cons to most of them and it's above my paygrade). I have similar opinions about TPM (Trusted Platform Module -- version 2.0 especially but 1.0 as well to an extent), and AMD's equivalent PSP (I don't remember what their acronym stands for), but that's a topic for another time.

For those who did not listen the talk carefully. This is not an ME attack. This is done entirely on a CPU.

That is correct, and worth mentioning since this comment thread is a little bit off-topic.

Intel ME and AMD PSP are even further up the food chain and their inner workings are invisible to code running in SMM. The very first version of SMM was found on the 386, though I doubt that early revision of it is vulnerable to this particular attack method. Unless I'm mistaken though, this can be at least mostly mitigated with a UEFI update.

You never trust a cloud 😶‍🌫

Prove it

Unless your hardware is deep retro, there's UEFI there, just possibly pretending to be a BIOS.

I´ll be deep retro, then. Asus P5K but maxed out. Enough power for what I want and reliable. Hope it never fails...@@jsrodman

​@@LaLaLand.GermanyI'm commenting during the introduction of this talk, but SMM has been supported by x86 processors since the early 1990s. If you go back that far, you'll probably get some security through obscurity, but vendors don't bother writing patches for any security bugs in stuff that old. Anyway, this looks like a local privilege escalation attack. Generally I'd consider a machine compromised by the time that's feasible (unless it's doable from JS, like Spectre was... speaking of which, how are the Meltdown mitigations on your Bearlake processor?) because the attacker generally can do a lot with just normal user permissions on a desktop.

It does.

No, but most servers and consumer machines do...