Reply to post: Re: Downgrade attack?

CTS who? AMD brushes off chipset security bugs with firmware patches

Wayland Bronze badge

Re: Downgrade attack?

Whitepines, that is a good point. People always assume the attack will happen once the machine goes live but tinkering with it before it's delivered would be a powerful attack. We recently had questions about the security of Supermicro machines because they are Chinese. This then changed into someone adding tiny chips to the motherboard. That whole business seemed odd but it did expose the idea that the machines could have been altered on route to the customer.

I think proper physical security of the packaging would help but then the route in would be a customs inspection. Just boot the machines to a a USB stick and insert the firmware changes.

I'm not sure how reliable that would be as a compromise since most people grab the latest firmware before installing the OS. I'm not sure if microcode stays in the CPU or is loaded at boot time. It's obviously the sort of thing very security conscious people would know to check and ordinary computer builders would never think of.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2019