Posted by: Ken Harthun
My May 29th post, “Phlashing Attack Can Damage Systems Beyond Repair,” generated some attention from Hewlett-Packard’s PR department. Depending on how you read it, my article could be interpreted to imply that their Integrated Lights Out (iLO) embedded remote management interface may be vulnerable to the PhlashDance attack. It wasn’t my intention to imply this and I am convinced that iLO is secure.
After having had a cordial conversation with Doug Hascall, Manager, iLO firmware, Industry Standard Servers, Hewlett-Packard, I agreed to post details about iLO’s security. Here is Doug’s email responding to my article:
I enjoyed our conversation yesterday regarding the security of iLO and the phlash attack referenced by my colleague Richard Smith. As I mentioned on the phone, we take the security of iLO and our HP servers very seriously. This note is to share some of the information we discussed regarding iLO’s flash security.
iLO firmware employs the following flash protections:
* iLO firmware images are digitally signed with a 1024-bit RSA public/private key.
* The digital signature is checked before allowing a firmware update process to continue.
* The digital signature is checked by the iLO boot block every time iLO comes out of reset.
* The iLO boot block can only be flashed by physically changing a switch setting inside the server.
* Flashing the iLO firmware remotely requires login authentication and authorization, including optional two-factor authentication.
* The iLO firmware image to be flashed is completely uploaded into RAM before reprogramming of the flash device.
All ProLiant iLO firmware releases, from the original version that shipped with the ProLiant DL360 G2 in March 2001, have employed these protections.
I conferred with Rich Smith via e-mail to explain the iLO security architecture and to investigate the possibility of iLO being vulnerable to a Phlashing attack. Rich’s assessment was that iLO firmware and its upgradeability appear to have been designed with security in mind and he does not believe that iLO would be susceptible to a phlash attack or the methods used in the phlashdance fuzzer.
Security is a vitally important topic. I appreciate the attention that the security community brings to this topic and the associated opportunity we have to improve our products.
Manager, iLO Firmware
Industry Standard Servers
This is security done right. Are you listening, Microsoft?
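The update flow listed in the email above (upload the whole image into RAM, check the signature, only then reprogram flash, and re-check at every reset), modeled as an added example. This is not HP's code and not part of the original post; the `Controller` class, the toy RSA key built from two Mersenne primes, and the choice of SHA-256 with PKCS#1 v1.5 padding are assumptions made for illustration.

```python
import hashlib

# Constructed toy key (two Mersenne primes, NOT secure); stands in for a vendor key pair.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the signer
K = (N.bit_length() + 7) // 8          # modulus length in bytes
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(image):
    # EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 DigestInfo || SHA-256(image)
    t = SHA256_INFO + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(image):
    # Signer side (release process), never present on the device.
    return pow(int.from_bytes(_encode(image), "big"), D, N).to_bytes(K, "big")

def verify(image, sig):
    # Device side: needs only the public values N and E.
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return False
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big") == _encode(image)

class Controller:
    """Hypothetical management controller with a RAM staging buffer."""
    def __init__(self, image, sig):
        self.flash = (image, sig)      # what the boot block checks at reset
        self.ram = bytearray()         # staging area for an incoming upload

    def upload(self, chunk):
        self.ram += chunk              # flash is untouched while data arrives

    def commit(self, expected_len, sig):
        image, self.ram = bytes(self.ram), bytearray()
        if len(image) != expected_len or not verify(image, sig):
            return False               # truncated or badly signed: flash unchanged
        self.flash = (image, sig)      # reprogram only after the full check passes
        return True

    def boot_check(self):
        return verify(*self.flash)     # repeated every time the controller resets
```

Because the flash contents change only after a complete, verified image is sitting in RAM, an interrupted or tampered upload leaves the running firmware intact.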