top | item 39472977

controversial97 | 2 years ago

This reminds me of a thing from a few years ago; my vague memory is that it was by Travis Goodspeed.

A smart TV would accept a firmware update from a file on a standard USB stick.

The TV reads the file start to finish to check the digital signature then reads it again to update.

A device that is pretending to be a USB storage device can send a manufacturer firmware file the first time then send your unofficial firmware after.

zrail | 2 years ago

Nice. This is a class of error with the delightful acronym TOCTOU (Time of Check to Time of Use) which is present in an astonishing number of places.

https://en.m.wikipedia.org/wiki/Time-of-check_to_time-of-use

TeMPOraL | 2 years ago

No surprise, those are near-impossible to avoid. I mean, a simple:

  if(check(resource)) {
    use(resource);
  }
is already vulnerable, unless you somehow make the entire piece of code run atomically.
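To make the race in the original post and in the check/use snippet above concrete, here is an added simulation (not code from anyone in the thread). It models a storage device that serves an official image on the first read and a different one on later reads, and compares an updater that reads the file twice against one that verifies and flashes the same in-memory copy. The HMAC "signature", the key and both images are constructed stand-ins for the vendor's real signature scheme.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the vendor's signing key. A real TV would check an
# asymmetric signature, but the check/use race is the same for any scheme.
VENDOR_KEY = b"constructed-demo-key"
OFFICIAL = b"official firmware image (constructed sample)"
UNOFFICIAL = b"unofficial firmware image (constructed sample)"


def sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(image), sig)


class SwitchingUsbStick:
    """Serves `first` on the first read of the file and `later` on every
    subsequent read, as the device in the thread is described to do."""

    def __init__(self, first: bytes, later: bytes) -> None:
        self._images = [first, later]
        self.reads = 0

    def read_file(self) -> bytes:
        image = self._images[min(self.reads, 1)]
        self.reads += 1
        return image


def vulnerable_update(stick: SwitchingUsbStick, sig: bytes) -> Optional[bytes]:
    """Reads the file to check the signature, then reads it again to flash.
    Returns the image that would be flashed, or None if rejected."""
    if not verify(stick.read_file(), sig):  # time of check: first read
        return None
    return stick.read_file()  # time of use: a second, unchecked read


def hardened_update(stick: SwitchingUsbStick, sig: bytes) -> Optional[bytes]:
    """Reads the file once, verifies that copy, and flashes the same bytes,
    so nothing can change between the check and the use."""
    image = stick.read_file()
    if not verify(image, sig):
        return None
    return image
```

With the official signature, `vulnerable_update` ends up flashing the unofficial image while `hardened_update` flashes the verified one. On a device that cannot hold the whole image in RAM, the equivalent fix is to hash the bytes as they are streamed into the staging area and compare before committing, rather than re-reading from the removable medium.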

hypercube33 | 2 years ago

Correct me if I'm wrong, but I think that's how Game Boy carts show custom logos bypassing the Nintendo copyright check thing - one logo to pass the internal check and another for display.