Our Pwn2Own journey against time and randomness (part 2)

We discussed this vulnerability during Episode 223 on 13 November 2023

Just a somewhat common and vulnerable use a cryptography. The signature of a firmware was not truly a signature but a hash of the content + a secret key, as the binary code that verifies the firmware is present on the device the “secret” key used is not kept secret and one could create their own firmware that would pass the signature check but contain arbitrary content. We covered this post on our bounty-hunting episode, and while few bounty hunters are looking at firmwares, this sort of crypto issue appears all over the place. Developers sometimes see crypto as something they can kinda just sprinkle into their applications, without necessarily understanding the nuances of the different options, we’ve definitely seen similar hashes appear on the web for integrity checks before.