Researchers have discovered multiple instances of unsigned firmware in computer peripherals that can be used by malicious actors to attack laptops and servers running Windows and Linux.
The Eclypsium researchers were able to find unsigned firmware in WiFi adapters, USB hubs, trackpads, and cameras that are actively used with computers from Dell, HP, Lenovo, and other major manufacturers according to a report shared with BleepingComputer last week.
This is a big problem since millions of such devices are directly exposed to attacks designed to abuse this flaw to harvest and exfiltrate the users’ sensitive information, to trigger denial-of-service states, and infect them with various malware strains such as ransomware.
Attacks abusing firmware flaws have previously used the firmware flasher modules in Equation Group’s EquationDrug and GrayFish espionage platforms since at least 2010 to replace a device’s legitimate firmware with a malicious one containing malicious payloads flashed on the spot.
Vulnerable trackpads, cameras, Wi-Fi adapters, and USB hubs
Attackers can take advantage of unsigned firmware in several ways depending on the component they manage to compromise by abusing this flaw.
In the case of network adapters, they can capture or alter the network traffic, while PCI devices would enable them to steal information and even take over the system via Direct Memory Access (DMA) attacks.
On the other hand, by taking full control over a target’s camera should allow them to start capturing video and audio content from their surroundings while abusing the firmware of a hard drive connected to their computer makes it possible to drop malicious tools and run malicious code that would completely escape operating system security checks.
“However, the overall issue remains the same. If a component doesn’t require signed firmware, an attacker can easily gain control over the component, typically without the need for special privileges,” the report says.
Below you can find a few examples of insecure firmware Eclipsium researchers were able to discover in various peripherals:
• Touchpad and TrackPoint Firmware in Lenovo ThinkPad X1 Carbon 6th Gen laptop: firmware update with no cryptographic signature checks.
• HP Wide Vision FHD Camera Firmware in HP Spectre x360 Convertible 13-ap0xxx laptop: unencrypted firmware update with no auth checks.
• WiFi Adapter on Dell XPS 15 9560 a laptop: modified firmware still successfully loads despite Windows 10 signing checks.
• USB Hub firmware: VLI USB Hub firmware for Linux is unsigned.
The researchers said that even though they tested a specific device for each particular peripheral, “other models and even other vendors would have the same issues.”
“Lenovo has indicated that the ODM does not have a mechanism to fix this in the current generation of the product,” while “HP has indicated that they are working on a firmware update and that upcoming camera generations will have signed firmware in future models.”
In the case of the Dell XPS laptop, there is no clear answer who is responsible for making sure that the driver and firmware are properly signed since Qualcomm — the chipset maker and driver developer — said that this should be Microsoft’s responsibility and that no signature verification for these chips is planned.
Microsoft replied saying that the device vendor should be the one to block malicious firmware from being loaded on the device.
Intercepting BMC traffic
As part of the research, Eclypsium was also able to demonstrate a successful attack on a server with a network interface card (NIC) using a Broadcom BCM5719 chipset and unsigned firmware, a NIC used by servers from multiple major server manufacturers.
Besides its popularity, the researchers also chose this specific model because it is known as a NIC that doesn’t perform signature checks on the firmware that gets uploaded from the host.
Even though the software on the host wouldn’t be privy to the server’s baseboard management controller (BMC) traffic, Eclypsium was able to load their own modified firmware “into the NIC in a system where the BMC is configured to share the NIC with the host.”
This allowed them to analyze MC network packet contents, a capability that can be used by malware for spying purposes or for altering BMC traffic in real-time.
“This could also be used to block alerts sent from the BMC to a central logging server, selectively redirect them to a different server, copy and send traffic to a remote location for analysis, as well as make outgoing network connections to a remote command and control server directly from the NIC itself without the host or BMC being aware that any of this is happening,” the report adds.
Also, because the NIC was a PCI-based device, attackers could launch DMA attacks that would enable them to bypass the main CPU and OS to access the system memory directly, stealing information and even taking full control of the compromised server.
Unsigned firmware is an overlooked threat
While Apple’s macOS automatically checks driver packages and firmware for signatures every time they are loaded to prevent attacks that would abuse unsigned firmware, Windows and Linux will only perform signature verification when the firmware or drivers are initially installed.
“Unfortunately, the problems posed by unsigned firmware are not easy to fix. If the component wasn’t designed to check for signed firmware, it often
can’t be fixed with a firmware update,” Eclypsium concludes.
“In many cases, the underlying problem in a device or product line can’t be fixed at all, meaning that all of the devices in that product line will continue to be vulnerable throughout their lifetime.”
All in all, unsigned firmware in various peripheral devices is a big cybersecurity issue and also a commonly overlooked one that could lead to severe security problems including loss of data, integrity, and privacy, as well as help threat actors escalate their privileges and bypass security controls that would otherwise effectively stop their attacks.
“Software and network vulnerabilities are often the more-obvious focus of organizations’ security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device,” TAG Cyber Senior Analyst Katie Teitler said.
“This could lead to implanted backdoors, network traffic sniffing, data exfiltration, and more. Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch. Best practice is to deploy automated scanning for vulnerabilities and misconfigurations at the component level, and continuously monitor for new issues or exploits.”