Researchers from security firm Eclypsium have publicly disclosed that millions of Windows and Linux systems sold by Dell, HP, Lenovo and others are vulnerable to attacks due to the unsigned firmware of peripheral components.
According to the researchers, both vendors and attackers have known about this attack vector since at least 2015; however, the vendors don’t seem in much of a hurry to sign their firmware yet. The unsigned firmware of laptop cameras, network interface cards, trackpads, USB hubs and Wi-Fi adapters is leaving millions of systems vulnerable to both data theft and ransomware.
Dell XPS 15 9560 Wireless Adapter
The researchers found that the firmware of the Dell XPS 15 9560 wireless adapter could be modified in ways that could enable attackers to take over the device. When the researchers contacted Dell, Qualcomm (whose chip powers the wireless adapter) and Microsoft, the three companies seemed to lay the blame on each other.
Qualcomm said the software running on top of the CPU should validate the security of the firmware. Dell said that it’s working with its supplier to understand the impact of the security issue, and Microsoft said that it’s the driver maker that needs to ensure the security of the firmware.
HP Wide-Vision FHD Camera
The researchers found that the firmware updates for the HP Wide-Vision FHD camera inside the HP Spectre X360 13" convertible laptop also lacked encryption and authentication checks. The firmware could also be easily modified using an HP-provided tool.
The good news is that HP told Eclypsium researchers that future camera generations will come with signed firmware. However, they didn’t specify whether or not the firmware updates will also be encrypted. Furthermore, HP basically says that existing cameras and devices will remain vulnerable.
Lenovo ThinkPad Touchpad and Trackpad
The researchers also found a security issue with the touchpad firmware for the Lenovo ThinkPad X1 Carbon 6th Gen laptop -- the firmware for the Synaptics touchpad and Trackpoint didn’t receive encrypted and signed updates.
Lenovo told Eclypsium that it recognizes the problem and that it’s encouraging its suppliers to solve it for future generations.
Stephen Schultis, vice-president in the PC Division at Synaptics, seems to have been more dismissive about the issue, arguing that its firmware doesn’t need cryptographic signing because the code is proprietary. Schultis is implying that because the code is proprietary, it should be difficult for attackers to exploit.
However, the reality is different. Suppliers are already appealing targets for supply chain attacks, a type of attack that has become more common in the past several years, because compromising a single component in a PC means an attacker could take over millions of PCs.
Furthermore, proprietary code has rarely stopped determined attackers, especially when getting access to the firmware is as easy as buying a laptop that has a Synaptics touchpad.
Linux USB Hubs and Broadcom Network Interface Cards
The researchers also looked at the Linux Vendor Firmware Service and discovered unsigned USB hub firmware. They also attacked unsigned firmware for the Broadcom BCM5719 chipset used in many network interface cards (NICs) that come with current-generation servers.
The card is connected to a PCI bus and could enable direct memory access and therefore the complete takeover of the server. Broadcom hasn’t yet made a statement about this issue.
So, Who Needs to Fix the Peripheral Firmware Security?
After all of this research, the Eclypsium researchers were confused as to who even takes responsibility for firmware security, if anyone does at all. However, they don’t believe that the security of the firmware should rest with the driver alone, as a malicious party with privileged access to a machine can easily replace the clean firmware with a malicious one.
Therefore, some other layer of security outside of the driver itself needs to prevent that from happening. We saw recently that attackers have already begun doing this sort of attack because it also bypasses antivirus protections.
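To make the point concrete, here is an added illustration (not Eclypsium's code, nor any vendor's update tool) contrasting the unchecked update path the researchers describe with one that refuses an image whose signature does not verify before anything is written; the container format, the `FWIMG1` magic and the RSA key built from two Mersenne primes are constructed stand-ins, and the signature is textbook RSA over a bare SHA-256 digest, not a production scheme. The check is shown on the host for readability, but the article's argument is that it belongs at a layer the driver cannot bypass, such as the device's own boot ROM.

```python
import hashlib
import struct

# Constructed toy key: two known Mersenne primes stand in for a vendor signing key.
# Raw RSA on a bare digest is used only to keep the demo self-contained.
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q                                   # ~648-bit modulus, larger than a SHA-256 digest
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (vendor side only)
SIG_LEN = 81                                # 648 bits / 8
MAGIC = b"FWIMG1"                           # constructed container magic

def sign_image(payload: bytes) -> bytes:
    """Vendor side: magic || 4-byte length || payload || signature over SHA-256(payload)."""
    digest = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    sig = pow(digest, D, N).to_bytes(SIG_LEN, "big")
    return MAGIC + struct.pack(">I", len(payload)) + payload + sig

def flash_unchecked(image: bytes) -> bytes:
    """Vulnerable update path: whatever bytes the host hands over go onto the device."""
    return image

def flash_verified(image: bytes, pub=(N, E)) -> bytes:
    """Hardened update path: parse the container and verify the signature, or refuse."""
    n, e = pub
    hdr = len(MAGIC) + 4
    if not image.startswith(MAGIC) or len(image) < hdr:
        raise ValueError("not a firmware container")
    (length,) = struct.unpack(">I", image[len(MAGIC):hdr])
    payload, sig = image[hdr:hdr + length], image[hdr + length:]
    if len(payload) != length or len(sig) != SIG_LEN:
        raise ValueError("truncated or malformed image")
    expected = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    if pow(int.from_bytes(sig, "big"), e, n) != expected:
        raise ValueError("signature check failed; refusing to flash")
    return payload                          # only a verified payload reaches the device

def accepts(image: bytes) -> bool:
    """True if the hardened path would flash this image."""
    try:
        flash_verified(image)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    genuine = sign_image(b"GENUINE VENDOR FIRMWARE v1.2")      # constructed sample image
    modified = genuine.replace(b"GENUINE", b"TROJAN.")          # payload bytes patched in place
    print("unchecked path flashes modified image:", flash_unchecked(modified) == modified)
    print("verified path accepts genuine / modified:", accepts(genuine), accepts(modified))
```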
The Eclypsium researchers gave a dire warning as well, saying that this type of attack can’t be easily mitigated by the user, but for now the biggest targets of these attacks will likely be enterprise companies and data centers. The attacks allow data exfiltration and ransomware, making them ideal for use against business computers and servers.