Enterprise security company Eclypsium is warning of the dangers from unsigned firmware inside devices from desktops to laptops. The details are contained in a report entitled Perilous Peripherals: The Hidden Dangers Inside Windows and Linux Computers.
In the report the researchers write: “Eclypsium found unsigned firmware in WiFi adapters, USB hubs, trackpads, and cameras used in computers from Lenovo, Dell, HP and other major manufacturers. We then demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers.”
In addition to the report, the researchers have produced a short video showing how an attack would work. The implications are severe. It allows an attacker to intercept, change and redirect network traffic. It also allows the attackers to hide from many security tools, because the malicious code lives in the device firmware, which most security software does not scan.
In addition, the code is persistent. This means it survives any reset of the infected device. As a result, most organisations' incident response plans would fail, because they rely on wiping or replacing hard drives and restoring clean versions of data. If the infection sits below this, in the hardware itself, the attackers can relaunch their attack over and over again.
Firmware from multiple manufacturers failed the Eclypsium tests
This is not just an attack on a single hardware or peripheral vendor. Eclypsium tested against multiple vendors' computers and devices, including trackpads, built-in cameras, Wi-Fi adapters and USB hubs.
They also tested across multiple operating systems. This is important as it demonstrates that it is not just the driver model used by one OS or version of an OS that is at risk. The problem is wider and more endemic across the IT industry.
One of the root causes here is the failure to sign code. While this attack calls out firmware vendors, code-signing has been an issue for decades. It is a regular topic at developer and security conferences. Now we are seeing how the lack of its use has a much wider impact than the software running on a local computer.
Will signing code really work?
Yes it does and there is ample evidence of this. A few years ago, Kaspersky researchers revealed the existence of the Equation Group, an organisation it claimed was linked to the US National Security Agency. It was using a piece of software that enabled the group to reprogram hard disk drives.
The result was that storage manufacturers responded by signing their code to prevent attacks in their firmware. Since then, however, there has been little action taken to secure the firmware inside devices. Given the increasing rate of infections of devices, often through unknown causes, it is hard to understand why the industry has not addressed this issue.
Matthew Twells, Head Writer at Comfortably Dumb and Penetration Tester commented: “The use of a strong cryptographically generated keypair is massively important to prevent pre-booting attacks such as firmware flashing. Vulnerabilities like this have been found in a lot of embedded systems, even some voting machines, so it is an important vector to consider when securing embedded systems. This prevents malicious threat actors from crafting custom firmware images and replacing your configuration with their own to steal data.”
Twells’ comment about voting machines is particularly relevant. The United States will elect a new president this year while over 30 other countries have national elections. It will be interesting to see if firmware signing is made a requirement for all those using electronic voting machines.
What CVEs and patches are available to mitigate this?
Enterprise Times asked Eclypsium if it was aware of any CVEs and patches issued by vendors to mitigate this situation.
It replied: Eclypsium researchers notified HP of the webcam firmware vulnerability on August 4th, 2019. Additionally, we notified Lenovo of the touchpad/trackpoint vulnerability on Lenovo on June 13, 2019. We expect some vendors will issue CVEs, but none have as of yet.
For these peripherals, the OEMs (HP and Lenovo) have to work with their suppliers to develop fixes. From what we’ve seen, most of these existing components were initially designed to have unsigned firmware, making them inherently vulnerable. Our interactions with these OEMs lead us to expect that future systems will have firmware update authentication requirements built in.
We also reported the WiFi issue to both Qualcomm, who provides the chipset and driver for the Killer Wireless card and to Microsoft, who checks that such drivers are signed. Qualcomm responded that their chipset is subordinate to the processor, and that the software running on the CPU is expected to take responsibility for validating firmware. They stated that there was no plan to add signature verification for these chips. However, Microsoft responded that it was up to the device vendor to verify firmware that is loaded into the device.
ET also asked how many machines Eclypsium believes are affected.
It replied: It is safe to assume that tens of millions, if not hundreds of millions, of systems have these specific unsigned firmware components. For example, annual server shipments are around 12 million and annual laptops are approximately 200m. While the specific vulnerabilities identified in this report only affect a portion of all shipped systems, unsigned firmware components are prevalent within the industry and we have yet to find a system that does not include such components.
Enterprise Times: What does this mean?
While Eclypsium has called out computers, the problem is far more pervasive than computer systems. The insecure nature of many IoT devices means that they are equally, if not more at risk than computers. As Jason Zander, Executive Vice President, Microsoft Azure pointed out in a podcast, we are moving to a world where we embed more and more software in hardware. If that hardware remains as insecure as that discovered by Eclypsium, the industry is setting itself up for failure.
As governments begin to set stricter security requirements on device manufacturers, will we see them look at areas such as code signing? It is entirely possible. The risks from autonomous vehicles are significant. The auto industry is currently working through its plans for security inside autonomous vehicles. What it hasn't done is require code signing of all firmware, including that from third-party and aftermarket parts. Will it now rethink that?
Firmware is often forgotten when it comes to computer security because it is below the radar of most people. In addition, when it comes to things like network adapters, very few operations teams patch or update firmware unless there is a highly compelling need. They are generally too busy patching software to find time to extend that to the firmware.
The hope is that this report acts as a wake-up call similar to that of the Kaspersky report on the Equation Group. For now, don't hold your breath. The best you can do is look at the hardware inside your enterprise and pressure suppliers to act.