Unsigned firmware in Wi-Fi adapters, USB hubs, trackpads, and cameras used in computers from Lenovo, Dell, HP and other major manufacturers could allow hackers to plant malware on devices that would go undetected by security software, warn security researchers.
Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware, said a report by Eclypsium.
Peripheral devices and accessories often lack the same security best practices that we take for granted in operating systems and in other more visible components, like the UEFI or BIOS.
“Specifically, many peripheral devices do not verify that firmware is properly signed with a high quality public/private key before running the code. This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run,” the report said.
Eclypsium researchers analysed a Lenovo ThinkPad X1 Carbon 6th Gen laptop and found that the Touchpad and TrackPoint use insecure firmware update mechanisms.
“Specifically, cryptographic signature verification was not required at the device level before firmware updates were applied. This lack of control made it possible to modify the firmware images through software to run arbitrary malicious code within these components,” the report said.
Eclypsium researched the firmware updates distributed by HP for the HP Wide Vision FHD camera found in the HP Spectre x360 Convertible 13-ap0xxx laptop.
“We found that the firmware update was unencrypted and lacked authenticity checks. We also found that the firmware could be modified to alter USB descriptors using the HP-provided update tool,” they said.
Researchers added that unsigned firmware in peripheral devices remains a highly overlooked aspect of cyber-security.
“Given the widespread nature of unsigned firmware, enterprises should scan their devices for any vulnerable components, and should assess the firmware posture of new devices during procurement,” the report warned.
Because device firmware executes before the operating system starts, the protections offered by anti-malware solutions are rendered ineffective: malicious firmware can behave in ways that lead anti-malware to believe there is nothing wrong with the computer system, said Tim Mackey, senior principal consultant at the Synopsys CyRC (Cybersecurity Research Centre).
“In the end, consumers of any software, whether a packaged commercial one, IoT firmware, computer drivers, or open source solutions, should first directly contact the supplier of their software for any updates or patches. While it might be convenient to apply a patch following an internet search, the reality is that third-party repositories could easily host malicious versions of software. This is why the first principle of patch management is to know where the software came from as that’s where any patches need to also originate,” he told SC Media UK.
Michael Barragry, operations lead at edgescan, noted that it seems a bit strange that software signing has become a modern standard when it comes to various programs and executables in general, whereas it has apparently been ignored for firmware on a massive scale. The practice of software signing ensures that an end-user can verify that what they are downloading is from a trusted source and has not been tampered with by a malicious actor somewhere along the way.
“Failing to do this for firmware essentially gives a free pass for malicious code to enter your system. Depending on the hardware that falls under the control of the firmware in question, this could lead to a multitude of attacks. Addressing this threat from an industry-wide perspective is not a small task and will require collective effort and cooperation from hardware vendors and OS manufacturers alike,” he told SC Media UK.
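The check that the Eclypsium report says many peripherals omit, and that Barragry notes is standard for ordinary executables, is a signature verification of the whole firmware image against a public key pinned in the device before the update is applied. The following Go program is an added illustration written for this article; it is not code from Eclypsium, Lenovo, HP or any vendor's update tool. It assumes a hypothetical container format (a `FWIM` magic, a 4-byte version, the payload, then a detached Ed25519 signature over everything before it) and hypothetical function names `SignImage` and `VerifyImage`; real device formats differ. It also goes slightly beyond the text by adding an anti-rollback version check, since a verifier that accepts any validly signed image would still allow an attacker to reinstall an older, vulnerable build.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical container layout for this example (not a real vendor format):
//   bytes 0..3   magic "FWIM"
//   bytes 4..7   big-endian version number
//   bytes 8..n   firmware payload
//   last 64      Ed25519 signature over bytes 0..n
var magic = []byte("FWIM")

const headerLen = 8
const sigLen = ed25519.SignatureSize

var (
	ErrFormat    = errors.New("firmware: malformed image")
	ErrSignature = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version older than installed")
)

// SignImage runs on the vendor's build system, the only place the private
// key should exist. The device itself only ever holds the public key.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := &bytes.Buffer{}
	buf.Write(magic)
	_ = binary.Write(buf, binary.BigEndian, version) // bytes.Buffer never fails
	buf.Write(payload)
	sig := ed25519.Sign(priv, buf.Bytes()) // sign header + payload together
	buf.Write(sig)
	return buf.Bytes()
}

// VerifyImage is the device-side gate the report describes as missing:
// nothing is written to flash unless the whole image verifies under the
// pinned key and does not roll back to an older version. It returns the
// version and payload only on success.
func VerifyImage(pub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	if len(image) < headerLen+sigLen || !bytes.Equal(image[:len(magic)], magic) {
		return 0, nil, ErrFormat
	}
	signed, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	// Verify before parsing anything else, so unsigned data never drives logic.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	version := binary.BigEndian.Uint32(signed[4:headerLen])
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, signed[headerLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; a real image would be the controller's code.
	payload := []byte("constructed touchpad controller firmware")
	image := SignImage(priv, 7, payload)

	if v, _, err := VerifyImage(pub, 6, image); err == nil {
		fmt.Println("genuine image accepted, version", v)
	}
	// One flipped payload byte must fail, which is exactly what an unsigned
	// update path cannot detect.
	tampered := append([]byte(nil), image...)
	tampered[headerLen] ^= 0x01
	_, _, err = VerifyImage(pub, 6, tampered)
	fmt.Println("tampered image:", err)
	_, _, err = VerifyImage(pub, 8, image)
	fmt.Println("older version:", err)
}
```

The ordering matters: the signature is checked over the raw bytes before the version field or payload is interpreted, so a malformed or attacker-controlled header never influences the update logic. The public key must be stored where the running firmware cannot overwrite it (OTP fuses or a read-only region), otherwise an attacker who gets one unsigned image in can simply replace the key.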