Computer Peripheral Manufacturers Come Under The Scanner For Using Unsigned Firmware
- These peripherals are actively used with computers made by Lenovo, HP, Dell, and other manufacturers.
- After the disclosure, many HDD and SSD vendors made changes to ensure their components would only accept valid firmware.
Failing to adopt signed firmware for computer peripherals has put millions of Windows and Linux systems at risk. New research has revealed that unsigned firmware used in WiFi adapters, USB hubs, trackpads, laptop cameras, and network interface cards can be abused to compromise computers and servers.
These peripherals are actively used with computers from Lenovo, HP, Dell, and other manufacturers.
Examples of insecure firmware
Researchers from Eclypsium analyzed a couple of devices using insecure firmware. This included touchpad and TrackPoint firmware in Lenovo laptops, HP Wide Vision FHD camera firmware in HP laptops, WiFi adapter on Dell XPS laptop, and VLI USB Hub firmware.
Though the ways to abuse the firmware varied from component to component, the final result could allow an attacker to sniff, copy, redirect or alter traffic, launch man-in-the-middle attacks and more.
“PCI-based devices could enable Direct Memory Access (DMA) attacks that could easily steal data or take full control of the victim system. Cameras could be used to capture data from the user’s environment, while a compromised hard drive could allow the attacker to hide code and tools without being seen by the operating system. However, the overall issue remains the same,” said researchers in a blog post.
Firmware attack demonstration
Researchers demonstrated the attack through an unsigned firmware in the Broadcom BCM5719 (NIC) chipset. They highlighted that a malicious attack on a NIC can have a profound impact on the server.
This could lead to “compromising the operating system remotely, providing a remote backdoor, snooping and exfiltrating raw network traffic and bypassing operating system firewalls to extract data or deliver ransomware. Such an attack could disconnect a server from a network upon a signal, disrupting connectivity for an entire data center”.
What has been done to address the issue?
After the disclosure, many HDD and SSD vendors made changes to ensure their components would only accept valid firmware. However, there are many that are yet to follow the routine of using signed firmware.
Meanwhile, researchers have noted that in many cases, the underlying problem in a device or product line cannot be fixed at all. This indicates that all of the devices in that product line will continue to be vulnerable throughout the lifetime.