Researchers at firmware security company Eclypsium on Tuesday released new research that identifies and confirms unsigned firmware in WiFi adapters, USB hubs, trackpads and cameras used in Windows and Linux computer and server products from Lenovo, Dell, HP and other major manufacturers.
Eclypsium also demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers.
The demonstration shows the attack vector that opens up once firmware on any of these components is infected through the issues the report describes. The malware then stays undetected by any software security controls.
Unsigned firmware provides multiple pathways for malicious actors to compromise laptops and servers. That leaves millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware, warned Eclypsium.
Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity. Depending on the capabilities of the component, unsigned firmware can lead to the loss of data, integrity and privacy. It also can allow attackers to gain privileges and hide from traditional security controls, notes the report, titled “Perilous Peripherals: the Hidden Dangers Inside Windows & Linux Computers.”
Software and network vulnerabilities are often the more obvious focus of organizations’ security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device, according to Katie Teitler, senior analyst at TAG Cyber.
“This could lead to implanted back doors, network traffic sniffing, data exfiltration, and more,” she told LinuxInsider.
The “Perilous Peripherals” report is based on original research conducted by members of Eclypsium’s research team. They include principal researchers Rick Altherr, Mickey Shkatov, Jesse Michael and CTO Alex Bazhaniuk.
Work on this research began more than 18 months ago and was completed this February. The study was self-funded by the company, according to Jesse Michael, the report’s principal researcher.
“It is safe to assume that tens of millions — if not hundreds of millions — of systems have these specific unsigned firmware components,” Michael told LinuxInsider.
For example, annual server shipments are around 12 million, and annual laptop shipments number approximately 200 million units. While the specific vulnerabilities identified in this report affect only a portion of all shipped systems, unsigned firmware components are prevalent within the industry, he explained.
“We have yet to find a system that does not include such components,” Michael said.
The problem surrounding unsigned firmware surfaced five years ago. Security researchers found the Equation Group’s HDD implants lurking in the wild. That was a wake-up call introducing the computer industry to the power of firmware hacking and the underlying dangers posed by unsigned firmware in peripheral devices, according to Eclypsium’s report.
There have been pockets of progress in dealing with the problem in recent years. However, much of the industry continues to turn a blind eye to the risks of unsigned firmware, Eclypsium’s research indicates.
In carrying out four separate research projects, Eclypsium’s team found unsigned firmware in WiFi adapters, USB hubs, trackpads and cameras in a variety of enterprise devices. These issues can be devastating to the security and operation of the devices.
“More often than not, [they] are very difficult to fix. Disruption to components such as network cards, drives and other peripherals can completely disable the device or provide attackers with ways to steal data, deliver ransomware and hide from security,” the report states.
These weaknesses are widespread across components in laptops and servers, the new Eclypsium research shows. They offer multiple pathways for malicious attacks.
See Eclypsium’s “Know Your Own Device” resource for an overview of some of the most common firmware-enabled components within devices today.
Slow Response, Few Solutions
Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware. When it comes to security, most of the attention goes to the most visible components of a system, such as the operating system and the applications.
In response to the growing number of threats, many organizations have begun to add firmware to their vulnerability management and threat prevention models. However, these efforts are limited to the system firmware — the UEFI or BIOS resident on the main board of a device, explained Michael.
The lurking danger is underscored because virtually every component within a device has its own firmware and its own potential for risk, he said. That includes network adapters, graphics cards, USB devices, cameras, touchpads and trackpads, and more.
“Unfortunately, this issue will be around for quite a while, and we’ll most likely see improvements in next-gen products. But this will not happen all at once. As an industry, we need to pay more attention to hardware and firmware security,” suggested Michael.
Some OEMs, such as HP and Lenovo, have been quick to acknowledge the problem and begin working on solutions with their device/component manufacturers. Signed firmware protections typically require changes within the hardware as well as the firmware. To do that, they must be introduced in a future device revision or model, he added.
Why the Risk
These internal components in peripheral devices are governed by firmware. The firmware may be burned into the integrated circuit of the device itself. Or the component may have its own flash memory where firmware is stored.
In other cases firmware may be provided dynamically by the operating system at boot time. However the firmware is stored, it can act like a miniature computer that governs the low-level behavior of that particular component. This code often is very susceptible to attack, residing in everything from laptops to servers to network devices, according to the report.
Protecting users from the dangers of unsigned firmware requires work by vendors throughout the industry. The original equipment manufacturers (OEMs) and original design manufacturers (ODMs) need to work together to fix these issues.
“By including these types of issues in their risk assessments, organizations can make informed decisions on which peripherals and products are secure and which are not,” said Michael.
Daunting Struggle Ahead
Because unsigned firmware has been in widespread use for such an extended period, a speedy fix for the problems it causes is unlikely, but it is essential to make progress toward that end.
“Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch,” TAG Cyber’s Teitler said. “Best practice is to deploy automated scanning for vulnerabilities and misconfigurations at the component level and continuously monitor for new issues or exploits.”
The problem is that peripheral devices often lack the same security best practices that we take for granted in operating systems and in other more visible components, like the UEFI or BIOS, noted Michael. Specifically, many peripheral devices do not verify that firmware is signed properly with a high-quality public/private key before running the code.
This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker simply could insert a malicious or vulnerable firmware image, which the component would trust blindly and run, he cautioned.
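The check Michael describes as missing can be sketched with the openssl command line. This is an added example, not code from the Eclypsium report or any vendor; the file names, key names and image contents are constructed, and in a real component the verification would run in the device's own update or boot path rather than in a host script.

```shell
#!/bin/sh
# Added illustration: a firmware image is accepted only if its detached
# signature verifies against the vendor public key. All names are constructed.

# Vendor side: create an ECDSA P-256 key pair; only the public half is
# given to the verifying side.
make_keys() {  # $1 = working directory
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/vendor_priv.pem" 2>/dev/null &&
    openssl ec -in "$1/vendor_priv.pem" -pubout -out "$1/vendor_pub.pem" 2>/dev/null
}

# Vendor side: write a detached signature over the SHA-256 digest of the image.
sign_image() {  # $1 = private key, $2 = image; writes "$2.sig"
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Verifying side: reject images with a missing or non-matching signature.
accept_image() {  # $1 = public key, $2 = image
    [ -f "$2.sig" ] || { echo "REJECT $2: no signature"; return 1; }
    if openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1; then
        echo "ACCEPT $2"
    else
        echo "REJECT $2: signature does not match image"; return 1
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_keys "$d" || return 1
    printf 'NICFW 1.0 constructed sample image\n' > "$d/nic.bin"
    sign_image "$d/vendor_priv.pem" "$d/nic.bin"
    accept_image "$d/vendor_pub.pem" "$d/nic.bin" || :        # genuine image
    cp "$d/nic.bin" "$d/tampered.bin"
    cp "$d/nic.bin.sig" "$d/tampered.bin.sig"
    printf 'bytes added after signing\n' >> "$d/tampered.bin"
    accept_image "$d/vendor_pub.pem" "$d/tampered.bin" || :   # modified image
    cp "$d/nic.bin" "$d/unsigned.bin"
    accept_image "$d/vendor_pub.pem" "$d/unsigned.bin" || :   # no signature
    rm -rf "$d"
}
demo
```

A component that skips the `accept_image` step treats all three images the same, which is the blind trust the paragraph above describes.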
No Clear Path Forward
These components are inside laptops and servers, but it is often up to the individual device/component manufacturers to introduce mitigations.
Most organizations do not have the mature processes needed to handle security flaws at this level or assign Common Vulnerabilities and Exposures (CVE) reports, according to Yuriy Bulygin, CEO of Eclypsium.
Often, aging hardware becomes a bigger part of the problem. Technical methods to provide robust fixes for fielded products are unavailable because of an old hardware design, he said.
“So we will see these issues for years to come, and the only way to improve this is to keep finding vulnerabilities, alerting the public, and helping device vendors to establish better firmware security,” Bulygin told LinuxInsider.
Eclypsium researchers demonstrated how unsigned firmware can be abused as part of a real-world attack.
The company’s report details how an attacker who gains control over a peripheral component can use the component’s functionality for malicious purposes. The attacker potentially can gain new privileges and even get control over the entire system.
The demonstration shows Eclypsium researchers attacking unsigned firmware in a network interface card (NIC) chipset. A malicious attack on the card can have a profound impact on the server.
That, in turn, compromises the operating system remotely. It provides the attacker with a remote backdoor for snooping and exfiltrating raw network traffic while bypassing operating system firewalls to extract data or deliver ransomware.
Such an attack could disconnect a server from a network upon a signal, the report warns. That can result in disrupting connectivity for an entire data center.