Researchers discovered multiple unsigned firmware in various system components such as WiFi adapters, USB hubs, trackpads, and cameras used in Lenovo, Dell, HP and other major manufacturers.
The flaws existing in these components allowed the attackers to compromise millions of Windows and Linux systems, and exfiltrate the data, disrupt the operation also implant the malware.
Once firmware components are infected, it allowed attackers to implant malware that stays undetected by any software security controls.
The primary issue in the flaw is that many of the peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code.
It means these above list components have no way to validate that the firmware loaded by the device is properly authenticated and trusted.
It can be taking advantage of the attacker and simply insert a malicious or vulnerable firmware image that eventually trusted by the component blindly and let it run on the device.
In results, Unsigned firmware in wifi adapters, USB hubs, trackpads, laptop cameras and network interface cards provides multiple pathways for malicious attackers to compromise laptops and servers.
Researchers explain the following very simple and powerful scenario for an attack:
- An attacker gains access to a device via any method, such as malware delivered via email or a malicious website, or an evil maid attack. With basic user privileges, the attacker/malware could write malicious firmware to a vulnerable component.
- If the component doesn’t require the firmware to be properly signed, the attacker’s code is loaded and run by the component.
- The attacker can then use the unique functionality and privileges of that component to further an attack.
For example, If the malicious firmware implant in the network adaptor, it allows attackers to sniff, copy, redirect, or alter traffic leading to a loss of data, man-in-the-middle and other attacks.
Insecure Firmware In Peripherals
Researchers from Eclypsium explains some of the vulnerable firmware in various computer brands such as Lenovo, Dell and USB adapter.
Touchpad and TrackPoint Firmware in Lenovo Laptops:
Researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop that used the following firmware.
- Touchpad Firmware: pr2812761-tm3288-011-0808.img
- TrackPoint Firmware: PSG5E5_RANKA_fv06.bin
Both firmware contains an insecure update mechanism, and it doesn’t require any cryptographic signature verification before applied the firmware update.
It potentially allowed attackers to modify the firmware images through software to run arbitrary malicious code within these components.
HP Wide Vision FHD Camera Firmware in HP Laptops:-
A firmware update distributed by HP components was unencrypted and lacked authenticity checks.
Also, these firmware doesn’t contains any form of cryptographic signature or other authenticity information.
“Researchers confirmed this vulnerability by modifying USB descriptors on a device that was updated with the tool. Of particular note, the SunplusIT firmware updater can successfully update a device even as a normal user. Firmware updates should require Administrator access.”
WiFi Adapter on Dell XPS Laptop:-
During this research, experts demonstrate the flaw that allows modifying the firmware of the WiFi adapter on a Dell XPS 15 9560 laptops running Windows 10.
In this above image, the firmware image for the WiFi adapter is correctly signed by the drivers and also it displayed the small certificate icon.
Once researchers modified the firmware image for the Wifi adapter, the certificate icon is gone way.
Researchers tested the unsigned firmware in a network interface card (NIC) chipset, in which specifically the Broadcom BCM5719 chipset in the NIC was used in this demonstration, and is commonly used in current-generation servers from multiple manufacturers.
In this demonstration, researchers intercept the contents of BMC network packets, provide those contents to malware running on the host and also they were able to modify BMC traffic online.
A malicious attack on a NIC can have a profound impact on the server, compromising the operating system remotely, providing a remote backdoor, snooping and exfiltrating raw network traffic and bypassing operating system firewalls to extract data or deliver ransomware.
These critical flaws clearly indicate that unsigned firmware can lead to the loss of data, integrity, and privacy, and can allow attackers to gain privileges and hide from traditional security controls.