Researchers have found unsigned firmware in multiple system components, including WiFi adapters, USB hubs, trackpads and cameras, in systems from Lenovo, Dell, HP and other major manufacturers.
The flaws in these components could allow attackers to compromise millions of Windows and Linux systems, exfiltrate data, disrupt operations and implant malware.
Once a component's firmware is infected, the implant runs below the operating system, where security software running on the host cannot see it.
The root cause is that many peripheral devices do not verify that their firmware is properly signed with a public/private key pair before running the code.
These components therefore have no way to check that the firmware they load is authentic and trusted.
An attacker can take advantage of this by simply supplying a malicious or vulnerable firmware image, which the component trusts blindly and runs.
As a result, unsigned firmware in WiFi adapters, USB hubs, trackpads, laptop cameras and network interface cards gives attackers multiple pathways to compromise laptops and servers.
The researchers describe a simple but powerful attack scenario:
For example, a malicious firmware implant in a network adapter lets attackers sniff, copy, redirect or alter traffic, leading to data loss, man-in-the-middle and other attacks.
Researchers from Eclypsium describe vulnerable firmware found in Lenovo, Dell and HP systems as well as in a USB adapter.
Researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop that used the following firmware.
Both firmware images contain an insecure update mechanism: no cryptographic signature is verified before a firmware update is applied.
This could allow an attacker to modify the firmware images through software and run arbitrary malicious code inside these components.
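The gap described above for peripherals in general, and again in the ThinkPad update mechanism, is the absence of a signature check before an image is flashed. The following Python is an added example, not Eclypsium's code or any vendor's updater. It defines a constructed image layout (magic, version, length, payload, CRC32, signature), a CRC-only acceptance path of the kind the article criticises, and a path that verifies an RSA signature with a public key held by the device. The signing key is a toy (textbook RSA over Mersenne primes, no padding) purely so the block runs on the standard library; a real device would use a properly generated key with RSA-PSS or ECDSA behind the same gate. An attacker who patches the payload and recomputes the CRC is accepted by the first path and rejected by the second.

```python
"""Firmware update gate: CRC-only acceptance vs. signature verification.

Added example; the image format and the key material are constructed for
this demonstration and are not any vendor's actual format or key.
"""
import hashlib
import struct
import zlib

# --- Toy signing key. ASSUMPTION: stdlib-only textbook RSA built from Mersenne
# primes so the example runs offline. These primes are trivially factorable and
# there is no padding; a real device uses a properly generated key with
# RSA-PSS or ECDSA. Only the gate logic below is the point. ---
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
RSA_N = _P * _Q                                  # public modulus, baked into the device
RSA_E = 65537                                    # public exponent, baked into the device
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))     # private exponent: vendor only
SIG_LEN = (RSA_N.bit_length() + 7) // 8          # 81 bytes

# Image layout (constructed): header | payload | crc32 | signature
#   header = magic(4) | version(u32 LE) | payload_len(u32 LE)
#   crc32 and signature both cover header+payload
MAGIC = b"FWIM"
HDR = struct.Struct("<4sII")


def _digest(header: bytes, payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(header + payload).digest(), "big")


def vendor_build_image(version: int, payload: bytes) -> bytes:
    """Vendor side: assemble the image and append CRC plus RSA signature."""
    header = HDR.pack(MAGIC, version, len(payload))
    crc = zlib.crc32(header + payload) & 0xFFFFFFFF
    sig = pow(_digest(header, payload), _RSA_D, RSA_N)
    return header + payload + struct.pack("<I", crc) + sig.to_bytes(SIG_LEN, "big")


def _split(image: bytes):
    """Parse framing; reject truncated or mis-sized images before trusting any byte."""
    if len(image) < HDR.size + 4 + SIG_LEN:
        raise ValueError("image truncated")
    magic, version, plen = HDR.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if len(image) != HDR.size + plen + 4 + SIG_LEN:
        raise ValueError("length field disagrees with image size")
    header = image[:HDR.size]
    payload = image[HDR.size:HDR.size + plen]
    crc, = struct.unpack_from("<I", image, HDR.size + plen)
    sig = int.from_bytes(image[HDR.size + plen + 4:], "big")
    return header, payload, crc, sig


def unsigned_updater_accepts(image: bytes) -> bool:
    """Vulnerable pattern from the article: the device checks only framing and
    a CRC, so anyone who can recompute the CRC can flash anything."""
    header, payload, crc, _ = _split(image)
    return crc == (zlib.crc32(header + payload) & 0xFFFFFFFF)


def signed_updater_accepts(image: bytes, pub_n: int = RSA_N, pub_e: int = RSA_E) -> bool:
    """Hardened pattern: the device holds only the public key and refuses to
    flash unless the signature over header+payload verifies."""
    header, payload, crc, sig = _split(image)
    if crc != (zlib.crc32(header + payload) & 0xFFFFFFFF):
        return False
    if not 0 < sig < pub_n:
        return False
    return pow(sig, pub_e, pub_n) == _digest(header, payload)


def attacker_patch(image: bytes, offset: int, patch: bytes) -> bytes:
    """Attacker with software access to the image: overwrite payload bytes and
    fix up the CRC, which is all the unsigned updater looks at."""
    header, payload, _, sig = _split(image)
    payload = payload[:offset] + patch + payload[offset + len(patch):]
    crc = zlib.crc32(header + payload) & 0xFFFFFFFF
    return header + payload + struct.pack("<I", crc) + sig.to_bytes(SIG_LEN, "big")


def demo() -> dict:
    """Run both updaters over a genuine and a tampered image (constructed payload)."""
    genuine = vendor_build_image(1, b"\x00" * 64 + b"real nic firmware")
    evil = attacker_patch(genuine, 64, b"implant")
    return {
        "genuine_unsigned": unsigned_updater_accepts(genuine),
        "genuine_signed": signed_updater_accepts(genuine),
        "tampered_unsigned": unsigned_updater_accepts(evil),
        "tampered_signed": signed_updater_accepts(evil),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ACCEPTED' if ok else 'REJECTED'}")
```

Run the file directly to see the four verdicts. The length and magic checks in `_split` run before either path trusts a byte of the payload, so a truncated or mis-sized image raises rather than being flashed; the CRC alone, as the article points out, proves only that the image was not corrupted in transit, not that the vendor produced it.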
A firmware update for an HP component was distributed unencrypted and without any authenticity checks.
The firmware itself also carries no cryptographic signature or other authenticity information.
“Researchers confirmed this vulnerability by modifying USB descriptors on a device that was updated with the tool. Of particular note, the SunplusIT firmware updater can successfully update a device even as a normal user. Firmware updates should require Administrator access.”
During this research, the experts demonstrated the flaw by modifying the firmware of the WiFi adapter on a Dell XPS 15 9560 laptop running Windows 10.
In the image above, the firmware image shipped with the WiFi driver is correctly signed, which Windows indicates with a small certificate icon.
Once the researchers modified the WiFi adapter's firmware image, the certificate icon disappeared.
The researchers also tested unsigned firmware on a network interface card (NIC) chipset, specifically the Broadcom BCM5719, which is commonly used in current-generation servers from multiple manufacturers.
In this demonstration, they intercepted the contents of network packets to and from the BMC (baseboard management controller), passed those contents to malware running on the host, and were also able to modify BMC traffic in flight.
A malicious attack on a NIC can have a profound impact on a server: compromising the operating system remotely, providing a remote backdoor, snooping on and exfiltrating raw network traffic, and bypassing operating system firewalls to extract data or deliver ransomware.
These flaws clearly show that unsigned firmware can lead to loss of data, integrity and privacy, and can let attackers gain privileges and hide from traditional security controls.