Millions of Windows & Linux Systems Manufactured by Lenovo, Dell, HP and Others Are Vulnerable to Attack via Unsigned Peripheral Firmware

Researchers have found unsigned firmware in system components such as WiFi adapters, USB hubs, trackpads and cameras shipped in laptops and servers from Lenovo, Dell, HP and other major manufacturers.

Because these components load firmware without checking where it came from, millions of Windows and Linux systems are exposed to attackers who can exfiltrate data, disrupt operations and implant malware.

Once a component's firmware is infected, the implant persists below the operating system, where host-based security controls such as antivirus and EDR cannot see it.

The root cause is that many peripheral devices do not verify, before running the code, that a firmware image carries a valid signature made with the vendor's private key and checked against a public key the device already trusts.

These components therefore have no way to confirm that the firmware they load is authentic and trusted.

An attacker can exploit this by simply writing a malicious, or merely vulnerable, firmware image to the device; the component trusts it blindly and runs it.

As a result, unsigned firmware in WiFi adapters, USB hubs, trackpads, laptop cameras and network interface cards provides multiple pathways for attackers to compromise laptops and servers.

The researchers describe a simple but powerful attack scenario:

  1. An attacker gains access to a device via any method, such as malware delivered via email or a malicious website, or an evil maid attack. With basic user privileges, the attacker/malware could write malicious firmware to a vulnerable component.
  2. If the component doesn’t require the firmware to be properly signed, the attacker’s code is loaded and run by the component.
  3. The attacker can then use the unique functionality and privileges of that component to further an attack.

For example, a malicious implant in a network adapter lets attackers sniff, copy, redirect or alter traffic, leading to data loss, man-in-the-middle and other attacks.
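To make the three steps concrete, the following is an added example written for this article; it is not Eclypsium's code and not any vendor's real update routine. It models a peripheral's update handler in two forms: the flawed design, which only checks a CRC and so accepts any image an unprivileged attacker writes (steps 1 and 2 above), and a hardened design that verifies a vendor signature against a public key baked into the device and refuses downgrades. The image layout (`FWIM` header, payload, CRC32, RSA signature), the field names and the key pair are all assumptions made for the example; the key is a toy built from two Mersenne primes so that it runs offline with the standard library, and it stands in for the properly generated RSA or ECDSA key a real product would burn into ROM or OTP.

```python
"""Toy peripheral firmware-update handler: insecure vs. signature-checked.

Added illustration for this article, not Eclypsium's or any vendor's code.
Image format, field names and the key pair are invented for the example.
"""
import hashlib
import struct
import zlib

# Toy RSA key pair (assumption: stands in for the vendor's real signing key).
# Mersenne primes are used only so the example runs offline; a real product
# would use a properly generated 2048/3072-bit RSA or an ECDSA key.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
VENDOR_N = _P * _Q                      # public modulus, pinned in device ROM
VENDOR_E = 65537                        # public exponent, pinned in device ROM
_VENDOR_D = pow(VENDOR_E, -1, (_P - 1) * (_Q - 1))   # private; vendor side only
SIG_LEN = (VENDOR_N.bit_length() + 7) // 8

MAGIC = b"FWIM"                         # assumed image magic
HDR = struct.Struct("<4sII")            # magic, version, payload length


def vendor_sign(version: int, payload: bytes) -> bytes:
    """Vendor build step: header || payload || CRC32(body) || RSA(SHA-256(body))."""
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    crc = struct.pack("<I", zlib.crc32(body))
    digest = int.from_bytes(hashlib.sha256(body).digest(), "big")
    sig = pow(digest, _VENDOR_D, VENDOR_N).to_bytes(SIG_LEN, "big")
    return body + crc + sig


def _split(image: bytes):
    """Parse an image into (version, body, crc, signature); ValueError if malformed."""
    if len(image) < HDR.size + 4:
        raise ValueError("truncated header")
    magic, version, plen = HDR.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    body_end = HDR.size + plen
    if len(image) < body_end + 4:
        raise ValueError("truncated payload")
    crc = struct.unpack_from("<I", image, body_end)[0]
    return version, image[:body_end], crc, image[body_end + 4:]


def insecure_update(device: dict, image: bytes) -> str:
    """The flawed design: a CRC guards against corruption, nothing guards against tampering."""
    try:
        version, body, crc, _sig = _split(image)
    except ValueError as exc:
        return f"rejected: {exc}"
    if zlib.crc32(body) != crc:
        return "rejected: crc mismatch"
    device["firmware"], device["version"] = body[HDR.size:], version   # written to flash
    return "accepted"


def secure_update(device: dict, image: bytes) -> str:
    """Hardened design: verify the vendor signature and refuse rollback before touching flash."""
    try:
        version, body, crc, sig = _split(image)
    except ValueError as exc:
        return f"rejected: {exc}"
    if zlib.crc32(body) != crc:
        return "rejected: crc mismatch"
    if len(sig) != SIG_LEN:
        return "rejected: no/short signature"
    expected = int.from_bytes(hashlib.sha256(body).digest(), "big")
    if pow(int.from_bytes(sig, "big"), VENDOR_E, VENDOR_N) != expected:
        return "rejected: signature invalid"
    if version < device["version"]:
        return "rejected: rollback to older version"
    device["firmware"], device["version"] = body[HDR.size:], version
    return "accepted"


def tamper(image: bytes) -> bytes:
    """Attacker with user-level software access: patch the payload and fix up the CRC."""
    _version, body, _crc, sig = _split(image)
    patched = bytearray(body)
    patched[HDR.size] ^= 0xFF          # first payload byte stands in for the implant
    return bytes(patched) + struct.pack("<I", zlib.crc32(patched)) + sig


def unsigned_image(version: int, payload: bytes) -> bytes:
    """Attacker-built image that carries no signature at all."""
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def demo() -> dict:
    """Run the same four images through both designs; constructed sample payloads."""
    genuine = vendor_sign(2, b"\x00" * 64)
    results = {}
    for name, update in (("insecure", insecure_update), ("secure", secure_update)):
        dev = {"firmware": b"", "version": 1}        # device currently running v1
        results[name] = {
            "genuine":  update(dev, genuine),
            "tampered": update(dev, tamper(genuine)),
            "unsigned": update(dev, unsigned_image(3, b"\x90" * 64)),
            "rollback": update(dev, vendor_sign(1, b"\x00" * 64)),
        }
    return results


if __name__ == "__main__":
    for design, outcome in demo().items():
        print(design, outcome)
```

The insecure handler accepts all four images, including the patched one and the one with no signature, because a CRC only proves the bytes were not corrupted in transit and an attacker who can rewrite the payload can rewrite the CRC too. The hardened handler accepts only the genuine image: the tampered one fails the signature check, the unsigned one is refused outright, and the signed but older image is refused as a rollback, which matters because a validly signed firmware with a known bug is as useful to an attacker as a malicious one. The public key is the only secret-free value the device needs, which is why it can live in ROM or one-time-programmable memory where the attacker's software cannot change it.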

Insecure Firmware In Peripherals

The Eclypsium researchers describe several concrete examples: touchpad and TrackPoint firmware in a Lenovo laptop, a camera in an HP laptop, a WiFi adapter in a Dell laptop, and a network interface card used in servers.

Touchpad and TrackPoint Firmware in Lenovo Laptops:

The researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop that shipped with the following firmware images:

  • Touchpad Firmware: pr2812761-tm3288-011-0808.img
  • TrackPoint Firmware: PSG5E5_RANKA_fv06.bin

Both images are applied through an insecure update mechanism that performs no cryptographic signature verification before the update is written to the device.

An attacker with software access to the laptop can therefore modify the firmware images and run arbitrary malicious code inside these components.

HP Wide Vision FHD Camera Firmware in HP Laptops:

The firmware update HP distributes for this camera is unencrypted and is applied without any authenticity check.

The image itself carries no cryptographic signature or other authenticity information, so the updater has nothing to verify even if it wanted to.

“Researchers confirmed this vulnerability by modifying USB descriptors on a device that was updated with the tool. Of particular note, the SunplusIT firmware updater can successfully update a device even as a normal user. Firmware updates should require Administrator access.”

WiFi Adapter on Dell XPS Laptop:

The researchers also showed that the firmware of the WiFi adapter on a Dell XPS 15 9560 laptop running Windows 10 can be modified.

In the researchers' screenshot (not reproduced here), the firmware image for the WiFi adapter ships as a signed file inside the driver package, and Windows shows the small certificate icon for it.

Once the researchers modified the firmware image, the certificate icon disappeared. That signature protects only the file on disk as Windows sees it; the adapter itself does not check it when the firmware is loaded, which is why the modified image can still be used.

Demonstration:

For the demonstration, the researchers targeted a network interface card (NIC) built on the Broadcom BCM5719 chipset, which is common in current-generation servers from multiple manufacturers.

Because the server's baseboard management controller (BMC) sends its management traffic through the same NIC, firmware running on the NIC can see it. With their own firmware on the card, the researchers intercepted the contents of BMC network packets, passed those contents to malware running on the host, and modified BMC traffic in flight.

A malicious NIC implant can have a profound impact on a server: it can compromise the operating system remotely, provide a remote backdoor, snoop on and exfiltrate raw network traffic, and bypass operating-system firewalls to extract data or deliver ransomware.

These flaws show that unsigned firmware can lead to loss of data, integrity and privacy, and lets attackers gain privileges and hide from traditional security controls.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
