
Firmware Weaknesses Can Turn Computer Subsystems into Trojans

Network cards, video cameras, and graphics adapters are a few of the subsystems whose lack of security could allow attackers to turn them into spy implants.

The software that acts as the interface between a computer and its various hardware components can be turned into an espionage-focused implant because the companies that make the components often fail to create a secure mechanism of updating the code, Eclypsium stated in an analysis released today.

In its report, the enterprise firmware security company found that major turnkey design and manufacturing firms that supply components — such as Wi-Fi adapters, USB hubs, trackpads, and cameras — failed to sign their firmware, opening up the possibility that an attacker could replace the hardware code with a malicious version that could be used to spy on and control the compromised system. The company found devices that lacked signed firmware on Lenovo, Dell, and HP laptops, as well as unsigned firmware files on a portal from which computer users can download updates.

The findings are not surprising, says Jesse Michael, principal researcher at Eclypsium. In a standard laptop or workstation, more than a dozen different devices could be running firmware, and in a server more than 100.

"If you buy a laptop or a server from a big name company ... they all have a variety of different suppliers for the lower-level components, such as the network card or a webcam or a touchpad," he says. "While the brand-name computer makers have been looking at software security for a while, the smaller companies [that make these subsystems] have not — most of the devices in these systems do not have signed updates."

The research underscores that, despite the light shed on the technique by the leak of documents from the National Security Agency by former contractor Edward Snowden, few companies have created a secure supply chain for attesting that the firmware updates are official. While many software makers have improved the security of their development life cycles by using code-signing certificates to authenticate updates before they are applied, the original design manufacturers (ODMs) that design, program, and produce subsystems for computer manufacturers often fail to take similar steps for the software that acts as the interface between hardware subsystems — such as network adapters, trackpads, and cameras — and the main computer system.

"Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware," the company stated in the report.

The company found, for example, that Synaptics — which provides trackpads for many laptops — did not verify the cryptographic signature before applying a firmware update, allowing the researchers to run arbitrary malicious code on a Lenovo laptop, turning the subsystem into a Trojan.
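The missing check described above, as an added example that is not taken from Eclypsium's report or from any vendor's updater: a Go sketch that offers the same modified image to an updater that writes whatever it receives and to one that first verifies a detached signature against a pinned vendor key. The `Device` type, the function names, the key seed and the image bytes are constructed for illustration, and Ed25519 is an assumed choice of signature scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Device models a peripheral's flash storage (hypothetical, for illustration).
type Device struct{ Flash []byte }

var ErrBadSignature = errors.New("firmware signature check failed")

// ApplyUnsigned mirrors the behaviour the report describes: whatever image
// arrives is written to the device with no authenticity check.
func ApplyUnsigned(d *Device, image []byte) { d.Flash = append([]byte(nil), image...) }

// ApplySigned writes the image only if sig is a valid Ed25519 signature over
// the whole image under the vendor key pinned in the updater.
func ApplySigned(d *Device, vendor ed25519.PublicKey, image, sig []byte) error {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendor, image, sig) {
		return ErrBadSignature // flash is left untouched
	}
	d.Flash = append([]byte(nil), image...)
	return nil
}

// Demo signs a constructed image with a constructed vendor key, then reports
// whether each updater accepted a modified copy and whether the verifying
// updater still accepted the genuine image.
func Demo() (unsignedTookTampered, signedTookTampered, signedTookGenuine bool) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	vendor := priv.Public().(ed25519.PublicKey)
	good := []byte("TRACKPAD-FW v1.0 (constructed sample image)")
	sig := ed25519.Sign(priv, good)
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0x01 // a single flipped bit

	a, b, c := &Device{}, &Device{}, &Device{}
	ApplyUnsigned(a, tampered)
	errTampered := ApplySigned(b, vendor, tampered, sig)
	errGenuine := ApplySigned(c, vendor, good, sig)
	return bytes.Equal(a.Flash, tampered), errTampered == nil,
		errGenuine == nil && bytes.Equal(c.Flash, good)
}

func main() {
	fmt.Println(Demo())
}
```

The check only helps if it runs where the image is written, with a key the update channel cannot replace.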

In another proof-of-concept attack, the researchers modified the firmware of a Wi-Fi adapter running on a Dell laptop. Windows 10 checks whether the driver for the network adapter, a device made by Killer Wireless, is signed; if it is not, Windows displays the driver without a certificate icon but otherwise continues to load the software and use the malicious firmware.

The main benefit to an attacker of compromising the firmware is that a subverted device could be used to reload malware if, for example, an antivirus scanner detects and cleans the attacking code from the hard drive. "You have a good place for persistence," Michael says. "It is a good place to hide in the system."

Yet specific devices could also grant the attacker other benefits if they are compromised. A network adapter, for example, could allow the intruder to capture communications or send and receive commands covertly. In another proof-of-concept attack, the researchers updated the firmware used by a server's Broadcom baseboard management controller (BMC) to invisibly tap into the system's network communications and create a covert channel. 

"Using this approach, we can inspect the contents of BMC network packets, provide those contents to malware running on the host, or even modify BMC traffic on the fly," the researchers wrote. "This could also be used to block alerts sent from the BMC to a central logging server, selectively redirect them to a different server, copy and send traffic to a remote location for analysis, as well as make outgoing network connections to a remote command and control server directly from the NIC itself without the host or BMC being aware that any of this is happening."

Because such changes are invisible to the host operating system, host-based security products will not detect such a compromise. While there are products to detect firmware changes, the best approach for the industry is to put additional pressure on their suppliers, the original equipment manufacturers (OEMs), giving them more clout with the maker of the subsystems, Michael says.

"The OEMs are at the mercy of the ODMs to some degree," he says. "Individually, they only have a limited amount of buying power. By having more customers and organizations aware that there is an issue, they can bring more pressure to fix this problem."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
