Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:00 AM

Firmware Weaknesses Can Turn Computer Subsystems into Trojans

Network cards, video cameras, and graphics adapters are a few of the subsystems whose lack of security could allow attackers to turn them into spy implants.

The software that acts as the interface between a computer and its various hardware components can be turned into an espionage-focused implant because the companies that make the components often fail to create a secure mechanism of updating the code, Eclypsium stated in an analysis released today.

In its report, the enterprise firmware security company found that major turnkey design and manufacturing firms that supply components — such as Wi-Fi adapters, USB hubs, trackpads, and cameras — failed to sign their firmware, opening up the possibility that an attacker could replace the hardware code with a malicious version that could be used to spy on and control the compromised system. The company found devices that lacked signed firmware on Lenovo, Dell, and HP laptops, as well as unsigned firmware files on a portal from which computer users can download updates.

The findings are not surprising, says Jesse Michael, principal researcher at Eclypsium. In a standard laptop or workstation, more than a dozen different devices could be running firmware, and in a server more than 100.

"If you buy a laptop or a server from a big name company ... they all have a variety of different suppliers for the lower-level components, such as the network card or a webcam or a touchpad," he says. "While the brand-name computer makers have been looking at software security for a while, the smaller companies [that make these subsystems] have not — most of the devices in these systems do not have signed updates."

The research underscores that, despite the light shed on the technique by the leak of documents from the National Security Agency by former contractor Edward Snowden, few companies have created a secure supply chain for attesting that the firmware updates are official. While many software makers have improved the security of their development life cycles by using code-signing certificates to authenticate updates before they are applied, the original design manufacturers (ODM) that design, program, and produce subsystems for computer manufacturers often fail to take similar steps for the software that acts as the interface between hardware subsystems — such as network adapters, trackpads, and cameras — and the main computer system.

"Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware," the company stated in the report.

The company found, for example, that Synaptics — which provides trackpads for many laptops — did not verify the cryptographic signature before applying a firmware update, allowing the researchers to run arbitrary malicious code on a Lenovo laptop, turning the subsystem into a Trojan.

In another proof-of-concept attack, the researchers modified the firmware of a Wi-Fi adapter running on a Dell laptop. Windows 10 will check to see whether the driver for the network adapter, a device made by Killer Wireless, is signed, and if it is not, it will display it without a certificate icon but will otherwise continue to load the software and use the malicious firmware.

The main benefit to an attacker of compromising the firmware is that a subverted device could be used to reload malware, if an antivirus scanner, for example, detects and cleans the attacking code from the hard drive. "You have a good place for persistence," Michael says. "It is a good place to hide in the system."

Yet specific devices could also grant the attacker other benefits if they are compromised. A network adapter, for example, could allow the intruder to capture communications or send and receive commands covertly. In another proof-of-concept attack, the researchers updated the firmware used by a server's Broadcom baseboard management controller (BMC) to invisibly tap into the system's network communications and create a covert channel. 

"Using this approach, we can inspect the contents of BMC network packets, provide those contents to malware running on the host, or even modify BMC traffic on the fly," the researchers wrote. "This could also be used to block alerts sent from the BMC to a central logging server, selectively redirect them to a different server, copy and send traffic to a remote location for analysis, as well as make outgoing network connections to a remote command and control server directly from the NIC itself without the host or BMC being aware that any of this is happening."

Because such changes are invisible to the host operating system, host-based security products will not detect such a compromise. While there are products to detect firmware changes, the best approach for the industry is to put additional pressure on their suppliers, the original equipment manufacturers (OEMs), giving them more clout with the maker of the subsystems, Michael says.

"The OEMs are at the mercy of the ODMs to some degree," he says. "Individually, they only have a limited amount of buying power. By having more customers and organizations aware that there is an issue, they can bring more pressure to fix this problem."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "8 Things Users Do That Make Security Pros Miserable."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.