The software that acts as the interface between a computer and its various hardware components can be turned into an espionage-focused implant because the companies that make the components often fail to create a secure mechanism of updating the code, Eclypsium stated in an analysis released today.
In its report, the enterprise firmware security company found that major turnkey design and manufacturing firms that supply components — such as Wi-Fi adapters, USB hubs, trackpads, and cameras — failed to sign their firmware, opening up the possibility that an attacker could replace the hardware code with a malicious version that could be used to spy on and control the compromised system. The company found devices that lacked signed firmware on Lenovo, Dell, and HP laptops, as well as unsigned firmware files on a portal from which computer users can download updates.
The findings are not surprising, says Jesse Michael, principal researcher at Eclypsium. In a standard laptop or workstation, more than a dozen different devices could be running firmware, and in a server more than 100.
"If you buy a laptop or a server from a big name company ... they all have a variety of different suppliers for the lower-level components, such as the network card or a webcam or a touchpad," he says. "While the brand-name computer makers have been looking at software security for a while, the smaller companies [that make these subsystems] have not — most of the devices in these systems do not have signed updates."
The research underscores that, despite the light shed on the technique by the leak of documents from the National Security Agency by former contractor Edward Snowden, few companies have created a secure supply chain for attesting that the firmware updates are official. While many software makers have improved the security of their development life cycles by using code-signing certificates to authenticate updates before they are applied, the original design manufacturers (ODM) that design, program, and produce subsystems for computer manufacturers often fail to take similar steps for the software that acts as the interface between hardware subsystems — such as network adapters, trackpads, and cameras — and the main computer system.
"Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware," the company stated in the report.
The company found, for example, that Synaptics — which provides trackpads for many laptops — did not verify the cryptographic signature before applying a firmware update, allowing the researchers to run arbitrary malicious code on a Lenovo laptop, turning the subsystem into a Trojan.
In another proof-of-concept attack, the researchers modified the firmware of a Wi-Fi adapter running on a Dell laptop. Windows 10 will check to see whether the driver for the network adapter, a device made by Killer Wireless, is signed, and if it is not, it will display it without a certificate icon but will otherwise continue to load the software and use the malicious firmware.
The main benefit to an attacker of compromising the firmware is that a subverted device could be used to reload malware, if an antivirus scanner, for example, detects and cleans the attacking code from the hard drive. "You have a good place for persistence," Michael says. "It is a good place to hide in the system."
Yet specific devices could also grant the attacker other benefits if they are compromised. A network adapter, for example, could allow the intruder to capture communications or send and receive commands covertly. In another proof-of-concept attack, the researchers updated the firmware used by a server's Broadcom baseboard management controller (BMC) to invisibly tap into the system's network communications and create a covert channel.
"Using this approach, we can inspect the contents of BMC network packets, provide those contents to malware running on the host, or even modify BMC traffic on the fly," the researchers wrote. "This could also be used to block alerts sent from the BMC to a central logging server, selectively redirect them to a different server, copy and send traffic to a remote location for analysis, as well as make outgoing network connections to a remote command and control server directly from the NIC itself without the host or BMC being aware that any of this is happening."
Because such changes are invisible to the host operating system, host-based security products will not detect such a compromise. While there are products to detect firmware changes, the best approach for the industry is to put additional pressure on their suppliers, the original equipment manufacturers (OEMs), giving them more clout with the maker of the subsystems, Michael says.
"The OEMs are at the mercy of the ODMs to some degree," he says. "Individually, they only have a limited amount of buying power. By having more customers and organizations aware that there is an issue, they can bring more pressure to fix this problem."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "8 Things Users Do That Make Security Pros Miserable."Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio