Lack of firmware validation for computer peripherals enables highly persistent attacks

Vulnerabilities in unvalidated peripheral firmware such as WiFi adapters, cameras, and network interface controllers give attackers control over systems.

Page 2 of 2

However, Eclypsium's new research shows that these limitations don't always apply to computer peripherals and that they can be easily overcome. Some of the firmware for these components has open-source implementations, and even where it doesn't, there is now a wealth of public knowledge and tooling for reverse engineering firmware. Malicious firmware can be flashed using publicly available manufacturer tools, some of which don't even require elevated privileges to run, because in some cases end-user applications communicate with these components as part of their normal operation. Even if administrative access is required to update firmware, privilege escalation vulnerabilities are not uncommon in operating systems, and some even originate in the system drivers that these components use.

Some of the vulnerable peripherals that don't validate firmware are widely used in computers from multiple manufacturers because they're created by original design manufacturers (ODMs) that control a big share of their respective market segments.

"The bar is continuing to lower over time," Rick Altherr, principal engineer at Eclypsium, tells CSO. "Is it more challenging than developing a typical software-based malicious action in the OS? Yes, but there are different trade-offs. The main thing that you gain by going to the firmware level is persistence that is deeper than the operating system and you also gain a level of difficulty in detecting that implant or infection. So, while it's certainly more difficult to perform [a firmware attack] the actual depth of attack can be quite stronger."

"What we're seeing is a significant growth in these types of attacks as the security landscape continues to evolve," Altherr said. "As the OS mitigations for running malicious software continue to grow, there's a shift towards moving into firmware to perform similar types of actions."

Industry action needed

According to Altherr, the complex supply chain relationships between the ODMs that make components and the OEMs that integrate them into end-user products such as laptops make resolving this issue difficult. The Eclypsium researchers believe the signature checks should be implemented at the device level, not at the OS or driver level, so the responsibility falls on the ODM.

"You could have a privilege escalation from an administrative process into the kernel, and if the kernel is the thing that's verifying the signature before it puts firmware into the device, that's not fully secure," Jesse Michael, principal researcher at Eclypsium, tells CSO. "It really needs to be the device itself that is doing the signature verification and a number of vendors have produced more intelligent devices where they actually are doing the signature verification in the device, but a number of ODMs are not moving in that direction yet."
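As an added illustration, not code from Eclypsium or from any vendor mentioned in the article, the following Go simulation places the signature check inside the device rather than in the host kernel or driver. The image layout, the FWIMG1 header tag and the Ed25519 vendor key are constructed assumptions; the point is that whatever the host does before calling ApplyUpdate, the device still refuses any image not signed by the key it carries.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)
const magic, hdrLen = "FWIMG1", 6 + 4 // constructed tag; header = magic + big-endian payload length
var ErrBadImage, ErrBadSignature = errors.New("malformed image"), errors.New("signature rejected by device")
// Device models a peripheral that verifies the vendor signature itself. VendorKey
// stands in for a public key fixed at manufacture; the host never supplies it.
type Device struct {
	VendorKey ed25519.PublicKey
	firmware  []byte // what is actually written to flash
}
// BuildImage is the vendor signing tool: header || payload || Ed25519 signature.
func BuildImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[6:], uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}
// ApplyUpdate is the device-side gate: parse, verify, and only then write.
// A host that skips its own driver-level check changes nothing here.
func (d *Device) ApplyUpdate(image []byte) error {
	if len(image) < hdrLen+ed25519.SignatureSize || string(image[:6]) != magic {
		return ErrBadImage
	}
	n := int(binary.BigEndian.Uint32(image[6:hdrLen]))
	if hdrLen+n+ed25519.SignatureSize != len(image) {
		return ErrBadImage
	}
	body, sig := image[:hdrLen+n], image[hdrLen+n:]
	if !ed25519.Verify(d.VendorKey, body, sig) {
		return ErrBadSignature // rejected image never reaches flash
	}
	d.firmware = append([]byte(nil), body[hdrLen:]...)
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	dev := &Device{VendorKey: pub}
	img := BuildImage(priv, []byte("constructed payload"))
	fmt.Println("vendor-signed image:", dev.ApplyUpdate(img))
	img[hdrLen] ^= 0xff // one payload byte modified after signing
	fmt.Println("modified image:", dev.ApplyUpdate(img))
}
```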

Altherr believes that users, both businesses and consumers, should become aware of this issue and consider it in their purchasing decisions. This would put pressure on PC makers to provide firmware validation in their products, which would in turn force component suppliers to implement such mechanisms in their devices.

"We know how to implement signed firmware updates in secure systems," Altherr says. "The primitives for doing this have been in place for a long time. They've been illustrated well in various segments. Certainly, attacks happen against them, but there's a lot of well-trodden space that shows how to do at least the basics well, and those are things that the ODMs have been reluctant to do. That's one aspect of it: Today customers aren't asking for it. So, the OEMs are saying: 'Well, nobody's asking for it. Why should I do this?'"

Copyright © 2020 IDG Communications, Inc.
