Unsigned firmware exposes millions of Lenovo, Dell and HP PCs to attacks

Security researchers have found multiple PC and laptop components that don’t require cryptographically signed updates are putting millions of Linux and Windows machines to attacks.   

Tortoise-defense formation of the Spartans  >  warfare / war games / red team binary target / attack
Thinkstock

Security researchers have found multiple PC and laptop components that don’t require cryptographically signed updates are putting millions of Linux and Windows machines to attacks.   

HP today disclosed multiple vulnerabilities in its HP Wide Vision FHD Camera firmware that could allow an attacker to modify a laptop’s camera behavior with unsigned firmware. 

HP has detailed mitigations for the firmware bugs affecting the HP Spectre 13 x360 13-ap0xxx convertible laptop, which was just one of several laptop models suffering similar firmware problems in hardware from HP, Lenovo and Dell. 

US cybersecurity outfit Eclypsium disclosed the bugs today as part of its research to highlight the risks of unsigned firmware in hardware components beyond the motherboard, like WiFi adapters, USB hubs, trackpads, and cameras found on equipment from the world’s top three PC and server brands.

The bugs leave enterprise and consumer customers exposed to firmware bugs that attackers can use to steal data, cripple networks or install ransomware. 

Eclypsium’s research draws attention to the security of firmware for peripheral components as opposed to vulnerabilities in primary system firmware, such as UEFI or the legacy BIOS firmware on the motherboard, which are generally under watch by hardware vendors.

But a potential blindspot is the firmware for peripheral components like network interface cards, graphics cards, USB devices, storage drives, cameras, touchpads, trackpads and so on — all the way down to power management and supply firmware. 

To highlight the potential for abuse of peripheral firmware flaws, the company points to the work of the Equation Group, which is thought to be part of the National Security Agency’s elite Tailored Access Operations hacking unit. 

Specifically, it points out that PC makers often don’t cryptographically sign the firmware installed on hard disk drives, allowing skilled attackers like the Equation Group to switch firmware at a layer  below the view of antivirus software.

“Our research shows that much of the industry continues to turn a blind eye to the risks of unsigned firmware. In four separate new pieces of research we found unsigned firmware in WiFi adapters, USB hubs, trackpads, and cameras in a variety of enterprise devices,” wrote Eclypsium researchers Jesse Michael and Rick Altherr. 

In short, if a vendor doesn’t require that a component’s firmware is cryptographically signed, an attacker can use methods to install and run their own code to control the component, potentially exposing the system to a broader breach. 

Each peripheral that doesn’t demand properly signed firmware carries its own risks. The camera could be used to snap images visible from a laptop, while a network adapter could let an attacker observe and manipulate network traffic. 

Another PC model Eclypsium found vulnerable peripherals in was Lenovo’s ThinkPad X1 Carbon 6th Gen laptop, which didn’t require cryptographic signature verification for firmware to be installed to a touchpad component supplied by third-party touchpad maker Synaptics. This means other Lenovo models and likely other brands have the same vulnerability. 

In the case of HP, Eclypsium found that HP wasn’t encrypting the firmware update and that it lacked integrity checks, potential allowing malicious firmware to modify USB behavior from within HP’s update tool. An attacker could use this to make the camera to appear to the system as another type of USB device. 

Finally, the group found an attacker could modify the firmware of the wi-fi adapter — a Qualcomm-made component called “Killer Wireless-n/a/ac 1535” — on a Windows 10 Dell XPS 15 9560 laptop. 

Given the multi-party supply chain behind PCs, it’s not always clear who has responsibility for validating the authenticity and safety of firmware updates. While Qualcomm provides the chipset and driver, Microsoft — through Windows 10 — checks that drivers are signed. 

“Qualcomm responded that their chipset is subordinate to the processor, and that the software running on the CPU is expected to take responsibility for validating firmware. They stated that there was no plan to add signature verification for these chips. However, Microsoft responded that it was up to the device vendor to verify firmware that is loaded into the device,” wrote the Eclypsium researchers. 

Related:

Copyright © 2020 IDG Communications, Inc.

The 10 most powerful cybersecurity companies