Peripheral devices with unsigned firmware can expose Windows and Linux machines to attacks, allowing hackers to install stealthy and persistent malware, steal valuable information, or take control of a computer.
Researchers at firmware security company Eclypsium have discovered that many peripheral device manufacturers have not implemented checks to ensure that the firmware running on their products comes from a trusted source. This can make it easy for malicious actors to install their own firmware on a device and abuse it for various purposes, and in many cases conducting an attack does not require special privileges.
Attacks can be launched against both Windows and Linux computers, including laptops and servers.
“Many peripheral devices do not verify that firmware is properly signed with a high quality public/private key before running the code. This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted,” Eclypsium wrote in a blog post published on Tuesday. “An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.”
For example, an attacker can plant malicious firmware on a network adapter to intercept or alter traffic, and a compromised PCI device can be abused for DMA attacks, which can allow an attacker to take complete control of the targeted system. Attackers could also target cameras to spy on users, and a hard drive running malicious firmware can enable an attacker to hide malware.
It’s worth noting that some of these attacks are not just theoretical. The NSA-linked threat actor tracked as the Equation Group, for instance, has been known to target the firmware on hard drives.
Eclypsium has identified insecure firmware in the touchpad and TrackPoint devices used in Lenovo laptops, the HP Wide Vision FHD (Sunplus) camera on an HP laptop, the WiFi adapter on a Dell XPS laptop, and a VLI USB hub.
“A malicious attack on a NIC can have a profound impact on the server, compromising the operating system remotely, providing a remote backdoor, snooping and exfiltrating raw network traffic and bypassing operating system firewalls to extract data or deliver ransomware. Such an attack could disconnect a server from a network upon a signal, disrupting connectivity for an entire data center,” Eclypsium researchers explained.
In the first phase of the attack, the attacker delivers a piece of malware to the targeted machine via email, a malicious website or an evil maid attack. The malware can then load the attacker’s firmware onto a peripheral device.
Installing malicious firmware on these types of devices can often be done by abusing legitimate firmware update tools.
Jesse Michael, principal researcher at Eclypsium, told SecurityWeek that if these firmware update tools are not present on the compromised machine, attackers can bring the tools themselves. Furthermore, since these utilities are typically signed by Microsoft or device manufacturers, this makes it easier for the attacker to trick the victim into executing them.
As for the permissions needed to execute an attack and its technical difficulty, these factors depend on the specific device. For example, Michael said, the Sunplus webcam firmware can be updated by an unprivileged user without the need for elevated permissions.
“Regarding the difficulty of attack, some devices use well-known processor architectures such as ARM and are easy to understand and work with. Others use more obscure, proprietary chipsets which will require custom tools and more initial analysis when creating malicious firmware. However, once the target and update mechanisms are understood, it’s often relatively straightforward to install the malicious firmware on either class of device,” Michael explained.
Eclypsium has pointed out that Apple devices mitigate the threat by verifying the signature of the files in a driver package, including the firmware, every time it’s loaded on a device. However, on Linux and Windows it’s up to the peripheral device, not the operating system, to check the firmware signature before an update.
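The check Eclypsium says is missing from these peripherals, as an added illustration that is not Eclypsium's, any vendor's, or Microsoft's code: a device or update tool that only accepts a firmware image whose signature verifies against the vendor's public key, and that also refuses a validly signed but older image so a known-vulnerable build cannot be reinstalled. The image layout (`FWIM` magic, version, length, payload, Ed25519 signature) is a constructed format assumed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not any vendor's real format):
//   magic[4] | version uint32 LE | payload length uint32 LE | payload | Ed25519 signature[64]
var (
	magic        = "FWIM"
	ErrFormat    = errors.New("malformed firmware image")
	ErrSignature = errors.New("firmware signature verification failed")
	ErrRollback  = errors.New("image version older than installed firmware")
)

// BuildImage stands in for the vendor's signing pipeline so the example runs stand-alone.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 12)
	copy(hdr, magic)
	binary.LittleEndian.PutUint32(hdr[4:], version)
	binary.LittleEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...) // the signature covers header and payload
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the check the article says many peripherals skip: well formed, signed by the vendor key, not a downgrade.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	sigAt := len(img) - ed25519.SignatureSize
	if sigAt < 12 || string(img[:4]) != magic || int(binary.LittleEndian.Uint32(img[8:])) != sigAt-12 {
		return 0, nil, ErrFormat
	}
	if !ed25519.Verify(pub, img[:sigAt], img[sigAt:]) {
		return 0, nil, ErrSignature // unsigned, re-signed with another key, or tampered: do not flash it
	}
	version := binary.LittleEndian.Uint32(img[4:])
	if version < installed {
		return 0, nil, ErrRollback // genuine but old: block downgrades to a vulnerable build
	}
	return version, img[12:sigAt], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, _, err := VerifyImage(pub, 1, BuildImage(priv, 2, []byte("constructed firmware payload")))
	fmt.Println("genuine image accepted:", err == nil)
}
```

The public key would live in the device's immutable boot ROM or in a driver package the OS itself verifies, which is the Apple-style arrangement the article contrasts with Windows and Linux.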