Peripherals With Unsigned Firmware Expose Windows, Linux Computers to Attacks

Peripheral devices with unsigned firmware can expose Windows and Linux machines to attacks, allowing hackers to install stealthy and persistent malware, steal valuable information, or take control of a computer.

Researchers at firmware security company Eclypsium have discovered that many peripheral device manufacturers have not implemented checks to ensure that the firmware running on their products comes from a trusted source. This can make it easy for malicious actors to install their own firmware on a device and abuse it for various purposes, and in many cases conducting an attack does not require special privileges.

Attacks can be launched against both Windows and Linux computers, including laptops and servers.

“Many peripheral devices do not verify that firmware is properly signed with a high quality public/private key before running the code. This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted,” Eclypsium wrote in a blog post published on Tuesday. “An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.”

Peripheral devices vulnerable to firmware attacks

For example, an attacker can plant malicious firmware on a network adapter to intercept or alter traffic, and a compromised PCI device can be abused for DMA attacks, which can allow an attacker to take complete control of the targeted system. Attackers could also target cameras to spy on users, and a hard drive running malicious firmware can enable an attacker to hide malware.

It’s worth noting that some of these attacks are not just theoretical. The NSA-linked threat actor tracked as the Equation Group, for instance, has been known to target the firmware on hard drives.

Eclypsium has identified insecure firmware in the touchpad and TrackPoint components used in Lenovo laptops, the HP Wide Vision FHD (Sunplus) camera on an HP laptop, the WiFi adapter on a Dell XPS laptop, and a VLI USB hub.

The company has published a blog post summarizing its findings and a video that shows an attack targeting unsigned firmware on a network interface card (NIC), specifically its Broadcom chipset.

“A malicious attack on a NIC can have a profound impact on the server, compromising the operating system remotely, providing a remote backdoor, snooping and exfiltrating raw network traffic and bypassing operating system firewalls to extract data or deliver ransomware. Such an attack could disconnect a server from a network upon a signal, disrupting connectivity for an entire data center,” Eclypsium researchers explained.

In the first phase of the attack, the attacker delivers a piece of malware to the targeted machine via email, a malicious website or an evil maid attack. The malware can then load the attacker’s firmware onto a peripheral device.

Installing malicious firmware on these types of devices can often be done by abusing legitimate firmware update tools.

Jesse Michael, principal researcher at Eclypsium, told SecurityWeek that if these firmware update tools are not present on the compromised machine, attackers can bring the tools themselves. Furthermore, since these utilities are typically signed by Microsoft or the device manufacturers, it is easier for an attacker to trick the victim into executing them.

As for the permissions needed to execute an attack and its technical difficulty, these factors depend on the specific device. For example, Michael said, the Sunplus webcam firmware can be updated by an unprivileged user without the need for elevated permissions.

“Regarding the difficulty of attack, some devices use well-known processor architectures such as ARM and are easy to understand and work with. Others use more obscure, proprietary chipsets which will require custom tools and more initial analysis when creating malicious firmware. However, once the target and update mechanisms are understood, it’s often relatively straightforward to install the malicious firmware on either class of device,” Michael explained.

Eclypsium has pointed out that Apple devices mitigate the threat by verifying the signature of the files in a driver package, including the firmware, every time it’s loaded on a device. However, on Linux and Windows it’s up to the peripheral device, not the operating system, to check the firmware signature before an update.
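As an added illustration (not Eclypsium's code or any vendor's), the contrast between a device that blindly flashes any well-formed image and one that verifies a vendor signature before accepting it, using a constructed image format and a textbook-sized toy RSA key that stands in for the vendor's public/private key pair:

```python
import hashlib
import struct

# Constructed toy RSA key pair: two small primes, far too weak for real use.
# A real vendor key would be 2048+ bits (or Ed25519); the check is the same.
P, Q = 1000003, 999983
N, E = P * Q, 65537                        # public modulus and exponent (on the device)
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (stays with the vendor)

MAGIC = b"FW01"
HDR = struct.Struct("<4sHI")               # magic, version, payload length
SIG_LEN = 8


def image_digest(version: int, payload: bytes) -> int:
    """Hash the authenticated fields; truncated so it fits below the toy modulus."""
    h = hashlib.sha256(struct.pack("<H", version) + payload).digest()
    return int.from_bytes(h[:4], "big")


def vendor_sign(version: int, payload: bytes) -> bytes:
    """What the vendor does at release time: header + payload + signature."""
    sig = pow(image_digest(version, payload), D, N)
    return HDR.pack(MAGIC, version, len(payload)) + payload + sig.to_bytes(SIG_LEN, "big")


def parse_image(image: bytes):
    magic, version, length = HDR.unpack_from(image)
    if magic != MAGIC or len(image) != HDR.size + length + SIG_LEN:
        raise ValueError("malformed image")
    payload = image[HDR.size:HDR.size + length]
    return version, payload, int.from_bytes(image[-SIG_LEN:], "big")


def blind_update(image: bytes) -> bool:
    """Device with no signature check: any well-formed image is flashed and run."""
    parse_image(image)
    return True


def verified_update(image: bytes, current_version: int = 0) -> bool:
    """Device that checks the vendor signature and refuses rollback to older images."""
    version, payload, sig = parse_image(image)
    if pow(sig, E, N) != image_digest(version, payload):
        return False                       # signature does not cover this image
    return version >= current_version      # older (possibly vulnerable) image is rejected


def tamper(image: bytes) -> bytes:
    """Flip one payload byte, as malware swapping in its own code would."""
    i = HDR.size
    return image[:i] + bytes([image[i] ^ 0xFF]) + image[i + 1:]
```

The blind device accepts the tampered image; the verifying device rejects both the tampered image and a validly signed but older image.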

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.