Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/18/2020
09:00 AM
50%
50%

Firmware Weaknesses Can Turn Computer Subsystems into Trojans

Network cards, video cameras, and graphics adapters are a few of the subsystems whose lack of security could allow attackers to turn them into spy implants.

The software that acts as the interface between a computer and its various hardware components can be turned into an espionage-focused implant because the companies that make the components often fail to create a secure mechanism of updating the code, Eclypsium stated in an analysis released today.

In its report, the enterprise firmware security company found that major turnkey design and manufacturing firms that supply components — such as Wi-Fi adapters, USB hubs, trackpads, and cameras — failed to sign their firmware, opening up the possibility that an attacker could replace the hardware code with a malicious version that could be used to spy on and control the compromised system. The company found devices that lacked signed firmware on Lenovo, Dell, and HP laptops, as well as unsigned firmware files on a portal from which computer users can download updates.

The findings are not surprising, says Jesse Michael, principal researcher at Eclypsium. In a standard laptop or workstation, more than a dozen different devices could be running firmware, and in a server more than 100.

"If you buy a laptop or a server from a big name company ... they all have a variety of different suppliers for the lower-level components, such as the network card or a webcam or a touchpad," he says. "While the brand-name computer makers have been looking at software security for a while, the smaller companies [that make these subsystems] have not — most of the devices in these systems do not have signed updates."

The research underscores that, despite the light shed on the technique by the leak of documents from the National Security Agency by former contractor Edward Snowden, few companies have created a secure supply chain for attesting that the firmware updates are official. While many software makers have improved the security of their development life cycles by using code-signing certificates to authenticate updates before they are applied, the original design manufacturers (ODM) that design, program, and produce subsystems for computer manufacturers often fail to take similar steps for the software that acts as the interface between hardware subsystems — such as network adapters, trackpads, and cameras — and the main computer system.

"Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware," the company stated in the report.

The company found, for example, that Synaptics — which provides trackpads for many laptops — did not verify the cryptographic signature before applying a firmware update, allowing the researchers to run arbitrary malicious code on a Lenovo laptop, turning the subsystem into a Trojan.

In another proof-of-concept attack, the researchers modified the firmware of a Wi-Fi adapter running on a Dell laptop. Windows 10 will check to see whether the driver for the network adapter, a device made by Killer Wireless, is signed, and if it is not, it will display it without a certificate icon but will otherwise continue to load the software and use the malicious firmware.

The main benefit to an attacker of compromising the firmware is that a subverted device could be used to reload malware, if an antivirus scanner, for example, detects and cleans the attacking code from the hard drive. "You have a good place for persistence," Michael says. "It is a good place to hide in the system."

Yet specific devices could also grant the attacker other benefits if they are compromised. A network adapter, for example, could allow the intruder to capture communications or send and receive commands covertly. In another proof-of-concept attack, the researchers updated the firmware used by a server's Broadcom baseboard management controller (BMC) to invisibly tap into the system's network communications and create a covert channel. 

"Using this approach, we can inspect the contents of BMC network packets, provide those contents to malware running on the host, or even modify BMC traffic on the fly," the researchers wrote. "This could also be used to block alerts sent from the BMC to a central logging server, selectively redirect them to a different server, copy and send traffic to a remote location for analysis, as well as make outgoing network connections to a remote command and control server directly from the NIC itself without the host or BMC being aware that any of this is happening."

Because such changes are invisible to the host operating system, host-based security products will not detect such a compromise. While there are products to detect firmware changes, the best approach for the industry is to put additional pressure on their suppliers, the original equipment manufacturers (OEMs), giving them more clout with the maker of the subsystems, Michael says.

"The OEMs are at the mercy of the ODMs to some degree," he says. "Individually, they only have a limited amount of buying power. By having more customers and organizations aware that there is an issue, they can bring more pressure to fix this problem."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "8 Things Users Do That Make Security Pros Miserable."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13643
PUBLISHED: 2020-05-28
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be e...
CVE-2020-13644
PUBLISHED: 2020-05-28
An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accord...
CVE-2020-13641
PUBLISHED: 2020-05-28
An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The far_options_page function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The find and replace rules could be updated with malicious JavaScript, allow...
CVE-2020-13642
PUBLISHED: 2020-05-28
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The panels_data $_POST variable allows for malicious JavaScript to be e...
CVE-2020-8603
PUBLISHED: 2020-05-27
A cross-site scripting vulnerability (XSS) in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow a remote attacker to tamper with the web interface of affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or ...