You likely protect your computers, network, software, and other obvious assets with the necessary security defenses. But there is one element in many devices that isn't as visible: firmware, the low-level code that makes a component work. Depending on the device, firmware may be stored in flash memory on the component itself, or it may be loaded into the component by the operating system's driver each time the system boots.
However it is stored, firmware is exposed to attack if it is unsigned, meaning the device maker has not cryptographically signed it in a way that lets the device verify it came from the maker and has not been altered. A report released Tuesday by Eclypsium details the risks involved in using devices with unsigned firmware.
As described in the report, Perilous Peripherals: The Hidden Dangers Inside Windows & Linux Computers, Eclypsium analyzed unsigned firmware on different devices, including WiFi adapters, USB hubs, trackpads, and cameras used in Windows and Linux computers from Lenovo, Dell, HP, and other manufacturers. The researchers were able to stage a successful malware infection on a server through a network card that had unsigned firmware.
In the real world, a hacker could compromise unsigned firmware to launch different types of attacks, according to Eclypsium.
Infected firmware on a network adapter could let an attacker sniff, copy, or alter network traffic, enabling data theft and man-in-the-middle attacks. PCI-based devices could mount Direct Memory Access (DMA) attacks that read or write system memory directly, letting an attacker steal data or take over the host. Cameras with infected firmware could capture data from the user's environment. And a hard drive with compromised firmware could let an attacker hide code where the operating system cannot see it.
The issue is compounded because a single system may contain many components, each with its own firmware, so one device presents several separate attack surfaces.
Five years ago, security firm Kaspersky brought to light the dangers of unsigned firmware by describing the activities of a cyberattack group called the Equation Group. Having obtained the source code for certain hard drives, the group built malware that could reprogram the firmware of those drives. Since then, however, device makers have been slow to properly sign and secure their firmware, Eclypsium said in its report.
The weakness is that many devices don't verify a cryptographic signature on their firmware before running it. Done properly, the device maker signs each firmware image with a private key that never leaves the maker, and the device checks the signature with the matching public key, which should be fixed in the device's own read-only storage. Without that check, the device has no way to confirm that the firmware is legitimate and should be trusted, so an attacker can load a malicious firmware image that the device, or a specific component on the device, accepts without question. And because firmware runs below the operating system and is rarely inspected, any such infection would typically go undetected.
The problem, as the report describes it, affects Windows and Linux systems. Apple verifies signatures on all files in a driver package, including firmware, each time they are loaded. Windows and Linux verify the package only when it is first installed, so firmware that the driver later pushes into the device is not checked again. To fully guard against this kind of attack, the device itself needs to verify the signature before accepting a firmware update rather than relying on the operating system to do the job.
Potentially, tens of millions or hundreds of millions of systems have unsigned firmware components, according to Eclypsium. And it will take some time before the industry catches up to the problem.
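The check described above, as an added example that is not part of the Eclypsium report or any vendor's code: a vendor-side routine that signs a firmware image with a private key, and a device-side routine that refuses to accept the image unless the signature verifies against a public key the device already holds. The container layout (a "FWIM" magic, a length field, the payload, then an Ed25519 signature), the function names, and the sample payload are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (not any vendor's real format):
//   "FWIM" (4 bytes) | payload length, uint32 big-endian | payload | Ed25519 signature (64 bytes)
// The signature covers the magic, the length field and the payload, so none of them can be
// altered without invalidating it. An unsigned legacy image simply stops after the payload.
const (
	imageMagic = "FWIM"
	headerSize = 8
)

var (
	ErrBadFormat    = errors.New("firmware image: malformed container")
	ErrUnsigned     = errors.New("firmware image: no signature present")
	ErrBadSignature = errors.New("firmware image: signature does not verify")
)

func header(payload []byte) []byte {
	h := make([]byte, headerSize)
	copy(h, imageMagic)
	binary.BigEndian.PutUint32(h[4:], uint32(len(payload)))
	return h
}

// BuildSignedImage is the vendor side: the release pipeline signs the image with the
// private key, which never leaves the vendor.
func BuildSignedImage(priv ed25519.PrivateKey, payload []byte) []byte {
	signed := append(header(payload), payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// BuildUnsignedImage models the legacy case the report describes: a well-formed image
// with no signature at all, which a device lacking a signature check would accept.
func BuildUnsignedImage(payload []byte) []byte {
	return append(header(payload), payload...)
}

// VerifyFirmwareImage is the device side: the check a peripheral's bootloader or update
// handler should run, with a vendor public key fixed in ROM or OTP fuses, before it writes
// anything to flash. It returns the payload only when the signature verifies; every other
// outcome is a distinct, loggable rejection.
func VerifyFirmwareImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < headerSize || string(img[:4]) != imageMagic {
		return nil, ErrBadFormat
	}
	// Widen before adding so a hostile length field cannot wrap the bounds check.
	signedEnd := uint64(headerSize) + uint64(binary.BigEndian.Uint32(img[4:]))
	if signedEnd > uint64(len(img)) {
		return nil, ErrBadFormat
	}
	sig := img[signedEnd:]
	switch {
	case len(sig) == 0:
		return nil, ErrUnsigned
	case len(sig) != ed25519.SignatureSize:
		return nil, ErrBadFormat
	}
	if !ed25519.Verify(pub, img[:signedEnd], sig) {
		return nil, ErrBadSignature
	}
	return img[headerSize:signedEnd], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key pair
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed NIC firmware payload, version 2") // constructed sample input

	cases := map[string][]byte{
		"signed":   BuildSignedImage(priv, payload),
		"unsigned": BuildUnsignedImage(payload),
	}
	tampered := append([]byte(nil), cases["signed"]...)
	tampered[headerSize+3] ^= 0x01 // flip one payload bit after signing
	cases["tampered"] = tampered

	for name, img := range cases {
		_, err := VerifyFirmwareImage(pub, img)
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

Two practical points the example makes visible: the public key must live somewhere the firmware update path cannot overwrite (otherwise an attacker ships a new key alongside a new image), and a signature check alone does not stop an attacker from re-flashing an older, still validly signed image that has a known flaw, which is why real update handlers also enforce a minimum version.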
“Unfortunately, this issue will be around for quite a while, and we’ll most likely see improvements in next-gen products, but this will not happen all at once,” said Jesse Michael, principal researcher at Eclypsium. “As an industry, we need to pay more attention to hardware and firmware security. Protecting users from the dangers of unsigned firmware will require work by vendors throughout the industry. Specifically, the OEMs and ODMs need to work together to fix these issues. By including these types of issues in their risk assessments, organizations can make informed decisions on which peripherals/products are secure and which are not.”
There aren’t any specific security tools that can help users look for unsigned firmware issues. But organizations can take some measures to protect themselves from this type of vulnerability.
“If you work for a larger organization with sensitive data or infrastructure to protect, talk to your security team,” said Rick Altherr, principal engineer for Eclypsium. “Ensure they are aware of the risks of unsigned firmware and are including signed firmware as part of the selection criteria for purchasing decisions. Doing so sends a clear signal to computer manufacturers that signed firmware is a customer requirement and necessary for future product offerings.”