Millions of Dell, HP, and Lenovo PCs sitting ducks for firmware attacks

"Millions" of notebook and desktop PCs manufactured by Dell, HP, Lenovo, and others are vulnerable to attack because of insecure firmware used in webcams, trackpads, USB hubs, Wi-Fi cards, and other third-party peripherals built into the PC.

This is according to a report today (February 18) from Oregon security firm Eclypsium, which says that peripherals are often sitting ducks for malware that can modify their firmware and create backdoors into computers.

"When the firmware of these components is infected using the problems we have described, the malware remains undetected by software security controls. These weaknesses are spread across laptop and server components, providing multiple pathways for malicious attacks."

Unfortunately, many of these firmware problems cannot be fixed with an update. And computer manufacturers, peripheral manufacturers, and operating system makers often shift the blame over who is responsible for fixing these problems, leaving computer users in the dark.

If you are using a vulnerable machine (and likely you are), the safest course of action is to install and run the best antivirus software available to catch malware that attempts to modify the firmware of your peripherals. Antivirus software should scan USB drives as soon as they are plugged in.

Models that have proven vulnerable to these peripheral firmware flaws include:

Lenovo told Eclypsium that there is no way to fix the trackpad issue in current laptops. Users will simply have to live with a vulnerable trackpad.

HP has created a patch to fix the webcam vulnerability, which can be downloaded from HP's support site.

As for Dell's Wi-Fi chipset, Eclypsium has notified both Microsoft and Qualcomm.

Eclypsium wryly noted that "responsibility remains unclear and, as we have seen, is often not fully addressed."

"Unfortunately, the problems posed by unsigned firmware are not easily solved. If a component is not designed to check for signed firmware, it often cannot be fixed with a firmware update."

"Often the underlying problem with a device or product line cannot be fixed at all."

Of course, these are just the specific models that Eclypsium happened to examine. Dozens or hundreds of other devices use at least one of these components. For example, according to our colleagues at Laptop Magazine, the current Dell XPS 13 laptop also uses these Wi-Fi cards.

"Virtually every component in the device, including network adapters, graphics cards, USB devices, cameras, touchpads and trackpads, has its own firmware and its own risk potential," Eclypsium said in the report. "Peripheral devices often lack the security best practices that are taken for granted in operating systems and other visible components such as UEFI and BIOS."

"These components have no way to verify that the firmware loaded by the device is genuine and to be trusted. An attacker can simply insert a malicious or vulnerable firmware image, which the component will blindly trust and execute."

Weaknesses in peripheral firmware are not only academic: in 2015, the Russian antivirus company Kaspersky publicized the existence of malware that modifies the firmware of computer hard drives, including drives made by IBM, Maxtor, Seagate, Toshiba, and Western Digital, allowing attackers to build silent backdoors into computers.

The malware was part of a larger constellation of hacking tools that Kaspersky attributed to the Equation Group, a highly skilled and long-standing state-sponsored team that develops malicious code. Kaspersky called the hard drive reprogrammer "perhaps the most powerful tool in the Equation Group's arsenal."

"This is a remarkable technological achievement and a testament to the group's capabilities," Kaspersky added in a 2015 report.

Although Kaspersky has a policy of not attributing malware to any particular nation, it is widely believed that the Equation Group works for or is an active part of the US National Security Agency.

"After the Equation Group's drive implants were exposed, many HDD and SSD vendors made changes to ensure that their components only accepted valid firmware. However, many other peripheral components have yet to follow suit."

Microsoft can harden Windows, and Linux developers can harden Linux, against malware, but improvements in operating systems will do little to stop other lines of attack through the hundreds of third-party peripherals built into laptops and desktops.

The question is who should be held accountable: the peripheral manufacturers, the manufacturers of the computers that purchase and use the peripherals, or the OS makers. Eclypsium does not have an answer, but it puts the blame on the peripheral manufacturers. "Peripheral manufacturers have been slow to adopt the practice of signing firmware."

Notice that Eclypsium does not mention Macs. That is because, according to the report, "Apple performs signature verification on all files in the driver package, including firmware, every time before they are loaded onto the device" to mitigate this type of attack.

"Windows and Linux, in contrast, perform this type of verification only when the package is first installed," the report adds.

There is a simple explanation for this security gap: Apple manufactures both hardware and software and has a vested interest in making sure they complement each other perfectly.

However, Microsoft makes only a few devices that run Windows, and Linux coders and distributors generally make no hardware at all. Both of these OSes must run on thousands of different hardware configurations and cannot be expected to secure the firmware of as many potential peripherals.

Eclypsium hints that computer manufacturers may have to pick up where peripheral manufacturers have fallen short.

"Ultimately, before allowing firmware updates, the devices themselves need to perform signature verification, rather than relying on the operating system to perform this task."
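The weakness the report describes above (a component that "blindly trusts and executes" whatever firmware image it is handed) and the fix it asks for (the device itself verifying a signature before accepting an update) side by side, as an added example that is not from the Eclypsium report or from any vendor's code. The image layout, the `FWIM` magic, and the function names are constructed for illustration; Ed25519 from Go's standard library stands in for whatever signature scheme a real peripheral would use, and the vendor key is generated on the fly rather than burned in at manufacture.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout used by this example (constructed; not any vendor's real format):
//
//	magic "FWIM" (4) | version uint32 LE (4) | payload length uint32 LE (4) | payload | Ed25519 signature (64)
//
// The signature covers everything before it, so the version and length fields are protected too.
const (
	imageMagic = "FWIM"
	headerSize = 4 + 4 + 4
)

var (
	ErrTruncated = errors.New("image length does not match header")
	ErrBadMagic  = errors.New("unrecognized image header")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version is older than installed firmware")
)

// GenerateVendorKey stands in for the vendor's offline signing key. On a real
// device the public half would be fixed at manufacture, which is why a component
// never designed for this usually cannot be retrofitted by a later firmware update.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage runs at the vendor: it wraps the payload in the header and signs it.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var b bytes.Buffer
	b.WriteString(imageMagic)
	binary.Write(&b, binary.LittleEndian, version)
	binary.Write(&b, binary.LittleEndian, uint32(len(payload)))
	b.Write(payload)
	b.Write(ed25519.Sign(priv, b.Bytes()))
	return b.Bytes()
}

// LegacyAccept models the weakness in the report: the device checks only the
// header and then flashes whatever payload it is handed, signed or not.
func LegacyAccept(img []byte) ([]byte, error) {
	if len(img) < headerSize || string(img[:4]) != imageMagic {
		return nil, ErrBadMagic
	}
	n := int(binary.LittleEndian.Uint32(img[8:12]))
	if len(img) < headerSize+n {
		return nil, ErrTruncated
	}
	return img[headerSize : headerSize+n], nil
}

// VerifiedAccept is the hardened device-side check: parse, verify the signature
// with the embedded public key, and only then trust the signed version field to
// enforce anti-rollback.
func VerifiedAccept(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerSize+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if string(img[:4]) != imageMagic {
		return 0, nil, ErrBadMagic
	}
	version := binary.LittleEndian.Uint32(img[4:8])
	n := int(binary.LittleEndian.Uint32(img[8:12]))
	if len(img) != headerSize+n+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	signed := img[:headerSize+n]
	sig := img[headerSize+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, signed[headerSize:], nil
}

func main() {
	pub, priv := GenerateVendorKey()
	good := BuildImage(priv, 2, []byte("constructed trackpad firmware v2"))
	evil := append([]byte(nil), good...)
	evil[headerSize] ^= 0xff // flip one payload byte after signing

	for _, c := range []struct {
		name string
		img  []byte
	}{{"vendor image", good}, {"tampered image", evil}} {
		_, err := LegacyAccept(c.img)
		fmt.Printf("legacy   %-14s -> err=%v\n", c.name, err)
		v, _, err := VerifiedAccept(pub, 1, c.img)
		fmt.Printf("verified %-14s -> version=%d err=%v\n", c.name, v, err)
	}
}
```

The ordering inside `VerifiedAccept` is the point: the version field is read from the image but acted on only after the signature over it checks out, so an attacker cannot use a forged header to downgrade the device to an older, vulnerable but still validly signed release without the rollback check catching it. `LegacyAccept` happily returns the tampered payload, which is exactly the behaviour the report describes for today's unsigned peripherals.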