- Hardware makers' unsafe firmware upgrade practices were again exposed by the Eclypsium researchers.
- Many big names in the industry are not using firmware validation, so attackers could plant their own version anytime.
- The only companies that have complied with guidelines on proper security practices are HDD and SSD makers.
Firmware is a special kind of software that users cannot touch, change, or upgrade (except for some rare cases). It sits inside our computer chips, taking care of low-level device control stuff, while it also constitutes a security liability for those who know how to exploit it. Between 2015 and 2016, a group of developers known as "Equation Group" produced a trojan that they could plant inside hard disk drive firmware, and that enabled them to retrieve any data from the device (even deleted files) long after discarding. Later, when Kaspersky Lab proved that the Equation Group had ties with the NSA, the whole world was socked. Hardware vendors promised to implement better supply chain protection measures, and the subject was closed.
Eclypsium recently decided to revisit the situation and see if the firmware used in today’s electronics is any better than it was five years ago. What they found isn’t very encouraging. More specifically, they have found a plethora of devices using unsigned firmware. This means that the users can’t tell if it comes from a trustworthy vendor or a malicious third party. The types of devices that demonstrate this risky behavior include WiFi adapters, USB hubs, trackpads, laptop cameras, and network interface cards.
Examples come from across the whole industry: the TouchPad and TrackPoint firmware found in various Lenovo laptops and the firmware that controls the cameras in HP laptops. Also, the WiFi adapter on the Dell XPS laptop range, and even USB hubs using firmware sources by the Linux Vendor Firmware Service. Interestingly, HDD and SSD manufacturers have incorporated safer firmware upgrading methods. Of course, this is the direct result of the 2015 attacks. The rest of the industry, though, hasn’t taken note of what happened back then.
In the video below, the Eclypsium team demonstrates the possibility of intercepting BMC traffic after planting a malicious firmware version on the target device. If it doesn’t require any form of validation, which is still the case, as we saw, the attackers can load any code they want onto the component, and have it run without restrictions. Because the firmware runs at such a low and fundamental level, a skillful attacker could potentially deepen their infiltration on a system by overriding or setting aside all protections that are active on the higher level. This includes anti-virus and anti-malware solutions and even firewalls.