Millions of Windows and Linux systems are vulnerable to attacks because of unsigned firmware, according to a new report from the security research group Eclypsium.
Unsigned firmware was discovered in Wi-Fi adapters, USB hubs, touchpads and cameras used in computers made by Dell, Lenovo, HP and other laptop vendors. Those unprotected devices, often made by smaller part suppliers, are included on some of the most popular and best laptops, including the Lenovo ThinkPad X1 Carbon, HP Spectre x360 and Dell XPS 15.
Malware that burrows its way into peripherals via unsigned firmware can disable devices, steal data and launch ransomware attacks. Worse yet, when the unprotected firmware of these laptop components is infiltrated, the attacking malware is undetectable by antivirus software.
"Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware," Eclypsium wrote in its report.
HP, Lenovo and Dell laptops are at risk
Eclypsium found vulnerabilities in three of the top laptops on the market. Lenovo's ThinkPad X1 Carbon, which uses Synaptics touchpads, was found to use "insecure firmware update mechanisms."
"Specifically, cryptographic signature verification was not required at the device level before firmware updates were applied," the report states. "This lack of control made it possible to modify the firmware images through software to run arbitrary malicious code within these components."
Lenovo was notified of the issue but said it doesn't have a way to fix the problem in its current systems.
HP is equally at fault. The "HP Wide Vision FHD" webcam, made by a company named SunplusIT, in HP's flagship Spectre x360 laptop was updated with unencrypted firmware that lacked authenticity checks.
"Once additional details of the processor architecture are discovered, the camera module behavior can be altered to be malicious by implementing a USB HID device such as a Rubber Ducky," Eclypsium writes.
HP says it's working on a patch that validates firmware for future updates.
Lastly, the Killer Wi-Fi chip made by Rivet Networks and built into Dell's XPS 13 can be modified and used maliciously. The security researchers contacted multiple companies to report their findings, but the blame for these vulnerabilities was pinballed from one firm to the next.
A recurring problem
Firmware signatures are important because they act as digital certificates and verify that code has not been tampered with. It seems like an obvious and easy step for firmware developers to take to ensure their code is protected. But as this new report shows, this crucial step is overlooked by even the biggest manufacturers.
"Specifically, many peripheral devices do not verify that firmware is properly signed with a high quality public/private key before running the code," the report notes.
"This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run."
Eclypsium says this issue is widespread on Windows and Linux because signature verification is only performed when a package is first installed. In contrast, Apple does the check on all files in a driver package, including the firmware "each time they are loaded into the device."
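As an added illustration (not code from Eclypsium's report or from any of the vendors named), here is a small Go model of the verify-on-every-load check the report describes: the device checks an Ed25519 signature over the firmware image against a vendor public key it already trusts before running it, so a single-bit change to the image is rejected. The image layout, the key handling and the firmware bytes are constructed assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed image layout: the vendor signs the raw firmware body, and the
// device holds the vendor's public key (assumed to be fixed at manufacture).
type FirmwareImage struct {
	Body      []byte
	Signature []byte
}

// VerifyBeforeLoad is the check the report says many peripherals skip: the
// device refuses any image whose signature does not verify under the vendor
// key, and it does so every time the image is loaded, not only at install.
func VerifyBeforeLoad(vendorKey ed25519.PublicKey, img FirmwareImage) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("firmware rejected: missing or malformed signature")
	}
	if !ed25519.Verify(vendorKey, img.Body, img.Signature) {
		return errors.New("firmware rejected: signature does not verify")
	}
	return nil
}

// SignFirmware models the vendor-side build step (hypothetical tooling).
func SignFirmware(vendorPriv ed25519.PrivateKey, body []byte) FirmwareImage {
	return FirmwareImage{Body: body, Signature: ed25519.Sign(vendorPriv, body)}
}

// Demo returns whether a genuine image is accepted and a modified one rejected.
func Demo() (genuineAccepted, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine := SignFirmware(priv, []byte("constructed touchpad firmware v1.0"))
	tampered := FirmwareImage{Body: append([]byte(nil), genuine.Body...), Signature: genuine.Signature}
	tampered.Body[0] ^= 0x01 // a one-bit change, as any modified image would carry
	return VerifyBeforeLoad(pub, genuine) == nil, VerifyBeforeLoad(pub, tampered) != nil, nil
}

func main() {
	ok, rej, err := Demo()
	fmt.Println("genuine accepted:", ok, "tampered rejected:", rej, "error:", err)
}
```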
Apple also makes every device its operating systems run on, which gives it an intimate understanding of how the hardware and software intersect. By comparison, Windows and Linux run on thousands of different devices.
This isn't the first time we've heard about unsigned firmware as a potential security vulnerability. In 2015, researchers at Kaspersky found malware that could rewrite HDD firmware from dozens of brands in order to plant backdoors.
The malware was supposedly created by what Kaspersky refers to as the Equation Group, which is widely assumed to be the NSA. Manufacturers quickly learned their lesson and updated their products to only accept valid HDD firmware.
We can only hope manufacturers take Eclypsium's advice seriously and ensure that their components are updated with signed code.