Driver Disaster: Over 40 Signed Drivers Can’t Pass Security Muster

Dozens of insecure drivers from 20 vendors illustrate widespread weaknesses when it comes to kernel protection.

LAS VEGAS – An insecure driver can be just what a hacker needs to get a foot in the door of a Windows environment. Compromised drivers have been at the heart of massive security headaches ranging from the recent Slingshot APT campaign to the LoJax malware. That’s why researchers at Eclypsium are sounding the alarm over what they see as a dire security problem: insecure drivers digitally signed by reputable firms such as Microsoft.

At a session here at DEF CON on Saturday, Eclypsium’s principal researcher Mickey Shkatov was joined by researcher Jesse Michael, and both shed light on research showing that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – all of them certified by Microsoft.

“These vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources and move an attacker from user mode to OS kernel mode,” researchers noted. They added that the vulnerabilities are widespread, impacting major BIOS vendors, as well as hardware sold by ASUS, Toshiba, NVIDIA and Huawei.

Researchers said they first pinpointed the issue in April, when they identified 40 insecure drivers representing 20 vendors. They then gave the offending companies a 90-day window to mitigate the issues. All 40 drivers are unique, 64-bit, and signed by two separate vendors, researchers said.

“Some of the most dangerous [insecure driver attack scenarios] are arbitrary read/write of kernel memory, arbitrary read/write of model specific registers (MSRs), and arbitrary read and write of physical memory as these can all be used to achieve arbitrary code execution within the Windows kernel,” researchers told Threatpost.

Shkatov added that arbitrary hardware access via an insecure driver can allow malicious modification of firmware components, resulting in persistent subversion of existing Windows AV protection. Such was the case in March when Huawei MateBook systems included a rogue driver that let unprivileged users create processes with superuser privileges.

What researchers said makes this problem particularly menacing is the assumption that firms such as Microsoft have their back when it comes to insecure drivers. “Vendors think Microsoft is looking for this and they’re not, and Microsoft thinks vendors are delivering secure code. No one is taking ownership of this issue,” Shkatov told Threatpost.

Public exploits of insecure drivers mentioned in the talk include an ASUS driver elevation-of-privilege vulnerability, an MSI local privilege escalation and another privilege-escalation flaw found in Gigabyte hardware.

Why are there so many insecure drivers? “This is a common software design anti-pattern where, rather than making the driver only perform specific tasks, it’s written in a flexible way to just perform arbitrary actions on behalf of userspace. It’s easier to develop software by structuring drivers and applications this way, but it opens the system up for exploitation,” the researcher said.
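As an added illustration of this anti-pattern (not code from Eclypsium or from any vendor's driver), the following user-mode C model contrasts a "write anywhere" IOCTL proxy with a task-specific interface; the register file, register offsets and IOCTL codes are constructed stand-ins for the MMIO, MSRs or physical memory a real driver reaches.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 256-byte register file standing in for the MMIO, MSRs or physical
 * memory a real driver reaches; REG_FLASH_UNLOCK models a register user mode must never touch. */
#define DEV_REGS         256
#define REG_FAN_LEVEL    0x10
#define REG_FLASH_UNLOCK 0xF0
#define FAN_LEVEL_MAX    7
static uint8_t device_regs[DEV_REGS];

struct ioctl_req {        /* as it arrives from user mode: every field is caller-controlled */
    uint32_t code;        /* operation */
    uint64_t offset;      /* target in the device's address space (flexible design only) */
    uint32_t length;      /* payload length */
    const uint8_t *data;  /* user payload */
};
enum { IOCTL_ANY_WRITE = 0x800, IOCTL_SET_FAN_LEVEL = 0x801 };

/* Anti-pattern the researchers describe: a proxy that performs whatever write user
 * mode asks for. The bounds check keeps this model memory-safe, but a proxy to MSRs
 * or physical memory has no meaningful bound, and any user still reaches any register. */
int dispatch_flexible(const struct ioctl_req *r) {
    if (r->code != IOCTL_ANY_WRITE || r->data == NULL) return -1;
    if (r->offset > DEV_REGS || r->length > DEV_REGS - r->offset) return -1;  /* no wrap-around */
    memcpy(device_regs + r->offset, r->data, r->length);
    return 0;
}

/* Task-specific design: the IOCTL names an operation, not an address. The driver
 * chooses the register and validates the value, so the caller cannot redirect it. */
int dispatch_specific(const struct ioctl_req *r) {
    switch (r->code) {
    case IOCTL_SET_FAN_LEVEL:
        if (r->length != 1 || r->data == NULL || r->data[0] > FAN_LEVEL_MAX) return -1;
        device_regs[REG_FAN_LEVEL] = r->data[0];
        return 0;
    default:
        return -1;  /* there is no "write anywhere" operation to abuse */
    }
}

/* Sends the same user-mode request to both designs; returns 1 when the flexible driver
 * set the flash-unlock register for the caller while the task-specific driver refused. */
int flexible_exposes_flash_unlock(void) {
    uint8_t one = 1;
    struct ioctl_req r = { IOCTL_ANY_WRITE, REG_FLASH_UNLOCK, 1, &one };
    memset(device_regs, 0, sizeof device_regs);
    int flex = dispatch_flexible(&r), spec = dispatch_specific(&r);
    return flex == 0 && device_regs[REG_FLASH_UNLOCK] == 1 && spec == -1;
}
```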

They also stressed that just because a driver is signed and certified does not mean it is safe.

“It is of particular concern that the drivers in question were not rogue or unsanctioned – in fact, just the opposite. All the drivers come from trusted third-party vendors, signed by valid certificate authorities, and certified by Microsoft,” they said.

Both Michael and Shkatov said the antidote is for Microsoft to step up and take action by blacklisting insecure drivers in Windows, either for all users or for specific CPU generations.

“We hope that the same actions that they took for the vulnerable Capcom driver can be taken with this batch of drivers we found,” Shkatov said.

Game maker Capcom released the popular Street Fighter V for PCs in 2016 with a secret rootkit that gave any installed application kernel-level privileges. It should also be noted that, in the case of the Huawei MateBook systems, it was Microsoft that found the bad driver that opened systems to attack.

As part of their research, Michael and Shkatov published a report on their findings that includes a partial list of affected vendors:

  • American Megatrends International (AMI)
  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

Black Hat USA 2019 has kicked off this week in Las Vegas.

  • Maneno gus

    I had a Dell laptop; it was completely taken over by a hacker remotely. The BIOS had been modified by unknown online administrators and my PC joined a domain. Even if I installed a new Windows, one user was set to download the drivers automatically, and before I knew it the Trojan was back in the new Windows I had just installed. The problems don't stop there: if I buy a new PC and set it up, the default migration setting in the Dell laptop is transferred to the new laptop automatically. It put me off Windows. I eventually found where the problem is: the hacker uses legitimate Microsoft settings, and nothing can be detected here because Windows NT is legitimate. The loophole is in Windows NT-AUTHORITY. I discovered that, in Windows Firewall, the hacker is able to manipulate the highest privileges and take over the PC. These are the SIDs: S-1-5-21-3149778896-3591747328-1830178181-500 and S-1-5-21-38725268-39301034-1469234959-1000. These SIDs may be real, but they are the users with the highest privilege, using an unknown account, the administrators online, with write/read built-in principal. WFD Driver-only (TCP-in) is allowed in Windows Firewall, and WFD Driver-only (UDP-in) is allowed too. These users are built-in local principals that connect remotely, download drivers including the Trojan, and are set to log in automatically the moment I manually log in. It will take over the local account if I log in as administrator; even if I log in with a Microsoft account, it will still take over, and all the time there is the warning from Microsoft saying there is an account problem, log in. The warning keeps coming, and before you know it you don't have permission on your own PC. The worst thing is that it will now start disabling/blocking/deleting all the good drivers, replacing them and changing the PC settings and services. It can even create a completely new Windows with updates blocked by default in the registry, disabling all the Intel drivers and blocking downloads.
    I noticed my new Lenovo was giving me a warning that a BIOS update was needed, but the update couldn't be downloaded; it failed all the time, and the Intel system checker couldn't be installed. The new PC was not stable. I reset the PC, switched off the router and set the PC offline, and opened the firewall. I used to block the Windows NT-AUTHORITY settings, but now I set myself in all these SIDs in local principal, including Windows NT everywhere in local principal, including Your account, Your phone, Work or school account, Workstation. It was a success: I opened Lenovo Vantage and updated the BIOS, and the Intel assistant ran and scanned my PC and updated the 7 drivers. This real loophole exists right now. If anybody wants to find out how real this is, bring me a new laptop; I will set up Windows only, and you will see how the hacker takes over that PC in no time. It got me in memory; I threw away that Dell laptop, but the settings will come back on any new PC I try using.
