Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs

A lack of proper code-signing verification and authentication for firmware updates opens the door to information disclosure, remote code execution, denial of service and more.

Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium.

TouchPad and TrackPoint firmware in Lenovo laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.

“Software and network vulnerabilities are often the more-obvious focus of organizations’ security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device,” Katie Teitler, senior analyst at TAG Cyber, said via email. “This could lead to implanted backdoors, network traffic sniffing, data exfiltration and more. Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch.”

Firmware for peripherals can be burned into the integrated circuit of the device itself, or the component may have its own flash memory where firmware is stored. Firmware can also be dynamically provided by the operating system at boot time. Regardless of the implementation approach, firmware is used as the device-specific operating system for the peripheral in question, and can provide criminals with a rich attack surface if found to be vulnerable.

“Many peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code,” explained researchers at Eclypsium, in vulnerability research released on Tuesday. “This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.”

The attack scenario is thus a simple one. First, an attacker gains access to a device by any method, be it physical access, malware that allows remote code execution and so on. Then, with basic user privileges, the attacker can write malicious firmware to a vulnerable component. If the component doesn’t require the firmware to be properly signed, the attacker’s code is loaded. Depending on the peripheral in question, this can lead to a range of malicious activity.
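The check that the affected components skip, as an added example that is not code from Eclypsium or any vendor: a device-side update gate in Go that writes an image only when a signature over the exact image bytes verifies against a public key held by the device. The `Device` type, the key provisioning, the choice of Ed25519 and the sample image are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Device is a hypothetical peripheral: VendorKey is the public key assumed to
// be provisioned at manufacture, Flash holds the firmware it will run.
type Device struct {
	VendorKey ed25519.PublicKey
	Flash     []byte
}

var ErrBadSignature = errors.New("firmware signature invalid: update rejected")

// ApplyUnsigned is the behaviour the research describes: any image is written.
func (d *Device) ApplyUnsigned(image []byte) { d.Flash = append([]byte(nil), image...) }

// ApplySigned writes the image only if sig is a valid signature by the vendor
// key over the exact image bytes. A device with no key provisioned fails closed.
func (d *Device) ApplySigned(image, sig []byte) error {
	if len(d.VendorKey) != ed25519.PublicKeySize || !ed25519.Verify(d.VendorKey, image, sig) {
		return ErrBadSignature
	}
	d.Flash = append([]byte(nil), image...)
	return nil
}

// Demo runs both paths on a constructed image and a copy with one byte changed.
func Demo() (unsignedAccepted bool, tamperedErr, genuineErr error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero test seed, not a real key
	pub := priv.Public().(ed25519.PublicKey)
	genuine := []byte("constructed sample firmware image v1")
	sig := ed25519.Sign(priv, genuine)
	tampered := append([]byte(nil), genuine...)
	tampered[0] ^= 0xff // stands in for any modification made after signing
	weak := &Device{}
	weak.ApplyUnsigned(tampered)
	unsignedAccepted = bytes.Equal(weak.Flash, tampered)
	hardened := &Device{VendorKey: pub}
	tamperedErr = hardened.ApplySigned(tampered, sig)
	genuineErr = hardened.ApplySigned(genuine, sig)
	return
}

func main() { fmt.Println(Demo()) }
```

The gate only helps if it runs inside the component itself, before the write to flash; a check performed solely by the host-side update tool can be skipped by anything that talks to the device directly.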

“For example, malicious firmware on a network adapter could allow an attacker to sniff, copy, redirect or alter traffic leading to a loss of data, man-in-the-middle and other attacks,” according to the research. “PCI-based devices could enable Direct Memory Access (DMA) attacks that could easily steal data or take full control over the victim system. Cameras could be used to capture data from the user’s environment, while a compromised hard drive could allow the attacker to hide code and tools without being seen by the operating system.”

Further, firmware attacks allow malicious activity to fly under the radar of endpoint protections; as recently seen in the latest campaigns using the RobbinHood ransomware, vulnerable drivers can be used to bypass security protections and enable ransomware to attack without interference.

Jesse Michael, principal researcher at Eclypsium, told Threatpost that the kinds of attacks that these bugs enable are not insignificant. For instance, the Black Energy attack that brought down part of the power grid in Ukraine used an unsigned firmware update to break serial-to-Ethernet adapters that were used to control relays.

“A similar incident occurred with Saudi Aramco,” he said. “This made the system much harder to bring back online.” He added that firmware/hardware CVEs have seen a 7.5-fold increase from three years ago.

Eclypsium researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop, which contains two vulnerable firmware mechanisms: Touchpad firmware (pr2812761-tm3288-011-0808.img) and TrackPoint firmware (PSG5E5_RANKA_fv06.bin).

“We discovered that the Touchpad and TrackPoint use insecure firmware update mechanisms,” according to the research. “Specifically, cryptographic signature verification was not required at the device level before firmware updates were applied. This lack of control made it possible to modify the firmware images through software to run arbitrary malicious code within these components.”

Meanwhile, the firmware updates distributed by HP for the HP Wide Vision FHD camera found in the HP Spectre x360 Convertible 13-ap0xxx laptop are unencrypted and lack authenticity checks, Eclypsium noted. The device’s firmware updater is composed of SunplusIT’s Windows-based firmware update tool along with the firmware image, and both have issues.

“The firmware image does not include any form of cryptographic signature or other authenticity information,” according to the report. “The Windows-based firmware update tool accepts firmware files that have been modified to adjust USB descriptor contents. This ability to modify USB descriptors can be leveraged to disable the device or cause it to be identified as a different type of USB device. Once additional details of the processor architecture are discovered, the camera module behavior can be altered to be malicious.”

Also, the SunplusIT firmware updater can successfully update a device even as a normal user, rather than requiring administrator access – a violation of best practices.

Eclypsium researchers also found that the firmware of the Wi-Fi adapter on Dell XPS 15 9560 laptops running Windows 10 has a bug. While Windows 10 will confirm that the drivers are correctly signed, that’s where the security checks stop. So, if the drivers are correctly signed, a small certificate icon is displayed next to the driver when viewed in the device manager. If they aren’t correctly signed, a user can still successfully load them – the icon merely goes away. This means that a privileged attacker could easily replace driver files.

And finally, the researchers also took a look at the Linux Vendor Firmware Service, which is a secure portal that allows hardware vendors to upload firmware updates. An analysis showed multiple insecure updates and drivers.

“From this resource we can focus specifically on update protocols and easily review which are signed and which are not,” the researchers wrote. “While we can see that some of the update protocols are related to transport, many others are protocols used for the actual update process. For example, VLI USB Hub firmware is unsigned.”

Eclypsium researchers notified HP of the webcam firmware vulnerability on August 4, and Lenovo of the TouchPad/TrackPoint vulnerability on June 13.

“We expect some vendors will issue CVEs, but none have as of yet,” Jesse Michael, principal researcher at Eclypsium, told Threatpost. “For these peripherals, the OEMs (HP and Lenovo) have to work with their suppliers to develop fixes. From what we’ve seen, most of these existing components were initially designed to have unsigned firmware, making them inherently vulnerable. Our interactions with these OEMs lead us to expect that future systems will have firmware update authentication requirements built in.”

Eclypsium also reported the Wi-Fi issue to both Qualcomm, which provides the chipset and driver for the wireless card, and Microsoft, which checks that such drivers are signed.

“Qualcomm responded that their chipset is subordinate to the processor, and that the software running on the CPU is expected to take responsibility for validating firmware,” Michael said. “They stated that there was no plan to add signature verification for these chips. However, Microsoft responded that it was up to the device vendor to verify firmware that is loaded into the device.” The result is that this will likely go unaddressed, since each is pointing the responsibility back to the other.

Bottom line: Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity, and provides multiple pathways for malicious actors to compromise laptops and servers.

“Once firmware on any of these components is infected, the malware stays undetected by any software security controls,” Michael said. “Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware.”
