Advertisement

Hackable firmware lurks inside Dell, HP and Lenovo computers amid supply chain security efforts

"Unsigned" firmware continues to haunt the hardware industry.
(Getty Images)

A stealthy hacking technique that could make it possible for attackers to access different components inside PCs made by the likes of Dell, HP and Lenovo still exists, five years after researchers first warned of it.

Security researchers from Eclypsium, in findings published Tuesday, demonstrated how much of the firmware inside modern computers, such as webcams, USB hubs, trackpads and other internal hardware could be updated with “unsigned” code that’s not designed by the device vendor. That firmware, left unprotected, could provide outsiders with a gateway into more sensitive computer networks, all while PC customers implicitly trust their machine to safeguard their data. (The company only pointed to theoretical attacks, rather than an active, ongoing campaign against these devices.)

“Firmware is meant to be invisible to the user, and so it’s not surprising that most people don’t pay attention to it,” said Eclypsium CEO Yuriy Bulgin. “However, these components make up the foundation upon which every device, operating system, and application depends.”

Researchers used unsigned firmware to show how an attacker could compromise an operating system remotely in order to steal network data. The highlighted flaws could also enable “direct-memory access” attacks which exploit a computer’s core operating system.

Advertisement

The U.S. Department of Homeland Security has funded efforts to improve firmware integrity, while the National Security Agency and companies like Microsoft are moving forward with their own plans meant to harden defenses inside widely used machines. Yet the problem remains pervasive, as the latest Eclypsium research shows.

“Detecting the issue does not really solve the problem,” Bulgin continued. “To address this, most manufacturers must create a new firmware update that includes signature checking features.”

Ulf Frisk, an independent hardware security researcher, also said the problem is deeply embedded in existing technology.

The goal is to get new devices to start checking if the firmware is signed before loading it, Frisk said. But that still leaves all of the current equipment that doesn’t do that.

In their demonstrated attack on firmware in a network interface card (NIC) — the hardware that allows a computer to connect to a network — the Eclypsium researchers built on one of the best known firmware attacks in the wild. In 2015, researchers from the cybersecurity company Kaspersky revealed that Equation Group, a set of hackers linked to the NSA, were using implants to reprogram a computer’s hard drive with malicious code.

Advertisement

After that disclosure, the Eclypsium researchers said, many hardware vendors shored up their security to only accept valid firmware. But vendors of “peripheral components” — things like WiFi adapters and cameras — have been much slower to follow suit.

In response to the research, HP has issued a firmware patch for a camera that was found vulnerable. The company told Eclypsium future camera models will have signed firmware.

A Lenovo spokesperson told CyberScoop the report “addresses a well-known, industry-wide challenge” and that “Lenovo devices perform on-peripheral device firmware signature validation where technically possible. Lenovo is actively encouraging its suppliers to implement the same approach and is working closely with them to help address the issue.”

A Dell spokesperson said the company was aware of the research and working with its suppliers to understand the impact of the findings. Dell will post security updates or mitigations on its website as they become available, the spokesperson said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts