You are here

You are here

Perilous peripherals: Fake firmware warning after 5 years of inaction

Richi Jennings Your humble blogwatcher, dba RJA

A report out this week says we’re not doing enough to combat threats in device firmware. Amazingly, the industry mostly still isn’t digitally signing updates.

Fake firmware malware is well placed to be persistent. And it can be easy to update without a privileged account. Plus, there’s the obvious supply-chain vector.

We’ve known about this for years. So why the inaction? In this week’s Security Blogwatch, we wake up and smell the coffee.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: pointless terminal tricks.

Firmware fracas; driver danger

What’s the craic? Robert Lemos reports—Firmware Weaknesses Can Turn Computer Subsystems into Trojans:

The software that acts as the interface between a computer and its various hardware components can be turned into an espionage-focused implant, because the companies that make the components often fail to create a secure mechanism of updating the code. … Major turnkey design and manufacturing firms that supply components — such as Wi-Fi adapters, USB hubs, trackpads, and cameras — failed to sign their firmware, opening up the possibility that an attacker could replace [it] with a malicious version.

The research underscores that, despite the light shed on the technique by … Edward Snowden, few companies have created a secure supply chain for attesting that the firmware updates are official. … The main benefit to an attacker of compromising the firmware is that a subverted device could be used to reload malware, if an antivirus scanner … cleans the attacking code from the hard drive.

And Andy Greenberg bergs—precious little progress being made:

[It] could allow any malware … to take control of those components and exploit them for everything from intercepting a computer's network communications to spying through its webcam. Worse still … firmware hacking could allow a hacker to create malware that's nearly impossible to disinfect.

Security researchers have warned of the near-total insecurity of some computer components' firmware for years. [But] years of warnings haven't fixed the problem.

The issue … is fundamentally one of supply chains. While computer manufacturers might feel pressure from users … few of them have been able to persuade the suppliers of their components to lock down their firmware. Until they do, they'll be left … trying to build a secure computer out of fundamentally insecure parts.

Who’s raising the alarm this time? Eclypsium’s Jesse Michael and Rick Altherr, in Perilous Peripherals:

It has been five years since the Equation Group’s HDD implants were found in the wild, and introduced the industry to the power of firmware hacking and the underlying dangers posed by unsigned firmware. [But] much of the industry continues to turn a blind eye to the risks.

We found unsigned firmware in WiFi adapters, USB hubs, trackpads, and cameras in a variety of enterprise devices. … Disruption to components such as network cards, drives, and other peripherals can completely disable the device or provide attackers with ways to steal data, deliver ransomware and hide from security.

In response to the growing … threats, many organizations have begun to add firmware to their vulnerability management and threat prevention models. … Virtually every component within a device has its own firmware and its own potential for risk, including network adapters, graphics cards … and trackpads.

[But] devices often lack the same security best practices that we take for granted in operating systems. [With] no way to validate that the firmware loaded by the device is authentic … an attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust. … Many components can be updated without the need for special privileges, leading to a very simple and powerful … attack.

Malicious firmware on a network adapter could allow an attacker to sniff, copy, redirect, or alter traffic leading to a loss of data, man-in-the-middle and other attacks. PCI-based devices could enable Direct Memory Access (DMA) attacks that could easily steal data or take full control over the victim system. Cameras could be used to capture data from the user’s environment, while a compromised hard drive could allow the attacker to hide code and tools without being seen by the operating system.

“Equation Group”? Remind me. Paul Wagenseil guides us:

In 2015 … Kaspersky disclosed the existence of malware that altered the firmware of computer hard drives, including drives made by IBM, Maxtor, Seagate, Toshiba and Western Digital, allowing the attackers to build silent backdoors into the computers. [It] was part of a larger constellation of hacking tools that Kasperksy attributed to the Equation Group, one of several highly skilled, long-running state-sponsored teams.

Equation Group is widely believed to be … the U.S. National Security Agency.

What’s the solution? Waseem Alkurdi suggestifies thuswise: [You’re fired—Ed.]

Firmware updates really have to be signature-checked, or in the least disallowed, unless (for instance) a "dev mode" pin is connected. And even that should burn an eFuse to void warranty.

There's really no semantic working-around this incompetence.

But Luthair considers the unintended consequences:

Consider, if hardware starts to check signatures, then that will prevent hobbyists from creating custom firmware (e.g., removing Lenovo's whitelisted wi-fi cards, or making your optical drive region free).

And T3OU-736 questions motivations:

The lack of meaningful signature verification for device FW updates is a rather old state of affairs, going back at least a decade and a half. So why is this being released now?

Without going down the path of, "What is the root of trust for a signed update?" … this is non-trivial problem to solve. Some FW, as part of the more general "driver", do go via Microsoft's WQHL, and some manufacturers do have signed updates on Linux (RPM signatures as an example).

So we should all switch to Chromebooks? Nope, says jittles:

It is absolutely trivial to get a Chromebook to rollback to the factory microcode release that, with almost 100% certainty, has known security vulnerabilities. Not only do I refuse to trust an advertising company to sell me hardware, but I know from their own mouths that their security is, in practice, not as good as you think it is.

Meanwhile, Arrigo Triulzi—@cynicalsecurity—waxes cynical:

Objectively speaking, this is episode 1763 in the series “why you cannot continue to overload a 1981 PC with Byzantine security layers and hope to get away with it.”

The moral of the story?

How exposed are you to fake firmware? Is your hardware vendor taking this seriously? Are you?

And finally

11 Pointless (but awesome) Terminal Tricks

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Michael Schwarzenberger (Pixabay)

Keep learning

Read more articles about: SecurityInformation Security