The lax security of supply chain firmware has been a known concern for years—with precious little progress being made.
That laptop on your desk or that server on a data center rack isn’t so much a computer as a network of them. Its interconnected devices—from hard drives to webcams to trackpads, largely sourced from third parties—have their own dedicated chips and code. That represents a serious security problem: Despite years of warnings, those computers inside your computer remain disturbingly unprotected, offering an insidious and nearly undetectable way for sophisticated hackers to maintain a foothold inside your machine.
That’s the helpful reminder provided by new research from security firm Eclypsium, which today released a report on components and PC peripherals connected to and inside of hundreds of millions of computers around the world. Eclypsium researchers found that a slew of network cards, trackpads, Wi-Fi adapters, USB hubs, and webcams all had firmware that could be updated with “unsigned” code that lacks any cryptographic verification. In other words, it could be rewritten without any security check.
That sort of firmware hacking could allow any malware that manages to run on a victim computer to take control of those components and exploit them for everything from intercepting a computer’s network communications to spying through its webcam. Worse still, it could hide in obscure components, making detection and mitigation nearly impossible.
“Your webcam is its own computer. Your touchpad is its own computer. The software they run is their firmware, and there are no checks to the authenticity of that firmware when they power on. They just blindly trust it,” says Rick Altherr, an Eclypsium principal engineer who worked on the new firmware research. “An unprivileged user can actually modify the firmware on these devices, and there are no checks to where that firmware came from or what it does.”
Security researchers have warned of the near-total insecurity of some computer components’ firmware for years; SRLabs notably exposed the lack of verification of USB thumb drive firmware in 2014. Firmware hacking has shown up in the wild, too: Mac firmware hacking tools were included in the Vault7 leak of CIA spy techniques, for instance, and Kaspersky researchers revealed in 2015 that Equation Group—widely believed to be a team of NSA hackers—planted their code in victims’ hard drive firmware to spy on them.
But Eclypsium says its research is intended to serve as evidence that years of warnings haven’t fixed the problem. Computer and peripheral makers don’t seem to have implementing code-signing—cryptographic signature checks to verify the authenticity of a firmware updates—for the majority of components. “When I look at the industry at large, the PCs and servers being shipped, there isn’t a single device in the market that is entirely secured,” says Altherr. “If you look at any laptop, I guarantee there will be some unsigned component inside of it.”
The researchers focused on five specific components: Touchpads and trackpoints in Lenovo laptops, webcams found in HP laptops, Wi-Fi adapters from Dell laptops, a Via Labs USB hub, and a Broadcom network interface card. They demonstrated that they could update each device’s firmware with no verification, and in the case of the webcam and USB hub, without even having administrator privileges on the target computer.
For most of the components, the researchers showed only that they could make an arbitrary change to the part’s firmware, not actually going so far as to write proof-of-concept malware. They argue, though, that hijacking the firmware in any of those components could essentially hijack all of its functionality. The Wi-Fi adapter or USB hub could intercept the user’s communications. The webcam could spy on the user. And the trackpad can take control of the computer’s mouse movements. On top of those expected functions, several of the devices’ firmware could be used to emulate a peripheral keyboard and type keystrokes on the target computer too.
For the Broadcom network interface card, however, the researchers went further, building actual proof-of-concept malicious firmware that intercepts the computer’s network communications. They showed that when the Broadcom card is used in a cloud setting with multiple virtual machines on the same server, it can also be exploited to not simply intercept the traffic going into and out of a single virtual machine but also the communications to the baseboard management controller on the underlying physical computer. That would allow a hacker to “break out” of an infected virtual machine to intercept and send malicious commands to other virtual machines that use the same hardware.
Rewriting firmware can also allow malicious code to avoid detection by antivirus programs, or persist even after a computer’s entire operating system is reinstalled. That firmware hacking could allow a hacker to create malware that’s nearly impossible to disinfect. “You scatter your infection across as many components in the systems you’re attacking as possible, and as each one is fixed you reinfect from one of the other ones,” says Altherr. “The victim would have to clean their system of all the infections at once to regain control.” In fact, the suspected NSA firmware hack in 2015 used a variation on this very technique.
When WIRED reached out to Broadcom, Lenovo, HP, Dell, and Via Labs for comment, Dell responded in a statement on its website: “We’re now working with our supplier to understand impact and will communicate any necessary security updates or mitigations.” Lenovo’s stated that “[Eclypsium’s] report addresses a well-known, industrywide challenge stemming from most peripheral devices having limited storage and/or computational capabilities,” and “Lenovo devices perform on-peripheral-device firmware signature validation where technically possible. Lenovo is actively encouraging its suppliers to implement the same approach and is working closely with them to help address the issue.”
Firmware hacking has remained rare outside of a research setting, points out Karsten Nohl, who along with fellow SRLabs researcher Jakob Lell demonstrated the so-called BadUSB problem in 2014. Firmware hacking has been used almost exclusively by sophisticated hackers believed to be working in the service of a government or intelligence agency. It’s not something the average user has to worry about much. But Nohl says the fact that so many components’ code still doesn’t have any security, years after the problem was exposed and demonstrated, nonetheless represents a failure of the computing industry.
“As theoretical as it’s been so far, it’s important that we make some progress on signing firmware and protecting against these attacks,” says Nohl. “That progress has been very slow coming.”
The issue, Eclypsium’s researchers argue, is fundamentally one of supply chains. While computer manufacturers might feel pressure from users to secure their own software, few of them have been able to persuade the suppliers of their components to lock down their firmware. Until they do, they’ll be left with an intractable problem: trying to build a secure computer out of fundamentally insecure parts.
All Rights Reserved for Andy Greenberg