The Risks of Peripheral Firmware

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Peripheral firmware refers to the firmware found in devices, such as WiFi adapters, trackpads, USB hubs, cameras etc. They have access to, but are not a part of, a primary system.

Researchers from Eclypsium have discovered multiple instances of unsigned firmware in computer peripherals that can be used by malicious actors to attack laptops and servers running Windows and Linux. This is a big problem. There are millions of such devices that are directly exposed to attacks designed to abuse this flaw. They are used in any number of malicious ways, from data exfiltration to ransomware infections.

When it comes to security, most of the attention goes to the most visible components of a system, such as the operating system and applications. In many cases these efforts are limited to the system firmware—the UEFI or BIOS resident on the main board of a device. Unfortunately, these peripheral devices are an excellent way to avoid or bypass those security efforts.

Many peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code. These components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.

Attackers can take advantage of unsigned firmware in several ways:

• In the case of network adapters, they can capture or alter the network traffic, while Peripheral Component Interconnect (PCI) devices would enable them to steal information and even take over the system via Direct Memory Access (DMA) attacks.

• Taking full control over a target's camera could allow them to start capturing video and audio content from their surroundings.

• Abusing the firmware of a hard drive connected to a computer makes it possible to drop malicious tools and run malicious code that would completely escape operating system security checks.

The following are a few examples of insecure firmware Eclypsium researchers were able to discover in various peripherals:

• Touchpad and TrackPoint Firmware in Lenovo ThinkPad X1 Carbon 6th Gen laptop: firmware update with no cryptographic signature checks.

• HP Wide Vision FHD Camera Firmware in HP Spectre x360 Convertible 13-ap0xxx laptop: unencrypted firmware update with no auth checks.

• WiFi Adapter on Dell XPS 15 9560 a laptop: modified firmware still successfully loads despite Windows 10 signing checks.

• USB Hub firmware: VLI USB Hub firmware for Linux is unsigned.

All in all, unsigned firmware in various peripheral devices is a big cybersecurity issue. It is commonly overlooked leading to severe security problems including loss of data, integrity, and privacy. It can be used to help threat actors escalate their privileges and bypass security controls that would otherwise stop their attacks.

Given the widespread nature of unsigned firmware, enterprises should scan their devices for any vulnerable components, and should assess the firmware posture of new devices during procurement.