“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Peripheral firmware refers to the firmware found in devices such as WiFi adapters, trackpads, USB hubs and cameras: components that have access to, but are not part of, the primary system.
Researchers from Eclypsium have discovered multiple instances of unsigned firmware in computer peripherals that malicious actors can use to attack laptops and servers running Windows and Linux. This is a big problem: millions of such devices are directly exposed to attacks designed to abuse this flaw, and they can be used in any number of malicious ways, from data exfiltration to ransomware infections.
When it comes to security, most of the attention goes to the most visible components of a system, such as the operating system and applications. In many cases these efforts go no further than the system firmware, the UEFI or BIOS resident on the main board of a device. Unfortunately, peripheral devices are an excellent way to avoid or bypass those security efforts.
Many peripheral devices do not verify, before running the code, that their firmware is properly signed with a high-quality public/private key pair. These components have no way to validate that the firmware loaded onto the device is authentic and should be trusted, so an attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.
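As an added example that is not part of the original post or of Eclypsium's research, the following Go program models the check described above: a vendor-signed image format and the loader-side verification that refuses unsigned, tampered or wrongly keyed images. The image layout, the function names and the error values are all assumptions made for illustration, not any real device's update format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not a real vendor format): "FWIM" | uint32 payload length | payload | Ed25519 signature.
var (
	magic           = []byte("FWIM")
	ErrBadImage     = errors.New("firmware: malformed or truncated image")
	ErrUnsigned     = errors.New("firmware: image carries no signature")
	ErrBadSignature = errors.New("firmware: signature does not verify")
)

// SignFirmware is the vendor-side step; the signature covers magic, length and payload.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.LittleEndian, uint32(len(payload)))
	buf.Write(payload)
	sig := ed25519.Sign(priv, buf.Bytes())
	buf.Write(sig)
	return buf.Bytes()
}

// VerifyFirmware is the check a loader should run before executing an update: the payload is returned only if the whole image verifies under the vendor key.
func VerifyFirmware(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < 8 || !bytes.Equal(image[:4], magic) ||
		uint64(binary.LittleEndian.Uint32(image[4:8]))+8 > uint64(len(image)) {
		return nil, ErrBadImage // wrong magic, or a length field larger than the image itself
	}
	body := 8 + int(binary.LittleEndian.Uint32(image[4:8]))
	if len(image) == body { // payload present but no signature at all
		return nil, ErrUnsigned
	}
	if len(image) != body+ed25519.SignatureSize || !ed25519.Verify(pub, image[:body], image[body:]) {
		return nil, ErrBadSignature // wrong length, tampered bytes, or a key other than the vendor's
	}
	return image[8:body], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the vendor's key pair
	fmt.Println(VerifyFirmware(pub, SignFirmware(priv, []byte("constructed payload"))))
}
```

A loader that behaves as the post describes would simply return image[8:] without any of these checks, which is exactly what lets an attacker's image run.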
Attackers can take advantage of unsigned firmware in several ways:
The following are a few examples of insecure firmware Eclypsium researchers were able to discover in various peripherals:
All in all, unsigned firmware in various peripheral devices is a big cybersecurity issue. It is commonly overlooked, leading to severe security problems including loss of data, integrity, and privacy. It can be used to help threat actors escalate their privileges and bypass security controls that would otherwise stop their attacks.
Given the widespread nature of unsigned firmware, enterprises should scan their devices for any vulnerable components, and should assess the firmware posture of new devices during procurement.