    TechNewsWorld.com

    Unsigned Firmware Puts Windows, Linux Peripherals at Risk

    By Jack M. Germain LinuxInsider ECT News Network
    Feb 19, 2020 12:23 PM PT

    Researchers at firmware security company Eclypsium on Tuesday released new research that identifies and confirms unsigned firmware in WiFi adapters, USB hubs, trackpads and cameras used in Windows and Linux computer and server products from Lenovo, Dell, HP and other major manufacturers.

    Eclypsium also demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers.

    The demonstration shows the exposed attack vector once firmware on any of these components is infected using the issues the report describes. The malware stays undetected by any software security controls.

    Unsigned firmware provides multiple pathways for malicious actors to compromise laptops and servers. That leaves millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware, warned Eclypsium.

    Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity. Depending on the capabilities of the component, unsigned firmware can lead to the loss of data, integrity and privacy. It also can allow attackers to gain privileges and hide from traditional security controls, notes the report, titled "Perilous Peripherals: the Hidden Dangers Inside Windows & Linux Computers."

    Software and network vulnerabilities are often the more obvious focus of organizations' security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device, according to Katie Teitler, senior analyst at TAG Cyber.

    "This could lead to implanted back doors, network traffic sniffing, data exfiltration, and more," she told LinuxInsider.

    Reporting factors

    The "Perilous Peripherals" report is based on original research conducted by members of Eclypsium's research team. They include principal researchers Rick Altherr, Mickey Shkatov, Jesse Michael and CTO Alex Bazhaniuk.

    Work on this research began more than 18 months ago and was completed this February. The study was self-funded by the company, according to Jesse Michael, the report's principal researcher.

    "It is safe to assume that tens of millions -- if not hundreds of millions -- of systems have these specific unsigned firmware components," Michael told LinuxInsider.

    For example, annual server shipments are around 12 million, and annual laptop shipments number approximately 200 million units. While the specific vulnerabilities identified in this report affect only a portion of all shipped systems, unsigned firmware components are prevalent within the industry, he explained.

    "We have yet to find a system that does not include such components," Michael said.

    Problematic Roots

    The problem surrounding unsigned firmware surfaced five years ago. Security researchers found the Equation Group's HDD implants lurking in the wild. That was a wake-up call introducing the computer industry to the power of firmware hacking and the underlying dangers posed by unsigned firmware in peripheral devices, according to Eclypsium's report.

    There have been pockets of progress in dealing with the problem in recent years. However, much of the industry continues to turn a blind eye to the risks of unsigned firmware, Eclypsium's research indicates.

    In carrying out four separate research projects, Eclypsium's team found unsigned firmware in WiFi adapters, USB hubs, trackpads and cameras in a variety of enterprise devices. These issues can be devastating to the security and operation of the devices.

    "More often than not, [they] are very difficult to fix. Disruption to components such as network cards, drives and other peripherals can completely disable the device or provide attackers with ways to steal data, deliver ransomware and hide from security," the report states.

    These weaknesses are widespread across components in laptops and servers, the new Eclypsium research shows. They offer multiple pathways for malicious attacks.

    See Eclypsium's "Know Your Own Device" resource for an overview of some of the most common firmware-enabled components within devices today.

    Slow Response, Few Solutions

    Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware. When it comes to security, most of the attention goes to the most visible components of a system, such as the operating system and the applications.

    In response to the growing number of threats, many organizations have begun to add firmware to their vulnerability management and threat prevention models. However, these efforts are limited to the system firmware -- the UEFI or BIOS resident on the main board of a device, explained Michael.

    The lurking danger is underscored because virtually every component within a device has its own firmware and its own potential for risk, he said. That includes network adapters, graphics cards, USB devices, cameras, touchpads and trackpads, and more.

    "Unfortunately, this issue will be around for quite a while, and we'll most likely see improvements in next-gen products. But this will not happen all at once. As an industry, we need to pay more attention to hardware and firmware security," suggested Michael.

    Some OEMs, such as HP and Lenovo, have been quick to acknowledge the problem and begin working on solutions with their device/component manufacturers. Signed firmware protections typically require changes within the hardware as well as the firmware. To do that, they must be introduced in a future device revision or model, he added.

    Why the Risk

    These internal components in peripheral devices are governed by firmware. The firmware may be burned into the integrated circuit of the device itself. Or the component may have its own flash memory where firmware is stored.

    In other cases firmware may be provided dynamically by the operating system at boot time. However the firmware is stored, it can act like a miniature computer that governs the low-level behavior of that particular component. This code often is very susceptible to attack, residing in everything from laptops to servers to network devices, according to the report.

    Protecting users from the dangers of unsigned firmware requires work by vendors throughout the industry. The original equipment manufacturers (OEMs) and original design manufacturers (ODMs) need to work together to fix these issues.

    "By including these types of issues in their risk assessments, organizations can make informed decisions on which peripherals and products are secure and which are not," said Michael.

    Daunting Struggle Ahead

    Mitigating the problems unsigned firmware causes over such an extended period of widespread use means a speedy solution is unlikely to come soon -- but it is essential to make progress toward that end.

    "Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch," TAG Cyber's Teitler said. "Best practice is to deploy automated scanning for vulnerabilities and misconfigurations at the component level and continuously monitor for new issues or exploits."

    The problem is that peripheral devices often lack the same security best practices that we take for granted in operating systems and in other more visible components, like the UEFI or BIOS, noted Michael. Specifically, many peripheral devices do not verify that firmware is signed properly with a high-quality public/private key before running the code.

    This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker simply could insert a malicious or vulnerable firmware image, which the component would trust blindly and run, he cautioned.
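The check Michael describes as missing, shown as an added example (not code from Eclypsium's report or from any vendor): a device-side gate that accepts a firmware image only if its Ed25519 signature verifies against a built-in public key. It goes one step beyond the passage by also rejecting validly signed but older images; the image layout, the test key and all function names are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example): 4-byte big-endian version,
// payload, then a 64-byte Ed25519 signature over version+payload.
var (
	ErrTooShort = errors.New("image too short")
	ErrBadSig   = errors.New("signature check failed")
	ErrRollback = errors.New("version older than installed")
)

// SignImage is the vendor side; only the vendor holds the private key.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4, 4+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device side: public key plus installed version only.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, error) {
	if len(img) < 4+ed25519.SignatureSize {
		return nil, ErrTooShort
	}
	split := len(img) - ed25519.SignatureSize
	if !ed25519.Verify(pub, img[:split], img[split:]) {
		return nil, ErrBadSig // modified or unsigned image
	}
	if binary.BigEndian.Uint32(img[:4]) < installed {
		return nil, ErrRollback // validly signed but older release
	}
	return img[4:split], nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // constructed key
	pub := priv.Public().(ed25519.PublicKey)
	img := SignImage(priv, 7, []byte("constructed firmware payload"))
	_, errGood := VerifyImage(pub, 5, img)
	img[10] ^= 0x01 // flip one payload bit
	_, errBad := VerifyImage(pub, 5, img)
	fmt.Println("genuine:", errGood, "| modified:", errBad)
}
```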

    No Clear Path Forward

    These components are inside laptops and servers, but it is often up to the individual device/component manufacturers to introduce mitigations.

    Most organizations do not have the mature processes needed to handle security flaws at this level or assign Common Vulnerabilities and Exposures (CVE) reports, according to Yuriy Bulygin, CEO of Eclypsium.

    Often, aging hardware becomes a bigger part of the problem. Technical methods to provide robust fixes for fielded products are unavailable because of an old hardware design, he said.

    "So we will see these issues for years to come, and the only way to improve this is to keep finding vulnerabilities, alerting the public, and helping device vendors to establish better firmware security," Bulygin told LinuxInsider.

    Attack Vectors

    Eclypsium researchers demonstrated how unsigned firmware can be abused as part of a real-world attack.

    The company's report details how an attacker who gains control over a peripheral component can use the component's functionality for malicious purposes. The attacker potentially can gain new privileges and even get control over the entire system.

    The demonstration shows Eclypsium researchers attacking unsigned firmware in a network interface card (NIC) chipset. A malicious attack on the card can have a profound impact on the server.

    That, in turn, compromises the operating system remotely. It provides the attacker with a remote backdoor for snooping and exfiltrating raw network traffic while bypassing operating system firewalls to extract data or deliver ransomware.

    Such an attack could disconnect a server from a network upon a signal, the report warns. That can result in disrupting connectivity for an entire data center.


    Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.


    Reader Comments
    oiaohm
    Posted 2020-02-19
    This is the biggest bit of garbage I have ever read because they totally don't understand the problem space.

    The problem is not unsigned firmware. It's non-verified firmware.

    Yes signing firmware can be a method to assist in verification.

    https://www.darkreading.com/vulnerabilities---threats/how-the-major-intel-me-firmware-flaw-lets-attackers-get-god-mode-on-a-machine/d/d-id/1330565

    We have to remember threats like the above turn up; yes, this is signed firmware, and systems still get exploited. So if all hardware mandated signed firmware, nothing says that an attack will not use an old flawed version of firmware that was signed.

    Really have another side to this problem.

    In their attack example they are using an open source implemented version of ...
    GerryP
    Posted 2020-02-20
    Please edit the comment above for typos and omissions. The last few paragraphs are confusing and the topic critical.
    oiaohm
    Posted 2020-02-21
    To me it's not really confusing, but at the end, due to growing length, I did attempt to cut it down.

    Reading over there is a clear omission that most people would not know.

    "Really it's not cost sane to do signed firmware on every controller."

    This paragraph. Exactly what about the controllers makes cost insane.

    A large number of controllers' core instruction set is still based around the 8051 8-bit instruction set with extended parts to the instruction set to process that. You could argue that this is old. Even if we move to a modern RISC-V, the controller version can be RV32I with no extensions. So a RISC-V with only maths there is add and subtraction.

    The simple reality in controller silicon the ability to process x502 certificate or equal to ...
    GerryP
    Posted 2020-02-22
    Thanks for the clarification. Very much appreciated.