Research from Eclypsium reports that newly disclosed firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are exposing millions of peripheral devices to a range of cyberattacks. The TouchPad and TrackPoint firmware in Lenovo laptops, the HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter in Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.
It seems a bit strange that software signing has become a modern standard for programs and executables in general, whereas for firmware it has apparently been ignored on a massive scale. Software signing ensures that an end-user can verify that what they are downloading comes from a trusted source and has not been tampered with by a malicious actor somewhere along the way. Failing to do this for firmware essentially gives malicious code a free pass into your system. Depending on the hardware that the firmware in question controls, this could lead to a multitude of attacks. Addressing this threat from an industry-wide perspective is not a small task and will require a collective effort and cooperation from hardware vendors and OS manufacturers alike.
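To make the point concrete, the following is an added example (not code from Eclypsium, from any of the vendors named above, or from this article) of what a secure firmware update mechanism with code-signing has to do that the affected devices do not. It assumes a hypothetical update container in which the vendor signs the magic string "FWUP", the version number and the SHA-256 of the image with an Ed25519 key, and the device-side updater verifies that signature with the embedded vendor public key before flashing; the names `Package`, `SignPackage`, `VerifyPackage` and `Scenario` are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update container (an assumption for this example, not any vendor's real format):
// the vendor signs magic || version || SHA-256(image), and the updater verifies that
// signature with the vendor's public key before it will flash anything.
const magic = "FWUP"

// Package is one firmware update as delivered to the updater.
type Package struct {
	Version uint32 // monotonically increasing firmware version
	Image   []byte // raw firmware payload
	Sig     []byte // Ed25519 signature over signedBytes(Version, Image)
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature does not verify under the vendor key")
	ErrRollback     = errors.New("firmware rejected: version is older than the installed one")
)

// GenerateVendorKey stands in for the vendor's offline signing key. Only the public half
// is embedded in the device; the private half never leaves the vendor.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedBytes fixes the exact byte string that is signed and verified. Hashing the image
// keeps the signed message small; including the version binds it to the signature so a
// valid signature cannot be reused on an image relabelled with a different version.
func signedBytes(version uint32, image []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	_ = binary.Write(&buf, binary.BigEndian, version)
	digest := sha256.Sum256(image)
	buf.Write(digest[:])
	return buf.Bytes()
}

// SignPackage is the vendor-side step at release time.
func SignPackage(priv ed25519.PrivateKey, version uint32, image []byte) Package {
	return Package{
		Version: version,
		Image:   image,
		Sig:     ed25519.Sign(priv, signedBytes(version, image)),
	}
}

// VerifyPackage is the device-side check a secure update mechanism must run before
// flashing: the signature must verify under the embedded vendor key, and the version
// must not go backwards (otherwise a signed-but-vulnerable old image could be reinstalled).
func VerifyPackage(pub ed25519.PublicKey, installed uint32, p Package) error {
	if !ed25519.Verify(pub, signedBytes(p.Version, p.Image), p.Sig) {
		return ErrBadSignature
	}
	if p.Version < installed {
		return ErrRollback
	}
	return nil
}

// Scenario runs the updater against four constructed packages and returns the verdicts:
// genuine, tampered payload, unsigned, and a genuine-but-older image (rollback).
func Scenario() map[string]error {
	pub, priv := GenerateVendorKey()
	const installed = 2
	image := []byte("constructed firmware payload for a hypothetical Wi-Fi adapter") // constructed sample

	genuine := SignPackage(priv, 3, image)

	tampered := SignPackage(priv, 3, image)
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xFF // one flipped byte in the payload, signature left untouched

	unsigned := Package{Version: 3, Image: image} // no signature at all, as on an updater that never checks one

	old := SignPackage(priv, 1, image) // validly signed, but older than what is installed

	return map[string]error{
		"genuine":  VerifyPackage(pub, installed, genuine),
		"tampered": VerifyPackage(pub, installed, tampered),
		"unsigned": VerifyPackage(pub, installed, unsigned),
		"rollback": VerifyPackage(pub, installed, old),
	}
}

func main() {
	for name, err := range Scenario() {
		if err == nil {
			fmt.Printf("%-8s accepted, flashing\n", name)
		} else {
			fmt.Printf("%-8s %v\n", name, err)
		}
	}
}
```

Only the genuine package is accepted; the tampered and unsigned ones fail the signature check, and the older signed image is refused as a rollback. The two checks are deliberately separate: a signature proves the vendor produced the image, while the version check stops an attacker from reinstalling a vendor-signed image that is known to be vulnerable.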
With supply chain cyber attacks on the rise in 2019, this research should serve as notice to software publishers that they are a critical component of the digital supply chain – regardless of what type of software they provide. Insecure update mechanisms, or the lack of cryptographically secure validation mechanisms for their software, open the door to malicious attacks. This is because most end users are not equipped to validate the legitimacy of the software they use and rely on the software delivery process to perform all validation. Importantly, when they can't find what they believe to be a solution for their issue from the vendor, they will download a potential solution from the internet, with a malware infection as a possible result. Since device firmware executes before the operating system starts, the protections offered by anti-malware solutions are rendered ineffective: malicious firmware can behave in ways that lead anti-malware to believe there is nothing wrong with the computer system.
In the end, consumers of any software, whether packaged commercial software, IoT firmware, computer drivers, or open source solutions, should first contact the supplier of their software directly for any updates or patches. While it might be convenient to apply a patch found through an internet search, the reality is that third-party repositories could easily host malicious versions of software. This is why the first principle of patch management is to know where the software came from, as that is where any patches must also originate.