That laptop on your desk or server on a data center rack isn’t so much a computer as a network of them. Its interconnected devices—from hard drives to webcams to trackpads, largely sourced from third parties—have their own dedicated chips and code as well. That represents a serious security problem: Despite years of warnings, those computers inside your computer remain disturbingly unprotected, offering an insidious and nearly undetectable way for sophisticated hackers to maintain a foothold inside your machine.
That’s the helpful reminder provided by new research from security firm Eclypsium, which today released a report on components and PC peripherals connected to and inside of hundreds of millions of computers around the world. They found that a slew of network cards, trackpads, Wi-Fi adapters, USB hubs, and webcams all had firmware that could be updated with “unsigned” code that lacks any cryptographic verification In other words, it could be rewritten without any security check.
That sort of firmware hacking could allow any malware that manages to run on a victim computer to take control of those components and exploit them for everything from intercepting a computer’s network communications to spying through its webcam. Worse still, it could hide in obscure components, making detection and mitigation nearly impossible.
“Your webcam is its own computer. Your touchpad is its own computer. The software they run is their firmware, and there are no checks to the authenticity of that firmware when they power on. They just blindly trust it,” says Rick Altherr, an Eclypsium principal engineer who worked on the new firmware research. “An unprivileged user can actually modify the firmware on these devices and there are no checks to where that firmware came from or what it does.”
Security researchers have warned of the near-total insecurity of some computer components’ firmware for years; SRLabs notable exposed the lack of verification of USB thumb drive firmware in 2014. Firmware hacking has shown up in the wild, too: Mac firmware hacking tools were included in the Vault7 leak of CIA spy techniques, for instance, and Kaspersky researchers revealed in 2015 that Equation Group—widely believed to be a team of NSA hackers—planted their code in victims’ hard drive firmware to stealthily spy on them.
But Eclypsium says its research is intended to serve as evidence that years of warnings haven’t fixed the problem. Computer and peripheral makers don’t seem to have implementing code-signing—cryptographic signature checks to verify the authenticity of a firmware updates—for the majority of components. “When I look at the industry at large, the PCs and servers being shipped, there isn’t a single device in the market that is entirely secured,” says Altherr. “If you look at any laptop, I guarantee there will be some unsigned component inside of it.”
The researchers focused on five specific components: Touchpad and trackpoints in Lenovo laptops, webcams found in HP laptops, Wi-Fi adapters from Dell laptops, a Via Labs USB hub, and a Broadcom network interface card. They demonstrated that they could update each device’s firmware with no verification, and in the case of the webcam and USB hub, without even having administrator privileges on the target computer.
For most of the components, the researchers showed only that they could make an arbitrary change to the part’s firmware, not actually going so far as to write proof-of-concept malware. They argue, though, that hijacking the firmware in any of those components could essentially hijack all of its functionality. The Wi-Fi adapter or USB hub could intercept the user’s communications. The webcam could surreptitiously spy on the user. And the trackpad can take control of the computer’s mouse movements. On top of those expected functions, several of the devices’ firmware could be used to emulate a peripheral keyboard and type keystrokes on the target computer, too.
