What Are the Hidden Dangers of Unsigned Firmware?
Code Signing technology has been here for multiple decades now to authenticate and verify the originality and source of the software or firmware provider. It’s one of the security measures organizations take, but there are still some dangers lurking around.
Modern computer users have become software security-aware people and have implemented all the necessary precautions like firewalls or antivirus. This helps them stay away from sketchy downloads, visiting spammy websites, and doing 100 other unsecured things.
We try to keep our computers, routers, USB drives, and other hardware safe from malware & viruses as much as possible. However, there are always risks and hidden dangers when using all these devices. All these devices run and get connected with each using a program known as firmware.
Now, what is firmware, and how does it create hidden dangers for your computer systems? Let’s get right into it.
What are Computer Firmware & How They Have Hidden Dangers?
We all know what software is as we interact with them daily. They are installed on our hard drives and help with performing a certain action or improving our work. Software are run on computers, which constitute many peripheral components and hardware.
The majority of these components and hard drives contain embedded software known as firmware that helps make it work. This firmware comes pre-installed on webcams, touchpad controllers, graphics cards, USB hubs, and on many others.
Computer manufacturers don’t often produce these parts themselves and outsource or purchase them from 3rd-party vendors around the globe. And here’s where the problem starts.
According to Eclypsium research, firmware used in most computer hardware like USB, trackpads, webcams, and others are unsigned. It further revealed that major Windows and Linux computer & server manufacturers like Dell, Lenovo, HP, and others use unsigned firmware.
Eclypsium has also mentioned that they performed a successful attack on unsigned firmware using a server through a network interface card used by major manufacturers. This attack exposed the vectors once the firmware in the question of the mentioned components was infected using the issues described in the report.
This translates to no matter how cautious we are, there are some hidden dangers on our computers. This is because third-party firmware and component vendors do not choose to code sign them. As mentioned, OV or EV Code Signing Certificate helps authenticate the publisher and ensure the file hasn’t been modified since it was signed.
Not opting to sign the firmware is, unfortunately, devastating to the software security and operation of devices. Such disruption and dangers to peripheral components can completely disable the primary device. Or worse, it can provide attackers free access to your system to steal data or insert ransomware.
The Eclypsium report also shows that such weaknesses are more prevalent in laptop and desktop computers and create multiple ways to carry out attacks.
Risks and Hidden Dangers of Unsigned Firmware
The problem with unsigned firmware in a computer system is that it lacks the best software security practices that we take for granted in other software systems. Moreover, the components cannot verify if they have signed firmware or not before running the code. Also, there is no way for them to validate if the firmware used by the device could be trusted.
Due to this, attackers can easily take advantage of the situation and insert a malicious code or firmware image, which the hardware will trust blindly. These vulnerable devices and drives are then used to bypass software security for more dangerous and serious attacks like ransomware.
Moreover, hackers can update the devices with unsigned organization firmware to gain special privileges and carry out more powerful attacks. For instance, gaining access to devices by delivering malware or through evil maid attacks. The attackers can leverage the device functionality to advance their attack further and gain meaningful information.
An attacker can abuse the device in different ways depending on the component and firmware it gains access to. For instance, PCI-enabled devices can allow Direct Memory Access (DMA) attacks for easy data leakage. Cameras, on the other hand, allow stealing user environment data while hard drives could be used to hide malicious tools or codes.
Regardless of what attackers get their hands on, the overall outcome remains the same. They can easily access numerous data from components and devices that use unsigned organization firmware.
Why Do Organizations Don’t Use Signed Firmware?
It’s not like it’s impossible to code sign this firmware, however, the large organization at the helm of manufacturing these devices don’t care enough. The common reasons for not doing so include:
- The more firmware needs code signing means they’ll have to make more code signing credentials available to the developer team. This exposes their system to risks, which is why they don’t bother signing.
- The PKI team of the manufacturers doesn’t often catch up to the team of developers and so they bypass the whole process of code signing.
- They have more important tasks to take care of.
- Not aware of the software development going on in their organization.
These folks have made a simple code signing into a complex construct where no one’s ready to take responsibility. There are several tools that help these firmware development organizations to manage code signing credentials efficiently.
Daunting Struggle and Path Ahead
Mitigating the challenge of unsigned firmware is going to be a pain in the neck and a daunting struggle for manufacturers. Since the problem has been carried over for an extended period, a speedy solution is highly unlikely. However, there has been slow progress to end this struggle and adopt code signing.
‘Tis up to the manufacturers and developers of the computers & their components that utilize the firmware to introduce mitigations. However, most organizations don’t have the mature processes to handle the hidden security dangers created by unsigned organization firmware.
So, the only path forward from here is to actively look for vulnerabilities, make people aware of them, and help manufacturers & developers establish better software security measures.