Unsigned firmware in peripherals could allow attackers to target HP, Lenovo and Dell computers, researchers warn

Enterprises must assess the 'firmware posture' of new devices during procurement

Many device manufacturers are still not paying attention to the issue of unsigned firmware in peripherals, potentially opening the door to information disclosure and remote code execution attacks.

That's according to researchers at cyber security firm Eclypsium, who recently used unsigned firmware in some peripherals to demonstrate how it could enable malicious actors to compromise an operating system remotely and steal data from networks.

The researchers said they found unsigned firmware in USB hubs, WiFi adapters, cameras and trackpads used in computers made by Dell, Lenovo, HP and some other companies. The worrying thing is that the firmware could be updated with "unsigned" code not designed by the device manufacturer.

"Many peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code," said researchers at Eclypsium.

"This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run."

The researchers examined a Lenovo ThinkPad X1 Carbon 6th Gen laptop and found the update mechanisms of the TrackPoint and Touchpad firmware used by the device to be highly insecure. Specifically, they did not apply cryptographic signature verification at the device level before doing firmware updates.

This security flaw could enable attackers to alter the firmware images through software to execute arbitrary code within these components.
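As an added illustration, not code from Eclypsium or any of the vendors named, the Go sketch below shows the device-side check the researchers describe as missing: the peripheral holds only the vendor's public key, verifies the signature over the whole image before writing anything, and refuses downgrades. The image layout, the key names and the fixed seed are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// FirmwareImage is a constructed, illustrative update format (not any vendor's):
// a version number, the code payload, and an Ed25519 signature over both.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// Constructed vendor key pair from a fixed seed so the example is reproducible.
// A real vendor keeps the private half offline; only the public key is burned into the device.
var VendorPriv = ed25519.NewKeyFromSeed([]byte("example-seed-0123456789abcdef!!!"))
var VendorPub = VendorPriv.Public().(ed25519.PublicKey)

// signedMessage binds version and payload together so neither can be swapped alone.
func signedMessage(version uint32, payload []byte) []byte {
	hdr := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(hdr, payload...)
}

// SignImage is the vendor build step: sign the image with the private key.
func SignImage(version uint32, payload []byte) FirmwareImage {
	sig := ed25519.Sign(VendorPriv, signedMessage(version, payload))
	return FirmwareImage{Version: version, Payload: payload, Signature: sig}
}

// AcceptUpdate is the device-side check the article says is missing: verify the
// signature against the embedded public key before writing anything, and refuse
// rollback to the same or an older version. A peripheral without this check
// behaves like "return img.Payload, nil" and runs whatever it is handed.
func AcceptUpdate(current uint32, img FirmwareImage) ([]byte, error) {
	if len(img.Signature) != ed25519.SignatureSize {
		return nil, errors.New("image is unsigned or signature is malformed")
	}
	if !ed25519.Verify(VendorPub, signedMessage(img.Version, img.Payload), img.Signature) {
		return nil, errors.New("signature does not verify: image rejected")
	}
	if img.Version <= current {
		return nil, errors.New("rollback to same or older version refused")
	}
	return img.Payload, nil
}
```

A payload or version field changed after signing fails `ed25519.Verify`, and an image with no signature at all is rejected before any cryptography runs.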

The researchers also analysed the firmware of the HP Wide Vision FHD camera in the HP Spectre x360 Convertible 13-ap0xxx laptop and found it to be unencrypted and lacking authenticity checks. Similar issues were found in machines from Dell and some other computer manufacturers.

This is, however, not the first time that researchers have found vulnerabilities in peripheral device firmware.

Earlier, in 2015, security researchers from Kaspersky said that hackers were using implants to reprogramme computer hard drives with malicious code.

The hacking group, which was named Equation Group by the researchers, was later linked to the US National Security Agency (NSA).

Many hardware vendors beefed up their security after the disclosure and allowed only valid firmware in their products. However, most manufacturers of peripherals, like cameras and WiFi adapters, have shown little interest in following suit.

Eclypsium researchers say organisations should scan their computer systems for vulnerable components, and should also assess "the firmware posture of new devices during procurement" in order to protect their networks from cyber attacks.