Hundreds of Millions of PC Components Still Have Hackable Firmware

That laptop on your desk or that server on a data center rack isn’t so much a computer as a network of them. Its interconnected devices—from hard drives to webcams to trackpads, largely sourced from third parties—have their own dedicated chips and code. That represents a serious security problem: Despite years of warnings, those computers inside your computer remain disturbingly unprotected, offering an insidious and nearly undetectable way for sophisticated hackers to maintain a foothold inside your machine.

That’s the helpful reminder provided by new research from security firm Eclypsium, which today released a report on components and PC peripherals connected to and inside of hundreds of millions of computers around the world. Eclypsium researchers found that a slew of network cards, trackpads, Wi-Fi adapters, USB hubs, and webcams all had firmware that could be updated with “unsigned” code that lacks any cryptographic verification. In other words, it could be rewritten without any security check.

Read More Here
here
Visit Website
hop over to this website
click
her latest blog
This Site
read review
try here
Clicking Here
page
read this post here
More Bonuses
recommended you read
go to this web-site
this
check that
Go Here
More hints
you could check here
Continued
More Help
try this
you could try here
website here
useful source
read the full info here
Discover More
click resources
over here
like this
Learn More
site web
navigate to this web-site
pop over to this website
Get the facts
our website
great site
try this out
visit the website
you could look here
content
go to this site
website link
read this
official statement
reference
check out the post right here
additional info
my link
additional reading
important source
you can check here
this link
see post
next
click reference
visit site
look here
try this web-site
Going Here
click to read
check this site out
go to website
you can look here
read more
more
explanation
use this link
a knockout post
best site
blog here
her explanation
discover this info here
he has a good point
check my source
straight from the source
anonymous
go to my blog
hop over to these guys

That sort of firmware hacking could allow any malware that manages to run on a victim computer to take control of those components and exploit them for everything from intercepting a computer’s network communications to spying through its webcam. Worse still, it could hide in obscure components, making detection and mitigation nearly impossible.

“Your webcam is its own computer. Your touchpad is its own computer. The software they run is their firmware, and there are no checks to the authenticity of that firmware when they power on. They just blindly trust it,” says Rick Altherr, an Eclypsium principal engineer who worked on the new firmware research. “An unprivileged user can actually modify the firmware on these devices, and there are no checks to where that firmware came from or what it does.”

Security researchers have warned of the near-total insecurity of some computer components’ firmware for years; SRLabs notably exposed the lack of verification of USB thumb drive firmware in 2014. Firmware hacking has shown up in the wild, too: Mac firmware hacking tools were included in the Vault7 leak of CIA spy techniques, for instance, and Kaspersky researchers revealed in 2015 that Equation Group—widely believed to be a team of NSA hackers—planted their code in victims’ hard drive firmware to spy on them.

But Eclypsium says its research is intended to serve as evidence that years of warnings haven’t fixed the problem. Computer and peripheral makers don’t seem to have implementing code-signing—cryptographic signature checks to verify the authenticity of a firmware updates—for the majority of components. “When I look at the industry at large, the PCs and servers being shipped, there isn’t a single device in the market that is entirely secured,” says Altherr. “If you look at any laptop, I guarantee there will be some unsigned component inside of it.”

The researchers focused on five specific components: Touchpads and trackpoints in Lenovo laptops, webcams found in HP laptops, Wi-Fi adapters from Dell laptops, a Via Labs USB hub, and a Broadcom network interface card. They demonstrated that they could update each device’s firmware with no verification, and in the case of the webcam and USB hub, without even having administrator privileges on the target computer.

For most of the components, the researchers showed only that they could make an arbitrary change to the part’s firmware, not actually going so far as to write proof-of-concept malware. They argue, though, that hijacking the firmware in any of those components could essentially hijack all of its functionality. The Wi-Fi adapter or USB hub could intercept the user’s communications. The webcam could spy on the user. And the trackpad can take control of the computer’s mouse movements. On top of those expected functions, several of the devices’ firmware could be used to emulate a peripheral keyboard and type keystrokes on the target computer too.