Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its 2019 Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/SecureDC, or connect with Juniper on Twitter or Facebook. That's juniper.net/SecureDC. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:00:55] Thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Rick Altherr: [00:01:34] What really drove us to come back to this area was it's been a while and we've not seen a lot in the industry that's changed.
Dave Bittner: [00:01:44] That's Rick Altherr. He's a principal engineer at Eclypsium. The research we're discussing today is titled, "Perilous Peripherals: The Hidden Dangers Inside Windows and Linux Computers."
Rick Altherr: [00:01:55] So, what we wanted to do is go explore the breadth of the problem. We knew the problems existed around unsigned firmware, but we wanted to see how many different market segments in the computing industry did this touch. What types of devices were still vulnerable and where were improvements being made?
Dave Bittner: [00:02:13] Hmm.
Rick Altherr: [00:02:13] So that's why this really reveals four or five – depending on how you count – different examples of unsigned firmware and how that can be used or misused in these various systems. And you know, the intent was really to provide some perspective around, this is a known problem, it's been a known problem – here's how big of a problem this really is.
Dave Bittner: [00:02:36] Well, let's start with some of the real basics here. Can you describe to us – what are we talking about when we're talking about firmware, and then what's the difference between it being signed or unsigned?
Rick Altherr: [00:02:48] So, firmware is software that is actually run in very low-level contexts in the hardware. So, often, the firmware is not stored on your hard drives, but rather stored in a separate programmable device that is right next to the device using it. Firmware gets used in all sorts of different components within your average computer. So, if you look at the laptop that's currently sitting in front of me – the trackpad, the touch screen, the sound card, the mouse I have connected to it – these all have pieces of software that control the behavior of that individual device, that then that firmware talks to the main host processor, the x86 processor, in order to perform whatever function.
Rick Altherr: [00:03:36] So, when we then talk about what signed versus unsigned means, most of these devices, when they start up, they don't have firmware built into them. So, they have their own little CPU core inside the device. Your trackpad has a processor in it. And when it starts up, it needs to load its firmware from somewhere. And when it does so, it just reads it from this flash memory device that's attached to it and starts executing it. And it does so because that's the simplest thing possible. It simply does what's called "execute in place." It fetches an instruction from the flash device and runs it immediately.
Rick Altherr: [00:04:11] This means that there's no integrity checks. There's no validation that this firmware is actually the correct firmware for this device, that it's even an appropriate firmware for the device. What signing does is add cryptography to the firmware, such that when the device starts up, you can have a very small, built-in bit of firmware – often called a "ROM" – that, instead of just fetching an instruction and executing it directly from the flash, copies some of that data out of the flash and run some cryptographic operations on it, and verifies that in fact that firmware was properly signed by some entity that's supposed to produce that firmware. It provides a level of authenticity and integrity checking of the actual firmware before you start running it.
Dave Bittner: [00:04:58] So, in the history of these sorts of devices – these devices within our devices – is it fair to say that for a long time it was sort of assumed that these devices were trustworthy? That, you know, if the trackpad is within the laptop itself, well, the laptop is going to trust that that trackpad is who and what it says it is?
Rick Altherr: [00:05:20] Correct. And even further, it used to be that often the firmware in these devices was fairly static. It would be programmed in at the factory and it would live that way for the rest of its life. Nowadays, you see that when you go in and do a software update, you know, a Windows update on your laptop or something, you'll see firmware updates be delivered. Or if you go to your manufacturer's website, you'll see firmware updates. And these are because the firmware has gotten more complicated over time and now has bug fixes that are relevant. Well, if you have a firmware update mechanism, that means that the host processor – the system running Windows – actually can replace the firmware on these peripheral devices. And so that's what changes the scope of – if there are mechanisms for doing that updating, then we need to be careful about what updates we accept to make sure that the devices are not being compromised in some way.
Dave Bittner: [00:06:12] And that's where the signing comes into play.
Rick Altherr: [00:06:15] Exactly.
Dave Bittner: [00:06:16] So, again, with the ability for these devices to be updated sort of on the fly, what opportunities did that open up in terms of bad actors taking advantage of this capability within the machine?
Rick Altherr: [00:06:31] It varies a lot from device to device as to what capabilities you can gain. One way to think of it is, if I'm a malicious actor and I can replace the firmware in this device, the simplest case is to emulate the existing device. So, for example, if I'm compromising the firmware in a trackpad, because it's a trackpad, I can easily emulate the behavior of a trackpad. I can essentially have the firmware move the mouse cursor all on its own without your finger actually touching the trackpad. And you might say, well, what good does that do? – you can, you know, move it around to make an annoyance...
Dave Bittner: [00:07:04] (Laughs)
Rick Altherr: [00:07:05] ...Well, you can also get a little bit more complicated – and by complicated, I mean sophisticated, I guess, in this case, they kind of go hand-in-hand here. But if I can move the mouse cursor around, I can use that same mechanism to interact with the host system, to emulate other aspects of that device. And I can do so in a very rapid fashion. So, I could do things like move the mouse cursor to the bottom left corner of the screen where I know the start button always is. And because I know where that is, now I can, you know, click and work through the start menu in a very fast fashion.
Rick Altherr: [00:07:39] I can also look at how the device is connected to the host system. In the case of a lot of trackpads or mice or other pointing or human interface-type devices, they use what's called a "HID" interface, or a human interface device. And that is used for both keyboard and mice. Well, if the trackpad already acts as a HID device, I can perhaps emulate not only a mouse or trackpad, but also emulate a keyboard at the same time. So now I have the capability of moving the mouse pointer and typing, which then opens the case of, well, if I could arbitrarily type in things and move the mouse pointer around, then what can I do with that? I can start up and run various commands.
Dave Bittner: [00:08:23] Hmm. Now, what about other bits of hardware within the system? I mean, I can imagine things like your Ethernet interface or your Wi-Fi. That would be an attractive target.
Rick Altherr: [00:08:34] Yeah. This is why we started surveying the different types of devices. And in fact, one of our examples is a Wi-Fi adapter. In this case, the Wi-Fi adapter starts up with sort of a minimalistic firmware, or a baseline firmware. And then the device driver from Windows actually is responsible for loading the firmware once the operating system has started up – it updates the firmware to match the device driver. But this means that now I have potential control of the actual network interface. So now I can be in the data path of every bit of traffic going in and out of your computer.
Dave Bittner: [00:09:10] Now, as you mentioned, this sort of vulnerability has been known for several years now. Have manufacturers been adapting to this? Are you seeing more and more examples of them signing the firmware?
Rick Altherr: [00:09:25] It depends on the space. Certainly when you look at laptops and systems that are designed for use in sort of enterprise businesses, there's more effort put into that situation. You'll see signing applied to the main system firmware, and you'll see things like Boot Guard and BIOS Guard being rolled out by Intel and picked up by the manufacturers.
Rick Altherr: [00:09:49] But when you move to the peripheral components like trackpads, et cetera, if you look at how systems are designed and built by the manufacturer, the trackpad is not something that the manufacturer of your laptop builds themselves. They contract that out – you know, they purchase a pre-built module from someone or they contract that out. And so, those other suppliers often are using that same design to multiple of their customers, which means that multiple laptops in the market are going to have the same core component. It may look slightly different, but it's ultimately running very similar or the same firmware. And those suppliers are the ones that are most concerning, and what we found where the least advancement had been made in terms of putting protections in for their firmware.
Rick Altherr: [00:10:36] So, now we have things like a trackpad or a Wi-Fi adapter that is used in a variety of devices from a variety of manufacturers that all have the same flaw in them. And when I go to each of those manufacturers and say, by the way, your laptop contains this device that has this problem, they have to go work with that supplier to actually develop a fix. Now, this relationship is an indirect relationship between the end user, who cares about security, and the supplier, who actually manufacturers that component of the system. It has to pass through this intermediary, and there's just a whole bunch of business dynamics that come into play as to, are the computer manufacturers specifying that signed firmware is a requirement for these devices? And what we find is that in some cases they have been, but it has to actually be a majority of the computer manufacturers requesting that for a supplier to really invest in and do the work to do it properly.
Dave Bittner: [00:11:38] Well, take us through some of the specific examples here from your research. What are some of the devices that you all explored?
Rick Altherr: [00:11:44] Well, we've talked about a lot about the trackpad and TrackPoint firmware. So, that was certainly a case where we looked at and were able to verify that, in fact, you could modify the firmware and the device would still load it properly. Another case was actually the built-in web camera used in a variety of HP consumer-level laptops. And so, in this case, I personally looked in that firmware and saw that there were descriptors like strings that show up – you know, descriptive text about the device. And so I modified that just to see what would happen. And sure enough, the device accepted it and it would show up in device manager with the altered text. So, you know, this is another case where a device that's built right into the system can easily be modified.
Rick Altherr: [00:12:28] We've also talked about the Wi-Fi adapter where we were able to verify the same thing. One interesting aspects of that mechanism, where the device driver is responsible for loading the firmware, is that the device driver itself is signed. And we talk about this in detail, that Windows has a signing mechanism and verifies the device driver before it loads it. But when the device driver then goes to load the firmware, it's the responsibility of the device driver author, which is usually that vendor, to actually do the correct checks. Windows does not help you in this way. And so there's this belief that, oh, well, the device driver was signed, and so therefore, everything is OK. That's not necessarily true. And we get into some of the details of how you can check individual device drivers for this. But ultimately, it means you can tamper with the firmware, even though Windows says, yes, it's using a signed device driver because the firmware is still modified.
Rick Altherr: [00:13:28] And probably the most interesting case that we looked at was actually in a network chipset that's used – an Ethernet chipset that's used commonly in servers. And why this was particularly interesting is that servers often have a separate management processor called a "BMC" that lets you interact with the system and do things like turn the power on and off, or reset the system, or control the keyboard and mouse. And this is really useful for IT administrative functionality, but it's usually treated as a separate security domain from the actual computer that it controls.
Rick Altherr: [00:14:05] So, the idea is that I have a server that's racked in a data center somewhere. The people that are using that system – who are responsible for maintaining the operating system and applications on that system – are one set of security controls. They control the operating system and everything below that. The BMC is then controlled by your IT staff to take care of the system if something were to break such that it wasn't booting anymore, or things of that nature. Due to the way that these systems are implemented, the network traffic from both the BMC and the main operating system come together inside of the network interface chip. And it turned out that the way that this was implemented meant that the firmware was actually responsible for enforcing that separation of privileges. So once we were able to replace the firmware with our own firmware, we could actually snoop on the management traffic from the operating system. And that shouldn't actually be possible. In fact, it violates that security boundary and opens up a lot of potential for doing much more in-depth attacks.
Dave Bittner: [00:15:13] Now, the research that you all have been doing here, exploring these different devices, have you been tracking any examples of this being used out in the wild? Are these active exploits?
Rick Altherr: [00:15:26] So, often, in the wild, examples of these are – require a sophistication enough that they're very targeted. It's sort of – if you are an attacker, you're going to invest a lot of time and energy to develop such an attack, and so you're only going to use that in situations where you need it or where it's very advantageous to you. And so that means this tends to target very specific cases and come from specific threat actors. That's a long-winded way of saying your average business isn't going to see this kind of attack in the wild. And when we do see an attack in the wild – like the Equation Group attacks that were revealed five years ago – they're very specialized and focused on a particular type of hardware and a particular attack target.
Rick Altherr: [00:16:10] That said, there are multiple examples over the years of where this is becoming more prevalent, that the main advantage you get from infecting firmware this way is a level of persistence. Even if you replace the hard drive and reinstall the operating system, the infected firmware is still there. And in fact, that's exactly what the Equation Group hard-drive firmware attack did, was it used the hard-drive firmware as a launching point for reinfecting the operating system. Then we also see these types of attacks being used in other areas in some of the attacks against power grids and various other places. They'll be specific, focused exploits against certain types of devices, either to cause that specific device to misbehave or to use that as a persistence and jumping point for other types of attacks.
Dave Bittner: [00:16:58] Now, your research points out that this is an issue with many Windows and Linux devices. Apple seems to be taking additional steps to protect themselves against this?
Rick Altherr: [00:17:11] So, Apple does a variety of things in their system to take additional protection steps – so, things like the T2 security chips and those types of things. That said, looking at the devices in their system, they also use a lot of the same off-the-shelf type equipment. So, the Wi-Fi chipsets that they use would actually be also used in other systems. We did not do an extensive look at Apple systems, nor did we look at components that happened to be used in those systems. My experience says that every machine I have looked at has at least one vulnerable component.
Rick Altherr: [00:17:48] So, what are the take-homes here? In terms of the level of concern folks should have and the mitigations they should put in place, what are your recommendations?
Rick Altherr: [00:17:57] Well, one aspect is if there is a vulnerability in your firmware, the mitigations are going to come through a firmware update for that device. So get a little bit more in the habit of staying up-to-date on, do I have the latest firmware for my device? In the past, that used to be only update your firmware if you're experiencing a problem. Nowadays, it's – there may actually be security issues that require a firmware update, and so, keeping up-to-date on your software patches, both from the operating system level as well as your firmware helps keep you up-to-date with the latest in what vulnerabilities are there and what mitigations have been put in place.
Rick Altherr: [00:18:35] Then the other thing is to really, as a purchaser or a consumer of these devices, starting to ask your manufacturers of your devices – when you're in a position to – about the security features that they have. Especially when you're talking about enterprises and you're thinking about your refresh of your components and you're evaluating which machines to purchase, include in your rubric, do you use signed firmware on all your peripherals? You know, ask that question. And that starts to drive home that this is actually an important thing for consumers and hopefully builds up that impact through the manufacturers, down to the suppliers to implement those protections down all the way at the peripherals.
Dave Bittner: [00:19:20] Our thanks to Rick Altherr from Eclypsium for joining us. The research is titled "Perilous Peripherals: The Hidden Dangers Inside Windows and Linux Computers." We'll have a link in the show notes.
Dave Bittner: [00:19:31] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:19:40] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:19:47] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carol Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.