What do a Lenovo touch pad, an HP camera and Dell Wi-Fi have in common? They'll swallow any old firmware, legit or saddled with malware
2020-02-19 08:02

Eclypsium said on Monday that, despite years of warnings from experts - and examples of rare in-the-wild attacks, such as the NSA's hard drive implant - devices continue to accept unsigned firmware.

The infosec biz said a miscreant able to alter the firmware on a system - such as by intercepting or vandalizing firmware downloads, or meddling with a device using malware or as a rogue user - can insert backdoors and spyware undetected, because the low-level software lacks cryptographic checks and validation.

"Eclypsium found unsigned firmware in Wi-Fi adapters, USB hubs, trackpads, and cameras used in computers from Lenovo, Dell, HP and other major manufacturers," the firm explained.

"Lenovo devices perform on-peripheral device firmware signature validation where technically possible. Lenovo is actively encouraging its suppliers to implement the same approach and is working closely with them to help address the issue."

HP added: "HP constantly monitors the security landscape and we value the work of Eclypsium and others to help identify new potential threats. We have published recommended mitigations for their latest report here. We advise customers to only install firmware updates from hp.com and the Microsoft Windows Update service, and to always avoid untrusted sources."


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/19/unsigned_firmware_security/