What do a Lenovo touch pad, an HP camera and Dell Wi-Fi have in common? They'll swallow any old firmware, legit or saddled with malware

What do a Lenovo touch pad, an HP camera and Dell Wi-Fi have in common? They'll swallow any old firmware, legit or saddled with malware

2020-02-19 08:02

Eclypsium said on Monday that, despite years of warnings from experts - and examples of rare in-the-wild attacks, such as the NSA's hard drive implant - devices continue to accept unsigned firmware.

The infosec biz said a miscreant able to alter the firmware on a system - such as by intercepting or vandalizing firmware downloads, or meddling with a device using malware or as a rogue user - can do so to insert backdoors and spyware undetected, due to the lack of cryptographic checks and validations of the low-level software.

"Eclypsium found unsigned firmware in Wi-Fi adapters, USB hubs, trackpads, and cameras used in computers from Lenovo, Dell, HP and other major manufacturers," the firm explained.

"Lenovo devices perform on-peripheral device firmware signature validation where technically possible. Lenovo is actively encouraging its suppliers to implement the same approach and is working closely with them to help address the issue."

HP added: "HP constantly monitors the security landscape and we value the work of Eclypsium and others to help identify new potential threats. We have published recommended mitigations for their latest report here. We advise customers to only install firmware updates from hp.com and the Microsoft Windows Update service, and to always avoid untrusted sources." .

News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/19/unsigned_firmware_security/

#dell #firmware #HP #lenovo #malware #wifi

Related vendor

VENDOR	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
HP	8961	143	737	509	667	2056
Dell	1650	96	430	286	92	904
Lenovo	3010	32	208	111	16	367