Five years after the Equation Group HDD hacks, firmware security still sucks

Device manufacturers are not forcing driver signatures at all times.
Written by Catalin Cimpanu, Contributor

In a report published today, Eclypsium, a cyber-security firm specialized in firmware security, says that the issue of unsigned firmware is still a widespread problem among device and peripheral manufactures.

According to researchers, many device makers still don't sign the firmware they ship for their components. Furthermore, even if they sign a device's firmware, they don't enforce checks for the firmware signature every time the driver/firmware is loaded, but only during installation.

Researchers say this leaves the door open for malicious actors to tamper with local firmware after it's been installed in order to plant persistent and nearly invisible malware on user devices.

To prove their point, in their report, the Eclypsium team disclosed vulnerabilities in four types of peripheral firmware -- for touchpads/trackpads, cameras, WiFi adapters, and USB hubs.

"Apple performs signature verification on all files in a driver package, including firmware, each time before they are loaded into the device, to mitigate this type of attack," the Eclypsium team said.

"In contrast, Windows and Linux only perform this type of verification when the package is initially installed."

But while some might be quick to blame the operating systems for not enforcing a stricter firmware signing practice, the Eclypsium team is not on this boat.

"Ultimately, the device itself needs to perform the signature verification before allowing the firmware update rather than depending on the operating system to perform this task," they say.

Device makers forgot about the Equation Group

The reason why device manufacturers aren't doing this is because of laziness, indifference, or because they don't feel they or their customers are under any threat.

However, when pressed, device makers are more than capable of enforcing strict driver/firmware signatures.

Exactly something like this has happened before. In 2015, security researchers from Kaspersky discovered a novel type of malware that nobody else had seen before until then.

The malware, known as NLS_933.dll, had the ability to rewrite HDD firmware for a dozen of HDD brands to plant persistent backdoors. Kaspersky said the malware was used in attacks against systems all over the world.

Kaspersky researchers claimed the malware was developed by a hacker group known as the Equation Group, a codename that was later associated with the US National Security Agency (NSA).

Knowing that the NSA was spying on their customers led many HDD and SSD vendors to improve the security of their firmware, Eclypsium said.

However, five years since the Equation Group's HDD implants were
found in the wild and introduced the hardware industry to the power of firmware hacking, Eclypsium says vendors have only partially addressed this problem.

"After the disclosure of the Equation Group's drive implants, many HDD and SSD vendors made changes to ensure their components would only accept valid firmware. However, many of the other peripheral components have yet to follow suit," researchers said.

Now, Eclypsium is urging the hardware industry to follow on the footsteps of HDD/SSD makers and move to enforce stricter rules for firmware signatures -- namely that signatures are checked every time the firmware is loaded into memory, and not just at install time.

The Mac malware most likely to attack your PC this year

Editorial standards