Five Years After the Equation Group HDD Hacks, Firmware Security Still Sucks

In a report published today, Eclypsium, a cyber-security firm specialized in firmware security, says that the issue of unsigned firmware is still a widespread problem among device and peripheral manufactures. From a report: According to researchers, many device makers still don't sign the firmware they ship for their components. Furthermore, even if they sign a device's firmware, they don't enforce checks for the firmware signature every time the driver/firmware is loaded, but only during installation. Researchers say this leaves the door open for malicious actors to tamper with local firmware after it's been installed in order to plant persistent and nearly invisible malware on user devices. To prove their point, in their report, the Eclypsium team disclosed vulnerabilities in four types of peripheral firmware -- for touchpads/trackpads, cameras, WiFi adapters, and USB hubs. "Apple performs signature verification on all files in a driver package, including firmware, each time before they are loaded into the device, to mitigate this type of attack," the Eclypsium team said. "In contrast, Windows and Linux only perform this type of verification when the package is initially installed." But while some might be quick to blame the operating systems for not enforcing a stricter firmware signing practice, the Eclypsium team is not on this boat.

Read more of this story at Slashdot.

from Slashdot https://ift.tt/2HvY2Um

Share on FacebookPlus on Google+

SUBSCRIBE TO OUR NEWSLETTER