Researchers have known for years about security issues in fundamental computer code known as firmware. It is often riddled with vulnerabilities, difficult to update with patches, and increasingly the target of attacks in the real world. Now, a well-intentioned mechanism for easily updating firmware on Dell computers is itself vulnerable to four rudimentary bugs. And these vulnerabilities could be exploited to gain full access to target devices.
New findings from researchers at security firm Eclypsium impact 128 recent models of Dell computers, including desktops, laptops and tablets. Researchers estimate that the vulnerabilities expose a total of 30 million devices, and the exploits even work in models that incorporate Microsoft’s Secure PC Protections, a system specially designed to reduce firmware vulnerability. Dell is releasing fixes for the defects today.
“These vulnerabilities are in an easy-to-exploit mode. It’s basically like time traveling; it’s almost like the ’90s again,” says Jesse Michael, senior analyst at Eclypsium. “The industry has reached all this maturity of security features in code at the application and operating system level, but they are not following best practices for new firmware security features.”
The vulnerabilities appear in a Dell feature called BIOSConnect, which allows users to easily, and even automatically, download firmware updates. BIOSConnect is part of a larger Dell update and remote operating system management feature called SupportAssist, which has had its own share of potentially problematic vulnerabilities. Update mechanisms are valuable targets for attackers, as they can be corrupted to spread malware.
The four vulnerabilities discovered by researchers in BIOSConnect would not allow hackers to distribute malicious Dell firmware updates to all users at once. They could, however, be exploited to individually target victims’ devices and easily gain remote control of the firmware. Compromising a device’s firmware can give attackers full control of the machine, as the firmware coordinates hardware and software and runs as a precursor to the computer’s operating system and applications.
“This is an attack that allows an attacker to gain direct access to the BIOS,” the fundamental firmware used in the boot process, explains Eclypsium researcher Scott Scheferman. “Before the operating system even starts up and knows what’s going on, the attack has already taken place. It’s an elusive, powerful, and desirable set of vulnerabilities for an attacker who wants persistence.”
An important caveat is that attackers could not directly exploit the four BIOSConnect bugs from the open Internet. They must first have a foothold on the internal network of the victim devices. But the researchers point out that the ease of exploitation and the lack of firmware-level monitoring or logging would make these vulnerabilities attractive to hackers. Once an attacker compromises the firmware, they can likely go undetected in a target’s networks for the long term.
Eclypsium researchers disclosed the vulnerabilities to Dell on March 3. They will present the results at the Defcon Security Conference in Las Vegas in early August.
“Dell has fixed several vulnerabilities for the Dell BIOSConnect and HTTPS Boot features available with certain Dell client platforms,” the company said in a statement. “Features will be automatically updated if customers have enabled Dell Automatic Updates.” If not, the company says customers should manually install patches “as soon as possible.”
Eclypsium researchers warn, however, that this is an update you may not want to download automatically. Since BIOSConnect itself is the vulnerable mechanism, the safest way to get the fix is to go to Dell’s drivers and downloads website and manually download and install the updates from there. For the average user, however, the best approach is simply to update your Dell as quickly as possible.