Millions of Dell, HP, and Lenovo PCs sitting ducks for firmware attacks


"Millions" of laptops and desktops made by Dell, HP, Lenovo and other companies are vulnerable to attack because the firmware in their webcams, trackpads, USB hubs, Wi-Fi cards and other built-in peripherals, supplied by third parties, accepts updates without checking that the manufacturer cryptographically signed them.

That's according to a report today (Feb. 18) from Oregon security firm Eclypsium, which said peripheral devices are often sitting ducks for malware that can change their firmware and create a backdoor into the computers. (Computers' own UEFI/BIOS firmware can also be hacked.)

"Once firmware on any of these components is infected using the issues we describe, the malware stays undetected by any software security controls," said the Eclypsium report. "These weaknesses are widespread across components in laptops and servers, offering multiple pathways for malicious attacks."

Unfortunately, many of these firmware issues can't be fixed with updates. And computer makers, peripheral makers and operating-system makers often pass the buck about who should take charge of this issue, leaving computer users naked in the crossfire.

If you're running a vulnerable machine -- and odds are that you are -- then the most you can do is try to catch the malware before it writes to a peripheral: install and run some of the best antivirus software, and make sure it scans USB drives as soon as they're plugged in. Be clear about the limits, though. As Eclypsium says, once the firmware itself has been altered, no software security control will see it, so also apply any firmware updates your PC maker publishes for the affected components.

Computers definitely at risk

Models proven to be vulnerable to these peripheral firmware flaws include: 

  • the Lenovo ThinkPad X1 Carbon (6th Gen) laptop, which uses a Synaptics trackpad that doesn't verify its own firmware updates
  • the HP Spectre x360 Convertible 13-ap0xxx laptop line, whose SunplusIT webcam likewise doesn't verify its firmware updates and can be hacked by malicious USB drives
  • and the Dell XPS 15 9560 laptop, whose Wi-Fi card, made by Rivet Networks around a Qualcomm chipset, loads unsigned firmware: Windows 10 verifies the signature on the driver package when it is installed, but nothing checks the firmware image when the card actually loads it. 

What you can, and can't, do about this

Lenovo told Eclypsium that it had no way to fix the trackpad issue in its current laptops. You'll just have to live with vulnerable trackpads. 

HP has created a patch for its webcam vulnerability, which you can download from HP's support website.

As for the Dell Wi-Fi chipset, Eclypsium notified both Microsoft and Qualcomm, who promptly tried to pass the buck to each other. 

Eclypsium dryly noted that "the responsibility remains unclear and as we have seen often goes unaddressed altogether." 

"Unfortunately, the problems posed by unsigned firmware are not easy to fix," Eclypsium said. "If the component wasn't designed to check for signed firmware, it often can't be fixed with a firmware update. 

"In many cases, the underlying problem in a device or product line can't be fixed at all, meaning that all of the devices in that product line will continue to be vulnerable throughout their lifetime."

Just the tip of the iceberg

Of course, those are only the specific models that Eclypsium happened to look at. Dozens, perhaps hundreds of other devices use at least one of those components. For example, our colleagues at Laptop Magazine told us that current Dell XPS 13 laptops use those Wi-Fi cards as well.

"Virtually every component within a device has its own firmware and its own potential for risk, including network adapters, graphics cards, USB devices, cameras, touchpads and trackpads, and more," Eclypsium says in its report. "Peripheral devices often lack the same security best practices that we take for granted in operating systems and in other more visible components, like the UEFI or BIOS." 

"These components have no way to validate that the firmware loaded by the device is authentic and should be trusted," the report adds. "An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run."

The NSA may have already exploited such problems

Weaknesses in peripheral firmware aren't just academic. In 2015, Russian antivirus firm Kaspersky disclosed the existence of malware that altered the firmware of computer hard drives, including drives made by IBM, Maxtor, Seagate, Toshiba and Western Digital, allowing the attackers to build silent backdoors into the computers. 

This malware was part of a larger constellation of hacking tools that Kaspersky attributed to the Equation Group, one of several highly skilled, long-running state-sponsored teams developing malicious code. Kaspersky called the hard-drive reprogrammer "perhaps the most powerful tool in the Equation group's arsenal."

"This is an astonishing technical accomplishment and is testament to the group's abilities," Kaspersky added in its 2015 report.

Kaspersky has a policy of never attributing malware to a specific nation, but the Equation Group is widely believed to be working for, or to be an active part of, the U.S. National Security Agency.

"After the disclosure of the Equation Group's drive implants, many HDD and SSD vendors made changes to ensure their components would only accept valid firmware," Eclypsium says in today's report. "However, many of the other peripheral components have yet to follow suit."

Who's going to own this problem?

Microsoft can harden Windows, and Linux developers can harden Linux, against malware all they can, but operating-system improvements won't do much to stop other lines of attack through the hundreds of third-party peripherals built into laptops and desktops. 

The question is who should take responsibility -- the peripheral makers, the makers of the computers that buy and use the peripherals, or the OS makers? Eclypsium doesn't have a complete answer, but it places the blame on the peripheral makers.

"Peripheral manufacturers have been slow to adopt the practice of signing firmware," the report notes, "leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware."

Macs fare better

Notice that none of the affected models are Macs. That's because, according to the report, "Apple performs signature verification on all files in a driver package, including firmware, each time before they are loaded into the device, to mitigate this type of attack."

"In contrast," the report adds, "Windows and Linux only perform this type of verification when the package is initially installed."

There's a simple explanation for this security gap: Apple makes both its hardware and software and has a vested interest in making sure they complement each other perfectly. 

But Microsoft makes only a few of the devices that run Windows, and Linux coders and distributors generally make no hardware at all. Both of those OSes have to run on thousands of different hardware configurations and can't be expected to vouch for the firmware on just as many potential peripherals.

Someone needs to step up

Eclypsium's own answer is that the check belongs in the component: the peripheral has to verify the signature itself, every time, rather than trusting that the operating system checked the driver package on the way in.

"Ultimately, the device itself needs to perform the signature verification before allowing the firmware update rather than depending on the operating system to perform this task," the report states.
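To make concrete what that sentence asks for, and the install-time-versus-every-load distinction the Mac section above draws, here is an added example written for this page; it is not Eclypsium's code and not any vendor's update protocol. The image format (a "FWIM" header with version and length, followed by the payload and an Ed25519 signature over everything before it) and all keys and payloads are constructed for the illustration. `FlashBlindly` is the behaviour the report describes; `AcceptUpdate` is the component-side check, which verifies the signature before touching flash on every update, regardless of what the host verified earlier, and refuses rollback to a validly signed older image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout for this example (not any vendor's real format):
//   magic(4) "FWIM" | version(4, big-endian) | length(4, big-endian) | payload(length) | sig(64)
// The signature covers everything before it, so version and length are protected too.
const (
	magic     = "FWIM"
	headerLen = 12
)

var (
	ErrBadMagic  = errors.New("firmware: bad magic")
	ErrTruncated = errors.New("firmware: length does not match image")
	ErrBadSig    = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version rollback rejected")
)

// Device models the peripheral: the vendor's public key is baked in at
// manufacture, and it tracks the version currently in flash.
type Device struct {
	VendorKey ed25519.PublicKey
	Version   uint32
	Flash     []byte
}

// BuildImage is the vendor-side release step: assemble header+payload and sign it.
// The private key never leaves the vendor's release infrastructure.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// FlashBlindly is the vulnerable behaviour: the component trusts whatever the host
// sends. Any check the OS did at driver-package install time is irrelevant once an
// attacker on the host can talk to the device directly.
func (d *Device) FlashBlindly(img []byte) {
	if len(img) >= headerLen {
		d.Flash = append([]byte(nil), img[headerLen:]...)
	}
}

// AcceptUpdate is the check moved into the component. Nothing is written until the
// signature verifies against the embedded vendor key.
func (d *Device) AcceptUpdate(img []byte) error {
	if len(img) < headerLen+ed25519.SignatureSize {
		return ErrTruncated
	}
	if !bytes.Equal(img[:4], []byte(magic)) {
		return ErrBadMagic
	}
	version := binary.BigEndian.Uint32(img[4:8])
	length := binary.BigEndian.Uint32(img[8:12])
	// Declared length must cover exactly the bytes between header and signature;
	// compare as uint64 so a huge length cannot wrap into a small int.
	if uint64(length) != uint64(len(img)-headerLen-ed25519.SignatureSize) {
		return ErrTruncated
	}
	signedLen := headerLen + int(length)
	if !ed25519.Verify(d.VendorKey, img[:signedLen], img[signedLen:]) {
		return ErrBadSig
	}
	if version <= d.Version { // genuine but older: could reintroduce a fixed bug
		return ErrRollback
	}
	d.Flash = append([]byte(nil), img[headerLen:signedLen]...)
	d.Version = version
	return nil
}

// DemoResult records what each constructed scenario returned.
type DemoResult struct {
	Genuine, Tampered, Forged, Rollback error
	BlindlyFlashedTampered              bool
}

// Demo runs the scenarios with freshly generated keys and constructed payloads.
func Demo() DemoResult {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: vendorPub, Version: 1}
	v2 := BuildImage(vendorPriv, 2, []byte("constructed payload v2"))
	var r DemoResult
	r.Genuine = dev.AcceptUpdate(v2)
	tampered := append([]byte(nil), v2...)
	tampered[headerLen] ^= 0x01 // one flipped payload byte after the OS-level check
	r.Tampered = dev.AcceptUpdate(tampered)
	r.Forged = dev.AcceptUpdate(BuildImage(attackerPriv, 3, []byte("backdoor"))) // wrong key
	r.Rollback = dev.AcceptUpdate(BuildImage(vendorPriv, 1, []byte("constructed payload v1")))
	blind := &Device{}
	blind.FlashBlindly(tampered) // the vulnerable path takes it without complaint
	r.BlindlyFlashedTampered = len(blind.Flash) > 0
	return r
}

func main() {
	r := Demo()
	fmt.Println("genuine:", r.Genuine, "| tampered:", r.Tampered, "| forged:", r.Forged,
		"| rollback:", r.Rollback, "| blind device flashed tampered image:", r.BlindlyFlashedTampered)
}
```

The order of checks matters: length is validated before any slice is taken, the signature is verified before the version is trusted, and flash is only written after both pass. A real component would add power-loss-safe A/B slots and a hardware-protected monotonic counter for the version, but the signature-first discipline is the part the report says is missing.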

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.