Researchers have known for years about security issues with fundamental computer code known as firmware. It is often riddled with vulnerabilities, difficult to update with patches, and increasingly the target of attacks in the real world. Now, a well-intentioned mechanism for easily updating firmware on Dell computers is itself vulnerable to four rudimentary bugs. And these vulnerabilities could be exploited to gain full access to target devices.
The new findings from researchers at security firm Eclypsium relate to 128 recent models of Dell computers, including desktops, laptops and tablets. Researchers estimate that the vulnerabilities expose a total of 30 million devices, and the exploits even work in models that incorporate Microsoft’s Secure PC Protections, a system specially designed to reduce firmware vulnerability. Dell is releasing fixes for the defects today.
“These vulnerabilities are in an easy to exploit fashion. It’s basically like time traveling – it’s almost like the ’90s again,” said Jesse Michael, senior analyst at Eclypsium. “The industry has reached all this maturity in security features in code at the application and operating system level, but they are not following best practices in new firmware security features.”
The vulnerabilities appear in a Dell feature called BIOSConnect, which allows users to easily, and even automatically, download firmware updates. BIOSConnect is part of a larger Dell update and remote operating system management feature called SupportAssist, which has had its own share of potentially problematic vulnerabilities. Update mechanisms are valuable targets for attackers, as they can be corrupted to spread malware.
The four vulnerabilities discovered by researchers in BIOSConnect would not allow hackers to distribute malicious Dell firmware updates to all users at once. They could, however, be exploited to individually target victims’ devices and easily gain remote control of the firmware. Compromising a device’s firmware can give attackers full control of the machine, as the firmware coordinates hardware and software and runs as a precursor to the computer’s operating system and applications.
“This is an attack that allows an attacker to directly access the BIOS,” the fundamental firmware used in the boot process, explains Scott Scheferman, researcher at Eclypsium. “Before the operating system even starts up and knows what is going on, the attack has already taken place. This is an elusive, powerful, and desirable set of vulnerabilities for an attacker who wants persistence.
An important caveat is that attackers could not directly exploit the four BIOSConnect bugs from the open Internet. They must have an anchor point in the internal network of the victim devices. But the researchers point out that the ease of operation and lack of firmware-level monitoring or logging would make these vulnerabilities attractive to hackers. Once an attacker compromises the firmware, it can likely go undetected in a target’s networks for the long term.
Eclypsium researchers disclosed the vulnerabilities to Dell on March 3. They will present the results at the Defcon Security Conference in Las Vegas in early August.
“Dell has fixed several vulnerabilities for the Dell BIOSConnect and HTTPS Boot features available with certain Dell client platforms,” the company said in a statement. “Features will be automatically updated if customers have enabled Dell Automatic Updates.” If not, the company says customers should manually install patches “as soon as possible.”
Eclypsium researchers warn, however, that this is an update that you may not want to download automatically. Since BIOSConnect itself is the vulnerable mechanism, the safest way to get updates is to navigate to Dell’s drivers and downloads website and manually download and install the updates. from there. For the average user, however, the best approach is to simply update your Dell as much as you can, as quickly as possible.
“We are seeing these relatively simple bugs, like logic flaws, popping up in the new space of firmware security,” said Michael of Eclypsium. “You believe this house was built securely, but it actually sits on a sandy foundation.”
After going through a number of nightmarish attack scenarios due to firmware insecurity, Michael takes a breath. “Sorry,” he said. “I can complain about this a lot.”
This story originally appeared on wired.com.