Well-intentioned feature leaves millions of Dell PCs vulnerable

Researchers have known for years about the security issues in the basic computer code known as firmware. It is often riddled with vulnerabilities, difficult to update with fixes, and increasingly the target of real-world attacks. Now, a well-intentioned mechanism for easily updating firmware on Dell computers is itself vulnerable to four rudimentary bugs, and these vulnerabilities could be exploited to gain full access to target devices.

The new discoveries by researchers from security firm Eclypsium affect 128 recent models of Dell computers, including desktops, laptops and tablets. The researchers estimate that the vulnerabilities expose a total of 30 million devices, and the exploits even work on models that incorporate Microsoft’s secure PC protections, a specially designed system to reduce the exposure of the firmware. Dell is releasing fixes for the defects today.

“These vulnerabilities are in easy-to-exploit mode. It’s basically like time traveling, it’s almost like the ’90s,” says Jesse Michael, senior analyst at Eclypsium. “The industry has reached all this maturity of security features in code at the application and operating system level, but they are not following best practices in new firmware security features.”

The vulnerabilities appear in a Dell feature called BIOSConnect, which allows users to easily, and even automatically, download firmware updates. BIOSConnect is part of a larger Dell update and remote operating system management feature called SupportAssist, which has had its own share of potentially problematic vulnerabilities. Update mechanisms are valuable targets for attackers because, once corrupted, they can be used to spread malware.

The four vulnerabilities discovered by researchers in BIOSConnect would not allow hackers to distribute malicious Dell firmware updates to all users at once. They could, however, be exploited to individually target victims’ devices and easily gain remote control of the firmware. Compromising a device’s firmware can give attackers full control of the machine, as the firmware coordinates hardware and software and runs as a precursor to the computer’s operating system and applications.

“This is an attack that allows an attacker to directly access the BIOS,” the fundamental firmware used in the boot process, explains Eclypsium researcher Scott Scheferman. “Before the operating system even starts up and knows what’s going on, the attack has already taken place. It’s an elusive, powerful, and desirable set of vulnerabilities for an attacker who wants persistence.”

An important caveat is that attackers could not directly exploit the four BIOSConnect bugs from the open Internet. They would first need a foothold on the internal network of the victim devices. But the researchers point out that the ease of exploitation and the lack of firmware-level monitoring or logging would make these vulnerabilities attractive to hackers. Once an attacker compromises the firmware, they can likely remain undetected in a target’s network for the long term.

Eclypsium researchers disclosed the vulnerabilities to Dell on March 3. They will present the results at the Defcon Security Conference in Las Vegas in early August.

“Dell has corrected several vulnerabilities for the Dell BIOSConnect and HTTPS Boot features available with certain Dell client platforms,” the company said in a statement. “Features will be automatically updated if customers have Dell Automatic Updates enabled.” If not, the company says, customers should manually install the patches “as soon as possible.”

Eclypsium researchers warn, however, that this is one update you may not want to download automatically. Since BIOSConnect itself is the vulnerable mechanism, the safest way to get the fixes is to go to the Dell Drivers and Downloads website and manually download and install the updates from there. For the average user, however, the best approach is simply to update your Dell as fully as you can, as quickly as possible.
