A security company has found hardware vulnerabilities that, if exploited, can give hackers control over systems.
The vulnerability, disclosed by Binarly Research, allows an attacker to gain control of the system by modifying a variable in non-volatile memory, which stores data permanently, even when a system is turned off.
The modified variable will compromise the secure boot phase of a system, and an attacker can gain persistent access to compromised systems once the exploit is in place, said Alex Matrosov, the founder and CEO of Binarly, which offers open source tools to detect firmware vulnerabilities.
“Basically, the attacker can manipulate variables from the operating system level,” Matrosov said.
Firmware Vulnerability Opens the Door
Secure boot is a mechanism deployed in most PCs and servers to ensure that a device starts only trusted, verified software. Hackers can take control of the system if the boot process is either bypassed or under their control.
But in order to manipulate the variables, an attacker would first need privileged access to the system, such as administrator access on Linux or Windows. Once the variable is modified, the malicious code executes before the operating system is loaded.
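The mechanism described above, an OS-level administrator rewriting a non-volatile UEFI variable that influences the next boot, is something defenders can inventory. The following is an added example, not Binarly's tooling or anything from the disclosure: it parses variables in the Linux efivarfs layout (a 4-byte little-endian attribute word followed by the data) and flags persistent variables that the OS may rewrite at runtime without any authenticated-write attribute. The sample variable images are constructed for the example; the heuristic is an assumption about what is worth monitoring, not a list of affected variables.

```python
import struct
from pathlib import Path

# UEFI variable attribute bits as defined for GetVariable/SetVariable.
NON_VOLATILE = 0x01
BOOTSERVICE_ACCESS = 0x02
RUNTIME_ACCESS = 0x04
AUTHENTICATED_WRITE = 0x10            # legacy counter-based authentication
TIME_BASED_AUTHENTICATED_WRITE = 0x20
ENHANCED_AUTHENTICATED_ACCESS = 0x80
AUTH_BITS = AUTHENTICATED_WRITE | TIME_BASED_AUTHENTICATED_WRITE | ENHANCED_AUTHENTICATED_ACCESS


def parse_efivar(blob: bytes):
    """Split an efivarfs file image into (attributes, data).

    efivarfs exposes each variable as a 4-byte little-endian attribute
    word followed by the raw variable contents.
    """
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short to hold an attribute word")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def audit_variables(variables: dict) -> list:
    """Return names of non-volatile variables that are runtime-accessible
    and carry no authenticated-write bit. These are the variables an
    admin-level process could rewrite from the OS and have the change
    survive a reboot, so they are the ones to baseline and watch (heuristic)."""
    exposed = []
    for name, blob in variables.items():
        attrs, _ = parse_efivar(blob)
        if attrs & NON_VOLATILE and attrs & RUNTIME_ACCESS and not attrs & AUTH_BITS:
            exposed.append(name)
    return sorted(exposed)


def load_efivarfs(root: str = "/sys/firmware/efi/efivars") -> dict:
    """Read every variable file under efivarfs (Linux, normally needs root)."""
    return {p.name: p.read_bytes() for p in Path(root).iterdir() if p.is_file()}


# Constructed sample images (not captured from any real device). The first uses
# the real image-security-database GUID; its contents are placeholder bytes.
SAMPLE = {
    # Time-based authenticated secure-boot db: NV | BS | RT | TIME_AUTH = 0x27
    "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f": struct.pack("<I", 0x27) + b"\x00" * 8,
    # Hypothetical vendor setting writable from the OS, unauthenticated: 0x07
    "VendorSetup-11111111-2222-3333-4444-555555555555": struct.pack("<I", 0x07) + b"\x01",
    # Volatile variable (BS | RT only): lost at reboot, not a persistence vector.
    "ScratchVar-11111111-2222-3333-4444-555555555555": struct.pack("<I", 0x06) + b"\x00",
}

if __name__ == "__main__":
    print(audit_variables(SAMPLE))  # prints the VendorSetup entry only
```

On a live Linux system, `audit_variables(load_efivarfs())` produces the same kind of report against the real variable store; a flagged entry is a candidate for change monitoring, not proof of a vulnerability.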
“The firmware piece is important because the attacker can gain very, very interesting persistence capabilities, so they can play for the long term on the device,” Matrosov said.
The vulnerability is like leaving a door open — a hacker can gain access to system resources as and when they please when the system is switched on, Matrosov said.
The vulnerability is notable because it affects processors based on the ARM architecture, which are used in PCs, servers, and mobile devices. A number of security problems have been discovered on x86 chips from Intel and AMD, but Matrosov noted that this disclosure is an early indicator of security flaws existing in ARM chip designs.
Qualcomm Warns About Snapdragon
The problem springs from a vulnerability affecting Qualcomm’s Snapdragon chipsets, which the chip company disclosed on Jan. 5.
Qualcomm’s Snapdragon chips are used in laptops and mobile devices. The vulnerabilities could affect a wide range of those devices using Unified Extensible Firmware Interface (UEFI) firmware with Snapdragon chips. A few devices, including PCs from Lenovo and Microsoft, have already been identified.
Lenovo, in a security bulletin issued last week, said that the vulnerability affected the BIOS of the ThinkPad X13s laptop, which is based on Qualcomm’s Snapdragon chipset. The company has issued a BIOS update to patch the vulnerability.
Microsoft’s Windows Dev Kit 2023, which is code-named Project Volterra, is also impacted by the vulnerability, Binarly said in a research note. Project Volterra is designed for programmers to write and test code for the Windows 11 operating system. Microsoft is using the Project Volterra device to lure conventional x86 Windows developers into the ARM software ecosystem, and the device’s release was a top announcement at Microsoft’s Build and ARM’s DevSummit conferences last year.
Mobile Devices Are Affected, Too
The Meltdown and Spectre vulnerabilities largely affected x86 chips in server and PC infrastructures. But the discovery of vulnerabilities in ARM’s boot layer is particularly concerning because the architecture is driving a low-power mobile ecosystem, which includes 5G smartphones and base stations. The base stations are increasingly at the center of communications for edge devices and cloud infrastructures. Attackers could behave like operators, and they will have persistence at base stations and nobody will know, Matrosov said.
System administrators need to prioritize patching firmware flaws by understanding the risk to their company and addressing it quickly, he said.
“Not every company has policies to deliver firmware fixes to their devices. I have worked for large companies in the past, and before I started my own company, none of them — even these hardware-related companies — had an internal policy to update the firmware on employee laptops and devices. This is not right,” Matrosov said.
Firmware developers also need to develop a security-first mindset, he said. Many PCs today boot based on specifications provided by the UEFI Forum, which define the hooks through which the software and hardware interact.
“We found that OpenSSL, which is used in UEFI firmware — it’s in the ARM version — is very outdated. As an example, one of the major TPM providers called Infineon, they use an eight-year-old OpenSSL version,” Matrosov said.