Lack of firmware validation for computer peripherals enables highly persistent attacks
Security researchers have warned for many years that failure to digitally sign and validate the low-level firmware found in computers can lead to damaging compromises that are very hard to detect and fix. While the computer industry has made some progress in this area, especially when it comes to the Unified Extensible Firmware Interface (UEFI) in modern computers, new research shows that many peripheral manufacturers have not adopted modern firmware validation principles.
Researchers from security firm Eclypsium have found computer components with unsigned firmware or improper signature validation in laptops from major manufacturers, as well as in servers. The identified devices included a network interface chipset widely used in servers, a common laptop WiFi adapter, a trackpad, a full HD camera and an internal USB hub.