Thursday, June 24, 2021

Far be it from me to say I told you so... but ...

So, anyway, our colleagues at Eclypsium recently announced some bugs they found in Dell BiosConnect which could allow attackers to remotely implant code in firmware. You can read about it here.

Dell has apparently released firmware upgrades which fix the bugs, and it is not thought to be under active attack, so all should be well, but there are still two problems.

The first is that people tend to not be good at applying firmware updates. Unlike the monthly OS patches, there is rarely a mechanism for letting folks know they have a firmware patch to apply, and even if there is a patch, most people are not good at flashing firmware. As an example, we routinely still see Lenovo firmware that has the so-called "Lenovo rootkit" (which, btw, ain't that different from BiosConnect) from 2015 in it, and it should have been extinct since 2016.

The second problem is, who knows how many other problems like this exist? At least six other manufacturers have firmware with similar capabilities to BiosConnect, and no one knows who has similar problems. Maybe none. Maybe some. I guess time will tell.

Oh, and functionality keeps getting added. When I blogged about BiosConnect well over a year ago, one thing I noticed was that this particular firmware upgrade moved from 8 MB to 16 MB, and the number of programs in it grew from 320 to 575, and we now routinely see firmware (not just Dell) with nearly 1,000 executables. That's a lot of extra functionality, and therefore a lot of potential vulnerabilities.

As I recently wrote, you cannot protect your organization properly if you don't know what's in your firmware, especially the upgrades. We have recently done some "before and after" comparisons that are highly instructive, and hopefully I'll get to disclose them here soon.
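To make the "count the executables, then compare before and after" idea concrete, here is an added example that is not the author's or Armor's tooling. It scans a raw firmware image for embedded PE/COFF executables (an `MZ` stub whose `e_lfanew` points at a `PE\0\0` signature), sizes each one from its section table, hashes it, and then diffs the inventory of two images. The two images it runs on are constructed in the script from fake PE-shaped headers, not real firmware. It deliberately does not unpack compressed UEFI firmware volumes or handle UEFI's "TE" (terse executable) format, so on a real image it will undercount; it is the comparison logic, not a full firmware parser.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

MZ = b"MZ"
PE_SIG = b"PE\0\0"


@dataclass(frozen=True)
class EmbeddedPE:
    offset: int   # where the MZ header sits inside the firmware blob
    size: int     # file-layout size derived from the section table
    sha256: str


def _pe_file_size(blob: bytes, off: int) -> int | None:
    """Return the on-disk size of a PE image starting at `off`, or None if the
    bytes at `off` do not look like a PE header. Sizes are relative to `off`."""
    if off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != PE_SIG:
        return None
    nsections = struct.unpack_from("<H", blob, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]        # COFF SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + opt_size                        # first IMAGE_SECTION_HEADER
    end = sec_table + 40 * nsections                             # headers end, at minimum
    if nsections == 0 or off + end > len(blob):
        return None
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData live at +16 and +20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + sec_table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(blob) - off)     # clamp truncated images to the blob


def find_embedded_pes(blob: bytes) -> list[EmbeddedPE]:
    """Inventory every PE image found by scanning for MZ signatures."""
    found: list[EmbeddedPE] = []
    pos = 0
    while (off := blob.find(MZ, pos)) >= 0:
        size = _pe_file_size(blob, off)
        if size is None:
            pos = off + 1                 # stray "MZ" bytes; keep scanning
            continue
        chunk = blob[off:off + size]
        found.append(EmbeddedPE(off, size, hashlib.sha256(chunk).hexdigest()))
        pos = off + size                  # skip past this image so its innards are not rescanned
    return found


def diff_images(before: bytes, after: bytes) -> dict:
    """Compare two firmware images by the set of executables they carry."""
    pes_before = find_embedded_pes(before)
    pes_after = find_embedded_pes(after)
    hashes_before = {p.sha256 for p in pes_before}
    hashes_after = {p.sha256 for p in pes_after}
    return {
        "before_count": len(pes_before),
        "after_count": len(pes_after),
        "unchanged": len(hashes_before & hashes_after),
        "added": sorted(hashes_after - hashes_before),     # new code to review
        "removed": sorted(hashes_before - hashes_after),
    }


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed PE-shaped test fixture: one section, no optional header.
    It is enough for the scanner above; it is not a loadable executable."""
    hdr = bytearray(0x80)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew -> PE signature
    hdr[0x40:0x44] = PE_SIG
    struct.pack_into("<H", hdr, 0x40 + 6, 1)             # NumberOfSections = 1
    struct.pack_into("<H", hdr, 0x40 + 20, 0)            # SizeOfOptionalHeader = 0
    sec = 0x40 + 24                                      # section header at 0x58..0x80
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, len(payload), 0x80)   # SizeOfRawData, PointerToRawData
    return bytes(hdr) + payload


# Constructed sample images: padding plus a few fake executables each.
_PAD = b"\xff" * 64
BEFORE_IMAGE = _PAD + make_fake_pe(b"A" * 10) + _PAD + make_fake_pe(b"B" * 10)
AFTER_IMAGE = (_PAD + make_fake_pe(b"A" * 10) + _PAD + make_fake_pe(b"C" * 10)
               + _PAD + make_fake_pe(b"D" * 10))

if __name__ == "__main__":
    report = diff_images(BEFORE_IMAGE, AFTER_IMAGE)
    print(f"executables: {report['before_count']} -> {report['after_count']}, "
          f"{len(report['added'])} added, {len(report['removed'])} removed, "
          f"{report['unchanged']} unchanged")
```

Point the two image arguments at a dumped pre-upgrade and post-upgrade image and the "added" list is the set of executables nobody has looked at yet. For real UEFI images you would first extract the firmware volumes with a tool such as UEFITool so that compressed modules and TE images are visible to the scan; the hash-set comparison itself does not change.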

And, if you would like some help in checking your firmware, please feel free to reach us at labs at armor.ai.

So, far be it from me to say I told you so, but ... I told you so... This stuff is coming.
