Firmware Exploitation



So, I understand how general exploitation works. For instance, a stack overflow. However, I don’t understand how it’s possible to directly write to firmware within a device.

For those in the cyber security field, we know how easy it is to launch someone’s webcam on their mobile device or laptop remotely using metasploit; however, this can be taken a step further. It’s known that webcams generally turn on a light when the webcam is enabled. It’s also known that there are exploits that “rewrite” firmware to disable this feature. How is this possible, especially without physical access? Can it be done with a script?

In: Technology

Depends on the firmware already installed on the webcam, particularly whether it has a bootloader that allows for firmware updates, and then on how strong any protection measures (e.g. signature verification) are.

Though it is possible to design the hardware such that this particular issue can’t happen, by powering the image sensor from the same source that powers the “camera active” LED.

It’s also possible to break or omit the part of the firmware responsible for updating the firmware, so that you’d need physical access and a programming device to re-flash the firmware.

It can be done, although because it is relatively technically difficult and because it is beyond the needs of most hackers, it remains relatively rare. Even hackers with the ability to deploy it tend to do so selectively.

However, it is entirely possible. Software needs to interface with firmware on hardware. Any interaction invites manipulation. This is made easier by the fact that, with few exceptions, there is no cryptographic signing for firmware – effectively a signature enabling the software to check the firmware is legit. Antivirus software does not check firmware. Once infected, any malware is unlikely to be removed.

Added to this is the fact that hardware manufacturers' clients are overwhelmingly manufacturers, not end users. Manufacturers want components that are easy to work with – and increased firmware security tends to make that more difficult.

Obscurity doesn't work forever and, inevitably, as the sheer volume of firmware-controlled devices connected to the internet grows, such attacks will increase.
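The two replies above turn on the same point: whether the device's bootloader verifies a signature before it accepts a new firmware image (the first reply's "signature verification", the second reply's "no cryptographic signing for firmware"). Here is what that bootloader-side check looks like, as an added example that is not part of this thread and not any vendor's code. The image layout (magic, version, length, body, signature), the error names and the firmware body are constructed for the example; the signing uses Ed25519 from Go's standard library. The scenarios at the end show which manipulations an update path with this check rejects: a modified body, an image signed with a key the device does not trust, an older version being pushed back, and a truncated image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (an assumption, not any vendor's real format):
//   [0:4]          magic "FWIM"
//   [4:8]          version, big-endian uint32 (monotonic, used for anti-rollback)
//   [8:12]         body length n, big-endian uint32
//   [12:12+n]      firmware body
//   [12+n:12+n+64] Ed25519 signature over bytes [0:12+n]
const (
	magic      = "FWIM"
	headerSize = 12
	sigSize    = ed25519.SignatureSize
)

var (
	ErrBadMagic  = errors.New("firmware: bad magic")
	ErrLength    = errors.New("firmware: image length does not match header")
	ErrSignature = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version is not newer than the installed one")
)

// BuildImage is the vendor-side step: wrap the body in the header and sign header+body.
func BuildImage(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	img := make([]byte, headerSize+len(body)+sigSize)
	copy(img[0:4], magic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(body)))
	copy(img[headerSize:], body)
	sig := ed25519.Sign(priv, img[:headerSize+len(body)])
	copy(img[headerSize+len(body):], sig)
	return img
}

// VerifyImage is the bootloader-side check. Lengths are validated before any
// offset derived from them is used, the signature is checked before the
// version field is trusted, and the body is returned only on success.
func VerifyImage(pub ed25519.PublicKey, img []byte, installed uint32) (uint32, []byte, error) {
	if len(img) < headerSize+sigSize {
		return 0, nil, ErrLength
	}
	if string(img[0:4]) != magic {
		return 0, nil, ErrBadMagic
	}
	n := binary.BigEndian.Uint32(img[8:12])
	// Exact-length check: the 32-bit length field is never used to index past the buffer.
	if uint64(n) != uint64(len(img)-headerSize-sigSize) {
		return 0, nil, ErrLength
	}
	end := headerSize + int(n)
	if !ed25519.Verify(pub, img[:end], img[end:end+sigSize]) {
		return 0, nil, ErrSignature
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	body := append([]byte(nil), img[headerSize:end]...)
	return version, body, nil
}

// RunScenarios signs one constructed image with a fresh device key and reports
// the verification result for it and for four manipulated variants.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the key the device trusts
	if err != nil {
		return nil, err
	}
	_, rogue, err := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	if err != nil {
		return nil, err
	}
	body := []byte("constructed firmware body: led_on_with_sensor=1")
	good := BuildImage(priv, 2, body)
	results := map[string]error{}
	_, _, results["genuine"] = VerifyImage(pub, good, 1)
	tampered := append([]byte(nil), good...)
	tampered[headerSize+len(body)-1] ^= 0x01 // flips the trailing '1' to '0' without re-signing
	_, _, results["tampered body"] = VerifyImage(pub, tampered, 1)
	_, _, results["wrong signer"] = VerifyImage(pub, BuildImage(rogue, 3, body), 1)
	_, _, results["rollback"] = VerifyImage(pub, good, 2)
	_, _, results["truncated"] = VerifyImage(pub, good[:len(good)-1], 1)
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, verr := range results {
		fmt.Printf("%-14s -> %v\n", name, verr)
	}
}
```

The ordering inside VerifyImage is the part worth copying: the signature covers the header as well as the body, so the version used for the rollback check is itself authenticated, and nothing in the image is acted on until the signature has passed. A bootloader that instead checked the version first, or parsed an untrusted length before bounding it, would be exposed to exactly the image-rewriting the question asks about.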

You said "we", as if you're in cyber security, but you don't know how to write to firmware?

Firmware used to be dumb. It was just a bunch of settings, basic glue to hold together the system for the OS to use. But with UEFI, firmware has become smart, basically small operating systems on their own, and with their own security flaws. If it’s an OS, it can be exploited. For example, with UEFI, I can go over the network to a computer that is off (power applied but not booted) and issue commands to the UEFI.