Severe flaws in more than 100 Dell laptop and desktop models could let hackers remotely take over the machines, security researchers revealed today (June 24). Up to 30 million devices may be affected.
The flaws, four in all, have to do with the BIOSConnect function in the Dell SupportAssist tool built into most recent Dell machines. They permit an attacker with access to the local network to modify a machine's startup firmware (commonly called the BIOS) and take complete control.
As the researchers at Portland, Oregon-based Eclypsium put it in their report, "such an attack would enable adversaries to control the device's boot process and subvert the operating system and higher-layer security controls" — total pwnage, in other words.
Two of the flaws were fixed on the Dell-server side in late May and are no longer a threat. Firmware updates for the other two were made available today and can be downloaded and installed from the Dell website.
If this sounds a bit familiar, it's similar to a set of BIOS-update flaws disclosed in Dell machines just about six weeks ago. However, those five flaws appear to involve a different update process than the one revealed today.
Dell told ZDNet that the BIOS firmware updates would be automatically installed as long as users had auto-updates turned on. But given that the flaws are in the BIOSConnect automatic-update process itself, you may want to perform the BIOS update manually.
"We recommend that users not use BIOSConnect to perform this firmware update," the Eclypsium report noted.
Eclypsium specializes in finding firmware and hardware flaws and revealed several such flaws in Dell, HP and Lenovo machines in early 2020.
First, not all Dell machines are vulnerable to these flaws. Dell counts 128 models that are affected, and they're listed in this Dell security advisory.
Second, these steps apply only to machines on which you have full administrative rights. If you're dealing with a machine owned or controlled by your workplace, then let your IT staffers handle this. If someone else in your household has admin rights on your machine, let them handle this.
Third, you may need to turn off BitLocker drive encryption if you're running Windows 10 Pro or Enterprise. (Windows 10 Home machines, found on most consumer models, will not have BitLocker installed.)
Search for "BitLocker" in the search bar in the bottom left corner of the Windows interface, then select "Manage BitLocker" in the search results. If the resulting window states that BitLocker is off, you're all set. If it's on, suspend BitLocker protection for the duration of the BIOS-update process.
Anyhow, if your Dell machine is on the list of vulnerable machines, or you're not sure which model you have, then follow these steps.
1. Browse to the Dell Drivers & Downloads page.
2. Let the page scan your machine to determine its model, provided Dell SupportAssist has already been installed. Alternatively, you can enter the model number or service tag manually and perform a search.
However, if you don't have Dell SupportAssist installed — you'll be able to tell because the Drivers & Downloads page will bug you to install it — then you are NOT vulnerable to these four specific flaws and you can rest easy and skip all this.
3. Once the Dell model has been identified, you'll be taken to a model-specific support page that can automatically figure out which drivers you need. You can also search for the proper update manually by selecting BIOS in the Category drop-down menu.
4. Download the latest BIOS update, then run it. Follow the on-screen instructions to finish the process.
5. You'll probably need to fully reboot the machine for the update to take effect.
Here's a Dell support page with a video walking you through the BIOS update process.
The problem here is, as is so often the case, a matter of convenience trumping security.
The BIOS, or more correctly the UEFI system on modern machines, is low-level firmware that lives on a PC's motherboard and kicks into gear as soon as you press the power button.
The BIOS scans the hard drive or drives to find an operating system, such as Windows, macOS or Linux, that the machine can "boot" into. On most machines, there's only one OS installed and the startup process will continue automatically. If you have more than one OS installed, you can use the BIOS to select the one you want to use, among other things.
BIOS and UEFI firmware is complex enough that malware can be written for it, and other BIOS modifications can be made to permit unauthorized access to the machine. Since the BIOS/UEFI firmware runs "below" Windows, it's often difficult for Windows programs, such as antivirus software, to detect problems with the BIOS.
Like all firmware, the BIOS firmware needs to be updated from time to time, and the Dell BIOS-update steps outlined above may not be that easy for many users to perform manually.
So in order to keep the BIOS on its users' machines up-to-date without having support technicians walk customers through the process, the Dell SupportAssist program has a function called BIOSConnect that automates most of the process. BIOSConnect also lets support techs remotely recover borked machines when they've got customers on the line.
However, each Dell machine has to contact Dell's servers to get the proper BIOS update. And that's where BIOSConnect trips up, because it's too trusting.
The Eclypsium researchers found that BIOSConnect will connect not just to servers presenting certificates belonging to Dell, but to any server presenting a digital certificate that conforms to the same format Dell uses.
BIOSConnect will assume that it is connecting to Dell servers, but in fact it could be connecting to a completely different server controlled by an attacker.
That attacker could then send a "poisoned" BIOS update to the Dell machine, such as one that was subtly altered to give the attacker permanent access to the machine over the internet.
The attacker would need to intercept the Dell machine's network traffic via a man-in-the-middle attack in order for this to work. But that's not that difficult to pull off as long as the attacker is on the same local wireless or wired network, such as in an office, hotel, park, coffee shop or airport waiting lounge.
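To make the trust failure described above concrete, here is an added example (not Dell's or Eclypsium's code, and not BIOSConnect's actual TLS stack) written as a Python update client: a weak client that accepts any well-formed certificate beside a hardened one that requires a chain to a pinned CA and a name match for the host it dialled. The host name, CA name and sample certificates are constructed placeholders.

```python
import ssl
import time
UPDATE_HOST = "bios-updates.example.com"    # placeholder, not a real Dell host
PINNED_ISSUER = "Example Pinned Update CA"  # constructed name for the vendor CA

def permissive_context() -> ssl.SSLContext:
    # Weak client: no chain check and no name check, so any certificate is accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context(cafile: str = "") -> ssl.SSLContext:
    # Hardened client: chain must end at a trusted CA (only cafile's CA, if given) and name must match.
    ctx = ssl.create_default_context(cafile=cafile or None)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def name_matches(pattern: str, host: str) -> bool:
    # Exact match, or one leftmost '*' that covers exactly one DNS label.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def looks_like_vendor_cert(cert: dict) -> bool:
    # The weak policy: only the shape of the certificate is checked.
    return {"subject", "issuer", "subjectAltName", "notAfter"}.issubset(cert)

def peer_cert_acceptable(cert: dict, host: str = UPDATE_HOST, now: float = 0.0) -> bool:
    # Hardened policy over getpeercert() output: pinned issuer, expiry, name (chain signatures are the SSLContext's job).
    if not looks_like_vendor_cert(cert):
        return False
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn).get("commonName")
    if issuer != PINNED_ISSUER or ssl.cert_time_to_seconds(cert["notAfter"]) < (now or time.time()):
        return False
    return any(name_matches(v, host) for k, v in cert["subjectAltName"] if k == "DNS")

def sample_cert(cn: str, issuer: str, san: str) -> dict:
    # Constructed certificate in the layout ssl.SSLSocket.getpeercert() returns.
    return {"subject": ((("commonName", cn),),), "issuer": ((("commonName", issuer),),),
            "subjectAltName": (("DNS", san),), "notAfter": "Jun 24 00:00:00 2099 GMT"}

VENDOR_CERT = sample_cert(UPDATE_HOST, PINNED_ISSUER, "*.example.com")
ROGUE_CERT = sample_cert("rogue.example.net", "Some Other CA", "rogue.example.net")  # same shape, other origin
```

The shape-only check passes both certificates; the hardened policy rejects the rogue one on issuer and name even though it is a perfectly valid certificate.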
The Eclypsium researchers plan to reveal the full details of the flaws and the exploit process at the DEF CON hacker conference in August.