"ReVault" firmware flaws allow persistent access in Dell laptops


Over 100 currently supported models at risk.

Researchers at Cisco's Talos Intelligence have uncovered a vulnerability chain in security hardware used by IT maker Dell, which can be used by attackers to maintain persistent access even after operating system reinstallation.

Opened Dell Latitude with USH board highlighted.
Talos Intelligence

The five critical vulnerabilities were named "ReVault" by Talos, and are found in Broadcom's ControlVault3 firmware, as well as associated Windows application programming interfaces (APIs) on a range of Dell business laptops.

Dell has confirmed the flaws, and issued a security update for the affected products.

ControlVault offers hardware-based security and is used to store passwords, biometrics and security codes.

It stores the sensitive data on a separate circuit board in laptops, called the unified security hub (USH). 

In turn, the USH technology is used in conjunction with smartcard readers and fingerprint scanners, as well as near field communications (NFC) devices.

Ironically enough, USH - which is used for heightened login security by users in sensitive industries - has turned out to be a weak link in the defence chain, potentially allowing for undetectable malicious implants on laptops.

Talos researcher Philippe Laulheret found that attackers who gained initial system access can exploit the vulnerabilities to establish persistent and permanent access on the devices.

In one scenario, compromised ControlVault firmware could leak cryptographic keys for device security.

If an attacker can extract the keys, this can allow for firmware modification, creating the possibility of permanent access that survives a complete clean operating system reinstallation, Talos noted.

Physical access to laptops left, for example, in hotel rooms by visitors adds to the risk.

Attackers can open up laptop chassis and connect directly to the USH with universal serial bus (USB) custom connectors.

Doing so bypasses physical security completely, rendering full-disk encryption passwords vulnerable along with system credentials.

Tampering with the firmware can also be used by attackers to make fingerprint sensors accept any print, rather than ones belonging to legitimately enrolled users.

Over 100 actively supported Dell laptop models, mainly from the business-oriented Latitude and Precision ranges, are vulnerable to the ReVault flaw.

Talos advised administrators to prioritise firmware updates to reduce exposure to ReVault.

If biometric or smartcard authentication is not required, ControlVault services can be disabled through the Windows Service Manager built into the Microsoft operating system.

Copyright © iTnews.com.au. All rights reserved.