Cisco Talos has disclosed five serious vulnerabilities in the Dell ControlVault3 firmware and associated Windows APIs. Collectively named ReVault, the vulnerabilities pose a real threat to more than 100 models of Dell laptops – often used in environments with heightened security requirements.
What is Dell ControlVault?
Dell ControlVault3 (and the newer ControlVault3+ version) is the hardware solution responsible for storing sensitive login data: passwords, fingerprints, biometric templates or security codes. Instead of being stored in the operating system, this data goes into a dedicated chip on a board called the Unified Security Hub (USH), connected to a fingerprint reader, smart card or NFC module.
The solution is used in more than 100 models of Dell laptops – mainly in the Latitude, Precision and Rugged series – often used in sectors such as public administration, the financial sector or critical infrastructure.
How does the ReVault attack work?
ReVault is not just a collection of software vulnerabilities. It’s also a potential way to take full control of a computer – whether the attacker acts remotely or has physical access to the device. Here are two possible scenarios that show the scale of the risk:
- Actions after gaining control of the computer
On Windows, even a user without administrator rights can – using the available APIs – establish communication with the ControlVault firmware and run arbitrary code in it. This makes it possible, among other things, to steal cryptographic keys and permanently modify the firmware. As a result, an attacker can install a so-called implant – malicious code hidden in the firmware, which can remain invisible and be used later to attack again, even after reinstalling the operating system.
- Physical attack on the hardware
Physical access to a laptop is all that is needed to connect to the Unified Security Hub (USH) board via USB and launch an attack – without knowing the password, PIN or disk encryption key. Additionally, if the system is configured for fingerprint login, the modified firmware can accept any fingerprint, allowing unauthorised access to the system.
How to mitigate risk?
- Software update:
The most effective method of protection is to install the latest firmware versions. Dell makes these available first on its website and, over time, also via Windows Update. Dell has already released updates; installing them resolves the vulnerabilities.
- Disabling unused components:
If biometric devices (fingerprint reader, NFC card reader, smart card reader) are not used, it is a good idea to disable the relevant services in Windows Services and the corresponding devices in Device Manager.
- Changing login settings:
In high-risk environments such as hotels, shared spaces or business travel, it is recommended to temporarily disable biometric login. You may also consider activating the Enhanced Sign-in Security (ESS) feature available in Windows.
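The "disabling unused components" step above can be scripted. The following is an added example, not code from Cisco Talos or Dell: it disables the Windows Biometric Service and the Smart Card service and then disables any present ControlVault device in Device Manager. The service names are the standard Windows ones; the `*ControlVault*` device-name pattern is an assumption and should be checked against the `Get-PnpDevice` output on the machine in question before running.

```powershell
# Added example (not from the advisory or from Dell). Run in an elevated
# PowerShell session on a laptop whose fingerprint / smart card / NFC
# hardware is not needed.

$ServicesToDisable = @(
    'WbioSrvc',   # Windows Biometric Service (fingerprint login)
    'SCardSvr'    # Smart Card service
)

foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output "Service $name not present, skipping"
        continue
    }
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $name -Force
    }
    Set-Service -Name $name -StartupType Disabled
    Write-Output "Disabled $name (previous start type: $($svc.StartType))"
}

# Disable the ControlVault / USH devices themselves so the firmware is no
# longer reachable through the Windows driver stack. The FriendlyName
# pattern is an assumption: list the devices first and adjust if needed.
$ushDevices = Get-PnpDevice -PresentOnly |
    Where-Object { $_.FriendlyName -like '*ControlVault*' -and $_.Status -eq 'OK' }

foreach ($dev in $ushDevices) {
    Write-Output "Disabling device: $($dev.FriendlyName) [$($dev.InstanceId)]"
    Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
}

# Verify the result: both services should show Status Stopped, StartType Disabled
Get-Service -Name $ServicesToDisable -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Disabling the devices does not replace the firmware update; it only removes the Windows-side path to the chip while the update is being rolled out. Re-enable with `Enable-PnpDevice` and `Set-Service -StartupType Manual` when the hardware is needed again.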
How to detect a potential security breach?
- Physical tampering detection:
On many Dell laptop models, chassis intrusion (case opening) detection can be enabled in the BIOS. The system will then inform the user of a possible physical intrusion.
- System log monitoring:
Unexpected failures of services such as the Windows Biometric Service or Credential Vault may suggest an attack attempt or a firmware malfunction.
- Signatures in security software:
Cisco Secure Endpoint users should note the alert ‘bcmbipdll.dll Loaded by Abnormal Process’, which may indicate unauthorised activity.
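The log-monitoring and DLL-loading indicators above can be checked locally without Cisco Secure Endpoint. The following is an added example, not code from Cisco Talos or Dell: it queries the System log for Service Control Manager events 7031 and 7034 (a service terminated unexpectedly) that mention the watched services, and then lists which running processes currently have `bcmbipdll.dll` loaded so that a baseline of normal loaders can be recorded. The display names `Windows Biometric Service` and `Credential Manager` are the standard Windows ones; treating the article's "Credential Vault" as Windows's Credential Manager service (`VaultSvc`) is an assumption, so extend `$WatchedServices` with any Dell ControlVault service names found on the machine.

```powershell
# Added example (not from the advisory). Reviews recent service crashes and
# current loaders of bcmbipdll.dll as a local triage aid.

$LookbackDays = 7
# Display names as they appear in SCM event text; "Credential Manager" is the
# assumed match for the article's "Credential Vault". Add Dell-specific
# ControlVault service names here if present on the host.
$WatchedServices = @('Windows Biometric Service', 'Credential Manager')

# 1. Unexpected service terminations (SCM event IDs 7031 and 7034)
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # The message text names the service, e.g.
    # "The Windows Biometric Service service terminated unexpectedly."
    foreach ($svc in $WatchedServices) {
        if ($e.Message -like "*$svc*") {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                Service = $svc
                Message = ($e.Message -split "`n")[0]
            }
        }
    }
}

if ($hits) {
    Write-Output "Unexpected terminations of watched services (last $LookbackDays days):"
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No unexpected terminations of watched services in the last $LookbackDays days"
}

# 2. Which processes currently have bcmbipdll.dll loaded. Record this on a
#    known-good machine as the baseline; anything outside that set on another
#    host is worth a closer look (this is what the Secure Endpoint alert keys on).
$loaders = Get-Process | ForEach-Object {
    $p = $_
    try {
        if ($p.Modules.ModuleName -contains 'bcmbipdll.dll') {
            [pscustomobject]@{
                ProcessName = $p.ProcessName
                Id          = $p.Id
                Path        = $p.Path
            }
        }
    } catch {
        # Protected or higher-privileged processes may refuse module enumeration
    }
}

if ($loaders) {
    Write-Output "Processes with bcmbipdll.dll loaded:"
    $loaders | Format-Table -AutoSize
} else {
    Write-Output "No process currently has bcmbipdll.dll loaded"
}
```

Run the script elevated so that module enumeration covers services as well as user processes. The event query only sees logs that still exist on the host, so for fleet-wide coverage the same filter should be applied to centrally forwarded System logs rather than to each laptop.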