Firmware Backdoor Discovered in Gigabyte Motherboards, 250+ Models Affected
Cyber security company Eclypsium has found a backdoor in Gigabyte’s firmware, putting 271 motherboard models at risk. These include models with Intel and AMD chipsets from the last few years, up to today’s Z790 and X670 SKUs. The vulnerability lies in a small updater program that Gigabyte uses to keep the motherboard’s firmware up to date, and which it apparently implements insecurely.
Have you ever noticed a program popping up asking you to download the latest drivers or firmware after a clean install of Windows? Unfortunately, that little piece of code can provide a backdoor for criminals.
Each time the system boots, code within the firmware launches an updater program that connects to the Internet to check for and download the latest firmware for the motherboard. Eclypsium has assessed Gigabyte’s implementation as unsafe: cybercriminals could abuse it to install malware on victims’ systems. The bigger problem is that the updater program resides in the motherboard’s firmware, so it cannot be easily removed by the consumer.
Gigabyte isn’t the only vendor using this kind of program to facilitate firmware updates. Other motherboard manufacturers have adopted similar techniques, raising questions about whether any of them are safe. For example, Asus’ Armory Crate software works similarly to Gigabyte’s App Center. Eclypsium’s findings show that Gigabyte’s updater program reaches out to three different sites for firmware updates:
- http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://software-nas/Swhttp/LiveUpdate4
Eclypsium has assessed that the updater downloads code to users’ systems without proper authentication: it uses neither cryptographic digital signature verification nor any other verification method. As a result, both the HTTP and HTTPS connections are vulnerable to man-in-the-middle (MITM) attacks, the former more so than the latter. Eclypsium also found that, in addition to connecting to the Internet, the updater can download firmware updates from a NAS device on the local network. An attacker could similarly impersonate that NAS and infect the victim with spyware.
The updater is a standard component of Gigabyte motherboards. Eclypsium has compiled an extensive list of affected models. The list contains 271 motherboards, covering both Intel and AMD platforms. Some models date back to the AMD 400 series chipsets, but even the latest Intel 700 series and AMD 600 series motherboards are not safe.
Eclypsium has already shared its findings with Gigabyte, and the motherboard vendor is working on a fix for this vulnerability. Ironically, that fix may itself arrive as a firmware update. In the meantime, Gigabyte motherboard owners can take some steps to protect their systems.
Eclypsium advises users to disable the “APP Center Download and Install” feature within the motherboard’s firmware; this is the option that launches the updater. As a further measure, users can set a BIOS-level password to prevent unwanted and malicious changes. Last but not least, users can block the three sites that the updater connects to.
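Blocking the three sites is only useful if you can also see which machines are still reaching for them. The following is an added example, not code from the article or from Eclypsium: it scans proxy log lines for the three updater URLs named above and grades each hit by the risk the article describes (plaintext HTTP, the unqualified LAN name `software-nas`, or HTTPS with no signature check). The log format and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# The three update endpoints named in the article.
UPDATER_URLS = (
    "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://software-nas/Swhttp/LiveUpdate4",
)
UPDATER_HOSTS = {urlparse(u).hostname for u in UPDATER_URLS}
UPDATER_PATH = "/Swhttp/LiveUpdate4"
# Constructed proxy log format (assumption): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def classify(url):
    # Return (severity, reason) for an updater URL, or None if the URL is unrelated.
    p = urlparse(url)
    if p.hostname not in UPDATER_HOSTS or not p.path.endswith(UPDATER_PATH):
        return None
    if p.hostname == "software-nas":
        # Unqualified LAN name: whatever answers for it on the local network is trusted.
        return ("high", "updater resolving unqualified LAN host 'software-nas'")
    if p.scheme == "http":
        return ("high", "updater fetching over plaintext HTTP")
    return ("medium", "updater fetching over HTTPS without signature verification")

def find_updater_connections(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        verdict = classify(m["url"])
        if verdict:
            findings.append({"client": m["client"], "url": m["url"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2023-06-01T08:00:01Z 10.0.0.15 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 200
2023-06-01T08:00:02Z 10.0.0.15 CONNECT https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 200
2023-06-01T08:00:03Z 10.0.0.22 GET https://software-nas/Swhttp/LiveUpdate4 200
2023-06-01T08:00:04Z 10.0.0.30 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for f in find_updater_connections(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['client']} -> {f['url']}: {f['reason']}")
```

Each flagged client is a machine on which the “APP Center Download and Install” option is evidently still enabled.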