Millions of Gigabyte Motherboards Shipped With Firmware Backdoor


Researchers with cybersecurity company Eclypsium discovered a covert mechanism embedded in the firmware of Gigabyte motherboards, which are commonly used in gaming PCs and high-performance computers. When a computer with the affected motherboard restarts, this hidden code triggers an updater program within the firmware. Subsequently, the program downloads and executes additional software on the computer.

While Gigabyte intended this hidden code to serve as a benign tool for firmware updates, Eclypsium found that it was implemented insecurely. This creates a potential vulnerability that could be exploited by attackers to install malware instead of Gigabyte's intended software. The fact that the updater program is initiated from the computer's firmware, outside the operating system, makes it difficult for users to detect or remove.

John Loucaides, who leads strategy and research at Eclypsium, says users should be concerned by this behavior: their machines are retrieving and running code from the internet without their knowledge and without proper security measures. He adds that the idea of an underlying process taking control of a user's machine without their involvement is unsettling for most people.

271 Affected Motherboard Models

In their blog post, Eclypsium provides a list of 271 Gigabyte motherboard models that are believed to be affected. Loucaides suggests that users can check which motherboard their computer uses by accessing the "Start" menu in Windows and navigating to "System Information."

The presence of Gigabyte's updater alone might raise concerns for users who are wary of having code silently installed on their machines by the manufacturer, especially considering the hidden access point it provides in the software supply chain. However, Eclypsium's research reveals that the update mechanism itself has significant vulnerabilities. It downloads code to the user's machine without proper authentication, sometimes over unsecured HTTP connections instead of HTTPS. This allows the installation source to be spoofed through a man-in-the-middle attack, such as intercepting the user's internet connection via a rogue Wi-Fi network.

In some instances, the updater installed by Gigabyte's firmware mechanism is configured to download from a local network-attached storage device (NAS), a feature primarily designed for businesses to centrally administer updates without relying on internet connections for each machine. However, Eclypsium warns that malicious actors on the same network could manipulate the NAS's location to surreptitiously install their own malware.

Potential Impact of the Issue

Eclypsium's discovery is troubling due to the potential impact on millions of devices. Rich Smith, Chief Security Officer of supply-chain-focused cybersecurity startup Crash Override, finds the situation reminiscent of the Sony rootkit scandal from the mid-2000s. In that case, Sony hid digital-rights-management code on CDs, which covertly installed itself on users' computers and created a vulnerability that hackers exploited to conceal their malware. Smith draws the parallel that, even if Gigabyte adopted techniques used by malicious actors for benign reasons, doing so crosses a similar line in the firmware domain.

June 1, 2023