• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

Gigabyte Motherboards Affected by Firmware Backdoor, Over 250 Models Impacted

winjer

Member

This security vulnerability encompasses a wide range of models containing both Intel and AMD chipsets, inclusive of the newest Z790 and X670 units. The issue stems from a poorly secured updater program utilized by Gigabyte to maintain firmware currency.

Eclypsium, a cybersecurity research company, recently identified a firmware backdoor impacting 271 Gigabyte motherboard models. During a fresh Windows installation, users might encounter a program suggesting a download of the latest driver or firmware. Regrettably, this seemingly harmless program can potentially serve as a conduit for malevolent entities.
Upon each system restart, firmware-embedded code activates an updater program, connecting to the internet to search and download the newest motherboard firmware. According to Eclypsium, Gigabyte's approach to this updater program lacks the requisite security, offering a potential entry point for malicious software installations on susceptible systems. The complexity arises from the fact that this updater is ingrained in the motherboard's firmware, hence posing a challenge for consumer elimination.

The usage of such updater programs is not exclusive to Gigabyte, as other motherboard manufacturers incorporate similar methodologies, bringing into question the overall security of these systems. Asus' Armoury Crate software, for instance, operates similarly to Gigabyte's App Center. Eclypsium's analysis shows that Gigabyte's updater connects with three distinct sites for firmware updates:

The cybersecurity firm established that Gigabyte's updater downloads code to the user's system devoid of proper authentication, lacking cryptographic digital signature confirmation or alternative validation procedures. As a result, both HTTP and HTTPS connections remain vulnerable to Machine-in-the-Middle (MITM) attacks, with HTTP connections being especially susceptible. Additionally, beyond its online connections, the updater was found to download firmware updates from a local network's NAS device, creating potential for a harmful actor to impersonate the NAS and infect the user's system with spyware.


The updater comes as a standard tool in Gigabyte motherboards. Eclypsium has provided an extensive list of the impacted models, which consists of 271 motherboards from both Intel and AMD chipsets. These models span from older AMD 400-series chipsets to the most recent Intel 700-series and AMD 600-series motherboards, which are also affected by this issue.

Eclypsium has communicated its findings to Gigabyte, and the company is actively seeking a resolution to this issue, likely to be implemented via a firmware update. While this is being addressed, Gigabyte motherboard owners can take precautionary steps to safeguard their systems.

It is advisable, as per Eclypsium, to disable the "APP Center Download & Install" feature within the motherboard's firmware to deactivate the updater. Additionally, users can implement a BIOS-level password as a protective measure against unauthorized and harmful activities. Lastly, users can block the three aforementioned sites that the updater connects with

List of affected products here:
https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf


Fozzie Bear Reaction GIF
 

kittoo

Cretinously credulous
Do I need to worry if I always update my bios firmware through their website (download to USB th3n update)?
 

kruis

Exposing the sinister cartel of retailers who allow companies to pay for advertising space.
I don't think this is a big deal in the real world. The vast, vast majority of people buying Gigabyte motherboards are not businesses but regular consumers. What's the likelihood of becoming victim to a man in the middle attack on your private network? The article give a warning about a loophole that could make the Gigabyte software installed on your PC look for a (compromised) update on your NAS instead of an official Gigabyte server. But in that case I think an attacker installing software on your local NAS is a bigger problem than a loophole in Gigayte's firmware update code.

Just don't download Gigabyte firmware files from unknown sites for a while until the loophole is closed.
 

kruis

Exposing the sinister cartel of retailers who allow companies to pay for advertising space.
If you have one of the motherboards on the list, go to your BIOS and turn off "APP Center Download & Install Configuration"

There's no real reason to do that either. What's the likelihood of a hacker getting access to your private network, changing the routing on your internet router so so the bios on your PC downloads a hacked firmware from an unknown server instead of the real firmware from Gigabyte's server? IMO it's a rather hypothetical scenario.
 
Top Bottom