Researchers at the cybersecurity firm Eclypsium, which focuses on firmware, reported today that they have found a secret backdoor in the firmware of motherboards manufactured by the Taiwanese manufacturer Gigabyte. Gigabyte’s components are often used in gaming PCs and other high-performance systems. Eclypsium discovered that whenever a computer with the affected Gigabyte motherboard restarts, code inside the motherboard’s firmware silently triggers the launch of an updater application, which then downloads and runs another piece of software on the machine. Researchers discovered that the hidden code was built in an unsafe manner, making it possible for the mechanism to be hijacked and used to install malware rather than Gigabyte’s intended software.
Despite the fact that Eclypsium claims the hidden code is intended to be a harmless utility to keep the motherboard’s firmware updated, researchers determined that the implementation was vulnerable. And since the updater application is activated from the computer’s firmware rather than the operating system, it is difficult for users to either delete it or even detect it on their own. In the blog post, the company details the 271 different versions of Gigabyte motherboards that the researchers think are vulnerable. According to experts, individuals who are interested in discovering the motherboard that is used by their computer may do so by selecting “Start” in Windows and then selecting “System Information.”
Users who don’t trust Gigabyte to silently install code on their machine with a nearly invisible tool may have been concerned by Gigabyte’s updater alone. Other users may have been concerned that Gigabyte’s mechanism could be exploited by hackers who compromise the motherboard manufacturer to exploit its hidden access in a software supply chain attack. The update process was designed and built with obvious flaws that left it susceptible to being exploited in the following ways: It downloads code to the user’s workstation without properly authenticating it, and in certain cases, it even does it through an unsecured HTTP connection rather than an HTTPS one. This would make it possible for a man-in-the-middle attack to be carried out by anybody who is able to intercept the user’s internet connection, such as a malicious Wi-Fi network. The attack would enable the installation source to be faked.
Even if Gigabyte does release a fix for its firmware issue—after all, the problem stems from a Gigabyte tool that was intended to automate firmware updates—experts points out that firmware updates frequently fail silently on users’ machines, in many cases due to the complexity of the updates themselves and the difficulty of matching the firmware with the hardware.
In other instances, the updater that is installed by the mechanism in Gigabyte’s firmware is configured to be downloaded from a local network-attached storage device (NAS). This is a feature that appears to be designed for business networks to administer updates without all of their machines reaching out to the internet. Under such circumstances, a malicious actor on the same network might potentially fake the location of the NAS in order to covertly install their own malware in its place.
The company has said that it has been collaborating with Gigabyte in order to report its results to the motherboard maker, and that Gigabyte has indicated that it intends to solve the concerns.
Meantime you can block the following URLs:
- http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://software-nas/Swhttp/LiveUpdate4
A list of affected models is available here.
InfoSec tools | InfoSec services | InfoSec books