
Millions of PC Motherboards Were Sold With a Firmware Backdoor (wired.com)

Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs -- a feature ripe for abuse, researchers say. From a report: Hiding malicious programs in a computer's UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become an insidious trick in the toolkit of stealthy hackers. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers -- and doesn't even put a proper lock on that hidden back entrance -- they're practically doing hackers' work for them. Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they've discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with the affected Gigabyte motherboard restarts, Eclypsium found, code within the motherboard's firmware invisibly initiates an updater program that runs on the computer and in turn downloads and executes another piece of software.

While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard's firmware updated, researchers found that it's implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte's intended program. And because the updater program is triggered from the computer's firmware, outside its operating system, it's tough for users to remove or even discover. "If you have one of these machines, you have to worry about the fact that it's basically grabbing something from the internet and running it without you being involved, and hasn't done any of this securely," says John Loucaides, who leads strategy and research at Eclypsium. "The concept of going underneath the end user and taking over their machine doesn't sit well with most people."

  • by davidwr ( 791652 ) on Wednesday May 31, 2023 @01:49PM (#63565107) Homepage Journal

    This really should be grounds for a factory recall.

    • by Locke2005 ( 849178 ) on Wednesday May 31, 2023 @01:53PM (#63565121)
      Can't they just... use the automatic firmware updater to update the firmware to stop doing automatic firmware update? If it's never connected to the 'net, then it doesn't really need to be updated, does it?
      • Presumably they could disable it in a normal BIOS update that the user downloaded, instead of forcing it. It's pretty easy, as they use @BIOS (or at least my 990FX-G1-Gaming did, and also the board I had before it, GA-MA770T-UD3P).

        My G1 Gaming died and I just got what was cheap and convenient, now I have ASRock. Fingers crossed they turn out to be better than giga-byte.

        • The article says it uses UEFI not BIOS.
          • Re: (Score:3, Informative)

            by drinkypoo ( 153816 )

            The article says it uses UEFI not BIOS.

            What'll blow your mind is that when you boot up the machine it says UEFI BIOS. Cookie?

          • by vbdasc ( 146051 )

            The article says it uses UEFI not BIOS.

            That it uses UEFI is not surprising. It's exactly the UEFI that makes such shenanigans viable and easy to implement.

            • ASUS MagicGate was similar except it lived in a BIOS platform. A BIOS is software. A BIOS was as secure as the code that ran on it (or in the case of CIH, the lack of code that ran on it).

              BIOS defined the PC compatible platform. Without it, DOS and DOS compatible OS's couldn't exist because the interrupts supplied by the BIOS didn't exist. An X86-based platform could exist with its own firmware implementation that wasn't BIOS, but then we'd have the same issue of the 6500 series computer platform: a billi
              • Self-replying: UEFI also supports instructing a compatible OS to install certain drivers and software. This was exactly how Lenovo got away with hiding Windows-infecting spyware on their systems. That's a legitimate criticism of the companies for supplying this, and it's also on Microsoft for enabling this de-facto back-door. The purpose was to simplify finding and installing drivers so that the Windows platform could be more "macified", with any Windows media completing the install of any computer without
        • They're not. Gigabyte is the only manufacturer left that doesn't build their motherboards in mainland China, so no ties to slave labor. Asus does have such ties, and so it's rather likely that their sister companies do as well.
      • It's essentially a firmware rootkit, the UEFI BIOS injects code into Windows, bypassing all the security that's supposed to prevent this. So it's not an easy thing to fix.
      • Or update to a secure build...
    • I'd bet we could have 10x or 100x as many recalls before everyone is like "screw this, we're doing coreboot".

  • Nonpaywall Link (Score:5, Informative)

    by DarkRookie2 ( 5551422 ) on Wednesday May 31, 2023 @01:50PM (#63565111)
    https://www.pcworld.com/articl... [pcworld.com]
    Saw the story on Reddit earlier and someone shared that link.
  • by Anonymous Coward

    Luckily it's only "hackers" that might use this gift, and there's not too many of them around, so we're safe, right? Right?!?

  • Use coreboot (Score:5, Informative)

    by sinij ( 911942 ) on Wednesday May 31, 2023 @01:58PM (#63565135)
    I think Open Source community needs to take this issue more seriously and projects like coreboot [coreboot.org] need to be supported to the point where average user can flash OS firmware to select popular MBs. Similar to what OpenWRT and similar projects are doing for routers.
    • It takes a lot of work to make a motherboard support coreboot. Maybe their development cycle will speed up with more interested users and more tools like AI assisted coding/hacking GPIO stuff/etc.

      • by sinij ( 911942 )
        Could you please explain why it takes a lot of work? I know MiniFree had to narrow it down to just a few offerings because of that.
        • In short, because each firmware image is essentially a bespoke OS for unique hardware with approximately a gazillion functions and values that all have to be done right or the sucker will blow up.
    • AMD is headed in that direction, but it's gonna be a while.

    • One of my motherboards is from Gigabyte and is on that blacklist (BAD).
      I read the FA and my understanding is that this silent update requires Windows to work. In my case GOOD because that system runs exclusively under Linux.

      • No idea where you got that "understanding" because I actually read TFA and it said nothing about that at all. The updater runs in UEFI in a feature called "APP Center Download & Install". It doesn't touch the OS, it downloads and updates the firmware entirely from UEFI code.

        tl;dr Doesn't matter what OS you're running.

  • Gigabyte is one of my favorite MB manufacturers. MSI is my "least" favorite when they removed the capability to perform a bios update without a CPU from most of their MBs. I hope Gigabyte does their customers right. My PCs weren't affected, but this looks terrible for Gigabyte.
    • by slaker ( 53818 )

      If you have anything AM4ish or newer on the AMD side, support for firmware updates without a CPU is a chipset feature. I won't touch an MSI board for unrelated reasons, but you should still be able to do it on at least one of the root hubs on the I/O backplate.

  • by gweihir ( 88907 ) on Wednesday May 31, 2023 @02:07PM (#63565157)

    What kind of incredible idiot comes up with such an idea and what kind of absolute asshole signs off on it? Nobody can credibly claim today they were not aware of the extreme danger they expose their customers to with that.

  • by zmollusc ( 763634 ) on Wednesday May 31, 2023 @02:15PM (#63565185)

    This would mean that someone other than microsoft, my ISP, the application developers, facebook, google, five eyes, china and russia could snoop my data!

    • by sinij ( 911942 ) on Wednesday May 31, 2023 @02:20PM (#63565211)
      This means that some random asshole could turn your gaming rig into a DDoS bot and/or use it to mine crypto.
      • by pr0t0 ( 216378 ) on Wednesday May 31, 2023 @02:26PM (#63565235)

        Or that random asshole could use your computer to host his kiddie porn, and the FBI would like a word with you.

        Feel like fixing it now?

    • Weird. You forgot Intel and AMD themselves. Or is that being too paranoid? Ahahaha. We really should audit all the things.

  • They are a Taiwanese company. Not Chinese. Therefore it's more likely that the NSA got them to build this backdoor into their products! Unless... it was the Taiwanese themselves!!!111

    Can we add something from this to Mitre ATT&CK? It's pretty sparse on American threat actors, or Taiwanese for that matter.

  • yawn... it's starting to get cliche.

    • It is hard NOT to predict it. What are the "management engines" doing inside of CPUs? Waiting for a signal from the cell network? Ready to do what the key holder (not you!) wants? Over wireless comms?

      The current situation is because real security doesn't matter to the manufacturers, not because the authorities needed a back door.

  • "The concept of going underneath the end user and taking over their machine doesn't sit well with most people." - Microsoft has been doing this for over a decade now and people still use Windows. What are sheeple to do?

  • ripe for a state actor
  • does something similar

    it can be disabled in uefi though

    are these two equivalent?

  • if this was for Gigabyte's interest, or others?
  • and only does the HTTP part during the Windoze bring up. So not ever going to affect non-Windoze OSes, thankfully.

    Also, they say it is disabled by default - "The "WpbtDxe.efi" module checks if the "APP Center Download & Install" feature has been enabled in the BIOS/UEFI Setup before installing the executable into the WPBT ACPI table. Although this setting appears to be disabled by default, it was enabled on the system we examined."
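The quote above is the useful detail for anyone who wants to check their own box: the firmware module drops the updater into the WPBT ACPI table, and the table is published by the firmware whichever OS boots (Windows is the OS that acts on it, but Linux exposes the same table under sysfs). The script below is an added example written for this thread, not code from Eclypsium, Gigabyte or any commenter. It reads the live WPBT (sysfs on Linux, which needs root; GetSystemFirmwareTable on Windows) and decodes it using the field layout from Microsoft's published WPBT format, so you can see the size and physical address of the image the firmware queued and the command line it would be given. The UEFI setting name, OEM IDs and argument strings used in the builder are constructed for demonstration; the image itself sits at a physical address and needs a kernel-level tool to dump, so this reports where it is rather than fetching it.

```python
"""Read and decode the Windows Platform Binary Table (WPBT) on this machine.

Added example for this thread; not code from Eclypsium or Gigabyte. Layout per
Microsoft's WPBT format: 36-byte ACPI description header, then handoff size
(u32), handoff physical address (u64), content layout (u8), content type (u8),
argument length in bytes (u16) and an optional UTF-16LE argument string."""
import struct
import sys
from pathlib import Path
from typing import Optional

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # Signature .. Creator Revision
WPBT_BODY = struct.Struct("<IQBBH")              # size, location, layout, type, arg len
LINUX_WPBT = Path("/sys/firmware/acpi/tables/WPBT")  # exposed whenever the firmware publishes it


def parse_wpbt(blob: bytes) -> dict:
    """Decode a raw WPBT table; raise ValueError if it is malformed."""
    if len(blob) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("blob too short for a WPBT table")
    sig, length, rev, _csum, oem_id, oem_table_id, *_ = ACPI_HEADER.unpack_from(blob, 0)
    if sig != b"WPBT":
        raise ValueError(f"bad signature {sig!r}")
    if length != len(blob):
        raise ValueError(f"header says {length} bytes, got {len(blob)}")
    if sum(blob) & 0xFF:  # ACPI rule: all bytes of the table sum to 0 mod 256
        raise ValueError("ACPI checksum mismatch")
    size, location, layout, ctype, arglen = WPBT_BODY.unpack_from(blob, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if args_off + arglen > len(blob):
        raise ValueError("argument string runs past the end of the table")
    args = blob[args_off:args_off + arglen].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "revision": rev,
        "handoff_size": size,          # bytes of the PE image the OS is told to run
        "handoff_location": location,  # physical address of that image
        "content_layout": layout,      # 1 = single flat PE image
        "content_type": ctype,         # 1 = native user-mode application
        "args": args,                  # command line handed to the image
    }


def build_wpbt(location: int, size: int, args: str = "", oem_id: bytes = b"TEST") -> bytes:
    """Assemble a well-formed WPBT with a correct checksum (constructed test data)."""
    arg_bytes = args.encode("utf-16-le") + (b"\x00\x00" if args else b"")
    body = WPBT_BODY.pack(size, location, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              oem_id, b"WPBTTEST", 1, b"EXMP", 1)
    table = header + body
    csum = (-sum(table)) & 0xFF           # checksum byte sits at offset 9
    return table[:9] + bytes([csum]) + table[10:]


def read_platform_wpbt() -> Optional[bytes]:
    """Fetch the live WPBT from the running system, or None if there is none."""
    if LINUX_WPBT.exists():
        return LINUX_WPBT.read_bytes()    # root-only on most distributions
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        provider = int.from_bytes(b"ACPI", "big")     # 'ACPI' provider signature
        table_id = int.from_bytes(b"WPBT", "little")  # table signature as a DWORD
        needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
        if not needed:
            return None
        buf = ctypes.create_string_buffer(needed)
        k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
        return buf.raw
    return None


if __name__ == "__main__":
    raw = read_platform_wpbt()
    if raw is None:
        print("no WPBT table exposed by this firmware")
    else:
        for key, val in parse_wpbt(raw).items():
            print(f"{key:18} {val:#x}" if isinstance(val, int) else f"{key:18} {val}")
```

Run it as root (or an elevated prompt on Windows). A board with the feature off should report no table at all; a board with it on shows the image size and address and whatever arguments the firmware passes, which is what you would compare against the vendor's setup screen before trusting the toggle.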

  • by Fallen Kell ( 165468 ) on Wednesday May 31, 2023 @04:34PM (#63565683)
    Looks like I have new entries to add to my router blacklists. According to the article, block the following:
    http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
    https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
    https://software-nas/Swhttp/LiveUpdate4

    I would also block them by both the DNS name as (like in a pihole) and via IP address (such as in an IP tables outgoing destination and incoming source drop). This only works if you are not connecting directly to the internet with that hardware and are going through some kind of router and/or DNS that you have control over.
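Blocking at the router is only half of the job; you also want to know whether any host on the network has already been talking to those endpoints. The script below is an added example for this thread, not code from Eclypsium, Gigabyte or the commenter above. It takes the three URLs listed in that comment, flags matching requests in a proxy log, and emits dnsmasq/Pi-hole sink-hole lines for the hosts. The log format ('epoch client method target status') and the log lines themselves are constructed for the example; adapt the field split to your own proxy or DNS logs.

```python
"""Spot the Gigabyte updater endpoints from the comment above in proxy logs and
emit DNS sink-hole entries for them. Added example for this thread, not code
from Eclypsium, Gigabyte or the commenter. Log lines are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# The three URLs listed in the comment above.
UPDATER_URLS = [
    "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://software-nas/Swhttp/LiveUpdate4",
]
UPDATER_HOSTS = {urlsplit(u).hostname for u in UPDATER_URLS}
PATH_MARKER = "/swhttp/liveupdate4"  # common tail of all three paths, lower-cased


def classify(method: str, target: str) -> Optional[str]:
    """Label one request, or return None when it is unrelated.

    For HTTPS a proxy usually logs only 'CONNECT host:port', so the host set is
    the only usable signal there. The path marker catches the plaintext HTTP
    fetch and the odd case of the same path showing up on another host."""
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()
        return "gigabyte-updater" if host in UPDATER_HOSTS else None
    parts = urlsplit(target)
    host_hit = (parts.hostname or "").lower() in UPDATER_HOSTS
    path_hit = PATH_MARKER in parts.path.lower()
    if not (host_hit or path_hit):
        return None
    if parts.scheme == "http":
        return "gigabyte-updater-plaintext"  # downloader fetching over cleartext HTTP
    return "gigabyte-updater" if host_hit else "gigabyte-updater-path"


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, label, target) for every matching line."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        ts, client, method, target = fields[:4]
        label = classify(method, target)
        if label:
            findings.append((ts, client, label, target))
    return findings


def dnsmasq_blocklist(hosts=frozenset(UPDATER_HOSTS)) -> List[str]:
    """dnsmasq / Pi-hole lines that sink-hole each host.

    'software-nas' is a single-label name: a stub resolver may append the local
    search domain before querying, so also watch DNS logs for lookups of that
    label rather than relying on this entry alone."""
    return [f"address=/{h}/0.0.0.0" for h in sorted(hosts)]


# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    "1685548800 10.0.0.23 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 200",
    "1685548801 10.0.0.23 GET https://software-nas/Swhttp/LiveUpdate4 503",
    "1685548802 10.0.0.42 GET https://www.example.com/index.html 200",
    "1685548803 10.0.0.42 GET https://cdn.example.net/mirror/Swhttp/LiveUpdate4 200",
    "1685548804 10.0.0.23 CONNECT mb.download.gigabyte.com:443 200",
]

if __name__ == "__main__":
    for ts, client, label, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {client:12} {label:28} {target}")
    print("\n".join(dnsmasq_blocklist()))
```

The plaintext label is worth keeping separate: a cleartext fetch of an installer is exactly the step an on-path attacker would tamper with, so a client showing that label has the updater enabled and is exposed, not merely phoning home.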
  • Given their complete incompetence when it comes to actual firmware updates that are supposed to happen on purpose, I'm of a firm belief that not even the world's greatest hacker could exploit this, or indeed get their firmware updated if they are sitting at the PC in question logged in as root.

    Or maybe the NSA coded this. In which case thankfully we finally have a way of updating the firmware which may work.

  • by eriks ( 31863 )

    I just bought one of these boards. Figures. I agonized about what board to buy for months. I wanted an Asus board, but couldn't find one with what I wanted that was obtainable in my price range. (I refuse to pay $400 for a board when a $100 board will do just fine, I'm not a gamer.) It's in the process of becoming my primary system. I guess if it tries to inject crap into the system32 folder, it won't find it, since the only windows OS on it is in a VM. I'd imagine there's a way to turn it off, and if

  • Congress could change the jurisdiction of the (US) Federal Courts so that anyone who is victimized by a back door can sue the people who put it in for $1 per byte of data that can not be proven to not be affected. That would be Trillion$ per PC hacked.

    Congress could make it a "corporate felony" to distribute anything you put a back door into. When I say "corporate felony" I mean a new class of felony where every officer of that corporation and every owner of that corporation (including stock holders) all s

  • Just waiting for someone to attempt to justify that UEFI is better than bios because reasons that aren't security
  • I recently installed Windows 11 clean and when I got to the desktop for the first time I noticed that it had somehow already installed Gigabyte's "APP Center" down in the system tray area. That then told me I needed system drivers but it also tried to install Norton Internet Security as well. Coincidence?
  • It's gigabyte models 300 series and newer. Because that was so hard to say in the article.
  • My Banned-For-Life list.

    • Mine's full up already with companies tied to Chinese slave labor. Gigabyte is all that's left. Given "did something dumb" vs. "slavery", I'll go with the people who made a mistake over those who chose to do something evil.
  • by Budenny ( 888916 ) on Thursday June 01, 2023 @03:04AM (#63566559)

    Reading the comments and the piece, conclusions:

    Seems that if you are not running windows (or only in a VM) you will be immune, is this right?

    Then you should anyway immediately block the URLs, in your router, and find out what the IP address associated with them is, and block them too.

    And check in the UEFI settings whether this feature is blocked - it is reported to be off by default, though the one they looked at had it on.

    Will this fix it? Are you still exposed if only running Linux in bare metal mode?

    I have a machine with an affected board just ready to be commissioned. Absolutely infuriating that they would do this.
