Millions of PC Motherboards Were Sold With a Firmware Backdoor (wired.com)
Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs -- a feature ripe for abuse, researchers say. From a report: Hiding malicious programs in a computer's UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become an insidious trick in the toolkit of stealthy hackers. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers -- and doesn't even put a proper lock on that hidden back entrance -- they're practically doing hackers' work for them. Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they've discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with the affected Gigabyte motherboard restarts, Eclypsium found, code within the motherboard's firmware invisibly initiates an updater program that runs on the computer and in turn downloads and executes another piece of software.
While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard's firmware updated, researchers found that it's implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte's intended program. And because the updater program is triggered from the computer's firmware, outside its operating system, it's tough for users to remove or even discover. "If you have one of these machines, you have to worry about the fact that it's basically grabbing something from the internet and running it without you being involved, and hasn't done any of this securely," says John Loucaides, who leads strategy and research at Eclypsium. "The concept of going underneath the end user and taking over their machine doesn't sit well with most people."
Grounds for a factory recall (Score:4, Interesting)
This really should be grounds for a factory recall.
Re: (Score:2)
Presumably they could disable it in a normal BIOS update that the user downloaded, instead of forcing it. It's pretty easy, as they use @BIOS (or at least my 990FX-G1-Gaming did, and also the board I had before it, GA-MA770T-UD3P).
My G1 Gaming died and I just got what was cheap and convenient, now I have ASRock. Fingers crossed they turn out to be better than Gigabyte.
Re: (Score:3, Informative)
The article says it uses UEFI not BIOS.
What'll blow your mind is that when you boot up the machine it says UEFI BIOS. Cookie?
Re: (Score:2)
The article says it uses UEFI not BIOS.
That it uses UEFI is not surprising. It's exactly the UEFI that makes such shenanigans viable and easy to implement.
Re: (Score:2)
BIOS defined the PC compatible platform. Without it, DOS and DOS compatible OSes couldn't exist because the interrupts supplied by the BIOS didn't exist. An x86-based platform could exist with its own firmware implementation that wasn't BIOS, but then we'd have the same issue of the 6500 series computer platform: a billi
Re: (Score:2)
The purpose was to simplify finding and installing drivers
For the paranoid, that excuse does not fly.
Re: Grounds for a factory recall (Score:2)
I'd bet we could have 10x or 100x as many recalls before everyone is like "screw this, we're doing coreboot".
Nonpaywall Link (Score:5, Informative)
Saw the story on Reddit earlier and someone shared that link.
List of affected models (Score:5, Informative)
This was shared as well
UEFI, the gift that keeps on giving (Score:1)
Luckily it's only "hackers" that might use this gift, and there's not too many of them around, so we're safe, right? Right?!?
Use coreboot (Score:5, Informative)
Re: Use coreboot (Score:2)
It takes a lot of work to make a motherboard support coreboot. Maybe their development cycle will speed up with more interested users and more tools like AI assisted coding/hacking GPIO stuff/etc.
Re: (Score:3)
AMD is headed in that direction, but it's gonna be a while.
Re: (Score:3)
One of my motherboards is from Gigabyte and is on that blacklist (BAD).
I read the FA and my understanding is that this silent update requires Windows to work. In my case GOOD because that system runs exclusively under Linux.
Re: (Score:2)
No idea where you got that "understanding" because I actually read TFA and it said nothing about that at all. The updater runs in UEFI in a feature called "APP Center Download & Install". It doesn't touch the OS; it downloads and updates the firmware entirely from UEFI code.
tl;dr Doesn't matter what OS you're running.
Say it isn't so (Score:1)
Re: (Score:3)
If you have anything AM4ish or newer on the AMD side, support for firmware updates without a CPU is a chipset feature. I won't touch an MSI board for unrelated reasons, but you should still be able to do it on at least one of the root hubs on the I/O backplate.
Bloody hell! (Score:3)
What kind of incredible idiot comes up with such an idea and what kind of absolute asshole signs off on it? Nobody can credibly claim today they were not aware of the extreme danger they expose their customers to with that.
Re:Bloody hell! (Score:4, Informative)
Pretty much everyone, from incompetent diversity hire to an overzealous nerd who's told that users don't update their firmware enough.
Windows 10 taught a lot of people that their computer will just update random shit out of the blue with no user control over the entire process. This is simply an extension of so many people having been forced to learn this.
(In before some brainlet screeching that you can defer updates).
Re: (Score:2)
"incompetent diversity hire"? In Taiwan? Take your woke mind-virus and sit on it.
Re: (Score:2)
Wait, you think coding work isn't outsourced to cheapest source that is still sufficiently ESG and SEL compliant to ensure that capital remains cheap?
Re: (Score:2)
So it's pretty normal nowadays that people don't read past the first paragraph. It's getting unfortunately somewhat common that people don't read past the first sentence.
You didn't even finish the first sentence before angrily typing out multiple sentences of angry bitching, all of which was in fact pre-emptively debunked in the... single sentence response you didn't finish reading.
Are you projecting the AI part?
Re: (Score:2)
Ah yes. I did see that "download something" option on my last non-gigabyte mainboard as well. Looked fishy to me, so I disabled it along with the UEFI network stack. I hope I will not have to start to firewall PCs until the OS runs. Can be done but would be a pain.
But seriously, with friends like these who needs enemies?
Re: (Score:2)
So Microsoft is supporting this crap? The mind boggles.
Re:Bloody hell! (Score:4, Informative)
Unfortunately some manufacturers use this mechanism to install random garbage that subverts the OS. (Windows also has its own mechanism to update the firmware via UEFI capsules. The crap from TFS is apparently Gigabyte's version baked into the firmware and installed via the boot driver support.)
For fun, here's a github project that installs crap into that firmware table. [github.com]
Re: (Score:2)
Incredible. Windows really has to be treated as somewhat benign malware these days.
Thanks for the link, very interesting.
Oh Jesus! The horror! (Score:3, Funny)
This would mean that someone other than microsoft, my ISP, the application developers, facebook, google, five eyes, china and russia could snoop my data!
Re:Oh Jesus! The horror! (Score:4, Insightful)
Or that random asshole could use your computer to host his kiddie porn, and the FBI would like a word with you.
Feel like fixing it now?
Re: (Score:3)
So unless you have a log o
Re: (Score:2)
This kind of defense always turns into "you need to prove it happened" as opposed to "it could have happened".
Add to this that by the time you are asked for such proof, you are in a rather bad situation to prove anything at all about your computer. Indeed, you no longer have it. They typically take it away from you early on, after all.
So unless you have a log of all the network connections to your computer along with the payloads
That also presumes that the judge has a sufficient understanding about computers to not (willfully or not) misinterpret those logs.
Re: Oh Jesus! The horror! (Score:2)
Weird. You forgot Intel and AMD themselves. Or is that being too paranoid? Ahahaha. We really should audit all the things.
Re: Oh my, ... (Score:2)
I don't get what makes you think Apple can't have malicious employees hired/blackmailed into adding bugs/backdoors/whatever.
Where is Gigabyte based? (Score:2)
They are a Taiwanese company. Not Chinese. Therefore it's more likely that the NSA got them to build this backdoor into their products! Unless... it was the Taiwanese themselves!!!111
Can we add something from this to MITRE ATT&CK? It's pretty sparse on American threat actors, or Taiwanese for that matter.
Re: (Score:2)
Second, don't attribute to malice what can be attributed to incompetence.
Remember when I predicted this? (Score:1)
yawn... it's starting to get cliche.
Re: (Score:2)
It is hard NOT to predict it. What are the "management engines" doing inside of CPUs? Waiting for a signal from the cell network? Ready to do what the key holder (not you!) wants? Over wireless comms?
The current situation is because real security doesn't matter to the manufacturers, not because the authorities needed a back door.
But Microsoft (Score:2)
"The concept of going underneath the end user and taking over their machine doesn't sit well with most people." - Microsoft has been doing this for over a decade now and people still use Windows. What are sheeple to do?
A feature (Score:2)
asus's "armory crate" (Score:2)
does something similar
it can be disabled in uefi though
are these two equivalent?
I have to wonder (Score:2)
Looks like it requires Windoze (Score:2)
and only does the HTTP part during the Windoze bring-up. So not ever going to affect non-Windoze OSes, thankfully.
Also, they say it is disabled by default - "The "WpbtDxe.efi" module checks if the "APP Center Download & Install" feature has been enabled in the BIOS/UEFI Setup before installing the executable into the WPBT ACPI table. Although this setting appears to be disabled by default, it was enabled on the system we examined."
Blacklist (Score:3)
http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
https://software-nas/Swhttp/LiveUpdate4
I would also block them by both the DNS name (like in a Pi-hole) and the IP address (such as in an iptables outgoing-destination and incoming-source drop rule). This only works if you are not connecting directly to the internet with that hardware and are going through some kind of router and/or DNS that you have control over.
Yeah but it's Gigabyte (Score:2)
Given their complete incompetence when it comes to actual firmware updates that are supposed to happen on purpose, I'm of a firm belief that not even the world's greatest hacker could exploit this, or indeed get the firmware updated if they are sitting at the PC in question logged in as root.
Or maybe the NSA coded this. In which case thankfully we finally have a way of updating the firmware which may work.
Aargh (Score:2)
I just bought one of these boards. Figures. I agonized about what board to buy for months. I wanted an Asus board, but couldn't find one with what I wanted that was obtainable in my price range. (I refuse to pay $400 for a board when a $100 board will do just fine, I'm not a gamer.) It's in the process of becoming my primary system. I guess if it tries to inject crap into the system32 folder, it won't find it, since the only windows OS on it is in a VM. I'd imagine there's a way to turn it off, and if
Congress could fix this... (Score:2)
Congress could change the jurisdiction of the (US) Federal Courts so that anyone who is victimized by a back door can sue the people who put it in for $1 per byte of data that can not be proven to not be affected. That would be Trillion$ per PC hacked.
Congress could make it a "corporate felony" to distribute anything you put a back door into. When I say "corporate felony" I mean a new class of felony where every officer of that corporation and every owner of that corporation (including stock holders) all s
UEFI is not secure (Score:2)
I noticed this after a clean Win11 install. (Score:2)
Windows Feature (Score:2)
Windows does that, downloads and installs whatever executable for your hardware, which might be nice for some people.
For the TLDR (Score:2)
Gigabyte, welcome to ... (Score:2)
My Banned-For-Life list.
Seem to be two or three things one should do (Score:3)
Reading the comments and the piece, conclusions:
Seems that if you are not running windows (or only in a VM) you will be immune, is this right?
Then you should anyway immediately block the URLs, in your router, and find out what the IP address associated with them is, and block them too.
And check in the UEFI settings whether this feature is blocked - it is reported to be off by default, though the one they looked at had it on.
Will this fix it? Are you still exposed if only running Linux in bare metal mode?
I have a machine with an affected board just ready to be commissioned. Absolutely infuriating that they would do this.
Seems the urls are now offline? (Score:2)
Seems like the urls have been taken offline? I am getting 404.
Re: (Score:2)
The action is all (including all network accesses) in Windoze. The only thing the UEFI does is place a Windoze driver into a reserved EFI space for Windoze to later execute.
And it's disabled by default anyway.
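The WPBT mechanism described in the comment quoting Eclypsium (WpbtDxe.efi installing an executable into the WPBT ACPI table) and in the comment above (the UEFI only places a Windows binary where Windows will later execute it) can be checked from the OS side. The following is an added example, not code from the article, Eclypsium, Gigabyte, or any commenter: it parses a Windows Platform Binary Table using the layout from Microsoft's public WPBT specification (36-byte ACPI header, then handoff memory size and physical address, content layout, content type, and for a native user-mode application a UTF-16 argument string), verifies the ACPI checksum, and reports where the firmware-staged binary lives. The sample table bytes are constructed here; the OEM IDs in it are placeholders, not Gigabyte's. On Linux the raw table, when the firmware publishes one, is at /sys/firmware/acpi/tables/WPBT (root needed to read it); Linux ignores the table, which is why only Windows runs the staged binary.

```python
"""Parse a Windows Platform Binary Table (WPBT) published by firmware.

Added example, not code from the article, Eclypsium or Gigabyte. Layout per
Microsoft's WPBT specification; the sample table below is constructed here.
"""
import struct
from dataclasses import dataclass
from pathlib import Path

# Standard 36-byte ACPI table header: Signature, Length, Revision, Checksum,
# OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body that follows the header: HandoffMemorySize, HandoffMemoryLocation,
# ContentLayout, ContentType (all packed, no padding).
WPBT_BODY = struct.Struct("<IQBB")
LAYOUT_SINGLE_PE = 1          # the only layout the spec defines
TYPE_NATIVE_USER_APP = 1      # native user-mode application run by smss.exe


@dataclass
class Wpbt:
    length: int
    checksum_ok: bool
    oem_id: str
    oem_table_id: str
    binary_paddr: int     # physical address where firmware staged the PE image
    binary_size: int
    layout: int
    content_type: int
    arguments: str        # command line handed to the staged binary


def acpi_checksum(table: bytes) -> int:
    """An ACPI table is valid when all of its bytes sum to 0 modulo 256."""
    return sum(table) & 0xFF


def parse_wpbt(table: bytes) -> Wpbt:
    """Parse raw WPBT bytes; raises ValueError on a malformed table."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    sig, length, _rev, _chk, oem_id, oem_tid, _orev, _cid, _crev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != buffer length {len(table)}")
    size, paddr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args = ""
    off = ACPI_HEADER.size + WPBT_BODY.size
    if ctype == TYPE_NATIVE_USER_APP and off + 2 <= length:
        (arg_len,) = struct.unpack_from("<H", table, off)
        raw = table[off + 2: off + 2 + arg_len]
        args = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return Wpbt(
        length=length,
        checksum_ok=acpi_checksum(table) == 0,
        oem_id=oem_id.decode("ascii", "replace").strip("\x00 "),
        oem_table_id=oem_tid.decode("ascii", "replace").strip("\x00 "),
        binary_paddr=paddr,
        binary_size=size,
        layout=layout,
        content_type=ctype,
        arguments=args,
    )


def build_sample_wpbt(paddr: int = 0x7F000000, size: int = 0x2000,
                      args: str = "/quiet") -> bytes:
    """Construct a well-formed sample table (placeholder OEM IDs, not a real board)."""
    arg_bytes = args.encode("utf-16-le")
    body = (WPBT_BODY.pack(size, paddr, LAYOUT_SINGLE_PE, TYPE_NATIVE_USER_APP)
            + struct.pack("<H", len(arg_bytes)) + arg_bytes)
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"WPBTSAMP", 1, b"EXMP", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) & 0xFF   # checksum byte at offset 9 makes the sum zero
    return bytes(table)


def read_system_wpbt(path: str = "/sys/firmware/acpi/tables/WPBT"):
    """Return the parsed table from a Linux host, or None if firmware exposes none."""
    p = Path(path)
    if not p.exists():
        return None
    return parse_wpbt(p.read_bytes())


if __name__ == "__main__":
    live = read_system_wpbt()
    print("host WPBT:", live if live else "none published by this firmware")
    print("sample:", parse_wpbt(build_sample_wpbt()))
```

A present table with content type 1 means Windows' session manager will write the staged image into the system directory and execute it on every boot, regardless of what was in the filesystem before; a bad checksum or a length mismatch is itself worth a closer look at the firmware. Per Microsoft's WPBT specification, setting the DWORD DisableWpbtExecution to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager stops Windows from running the staged binary, which complements disabling the "APP Center Download & Install" setting in UEFI setup and blocking the update hosts listed above.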