Published on June 11th, 2023

Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor


Gigabyte’s updater alone might have raised concerns for users who don’t trust Gigabyte to silently install code on their machine with a nearly invisible tool—or who worry that Gigabyte’s mechanism could be exploited by hackers who compromise the motherboard manufacturer to exploit its hidden access in a software supply chain attack. But Eclypsium also found that the update mechanism was implemented with glaring vulnerabilities that could allow it to be hijacked: It downloads code to the user’s machine without properly authenticating it, sometimes even over an unprotected HTTP connection, rather than HTTPS. This would allow the installation source to be spoofed by a man-in-the-middle attack carried out by anyone who can intercept the user’s internet connection, such as a rogue Wi-Fi network.

In other cases, the updater installed by the mechanism in Gigabyte’s firmware is configured to be downloaded from a local network-attached storage device (NAS), a feature that appears to be designed for business networks to administer updates without all of their machines reaching out to the internet. But Eclypsium warns that in those cases, a malicious actor on the same network could spoof the location of the NAS to invisibly install their own malware instead.

Gigabyte did not respond to WIRED’s multiple requests for comment regarding Eclypsium’s findings. But a day after Eclypsium revealed the firmware issue, Gigabyte announced updates to its firmware with "enhanced verification" of the code its updater program downloads to machines that use its motherboards. According to Gigabyte, that code is now cryptographically signed and verified, "thwarting any attempts by attackers to insert malicious code," and the server it is downloaded from is also authenticated with a cryptographic certificate. Release notes accompanying the update state that it "addresses download assistant vulnerabilities" uncovered by Eclypsium.
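The two failure modes the article describes (plaintext HTTP that a man-in-the-middle can rewrite, and a spoofable NAS location) and the fix Gigabyte describes (signed code plus an authenticated server) boil down to one client-side rule: never install bytes whose hash is not bound to a vendor signature, and never fetch them over a channel the attacker can rewrite. The Go program below is an added illustration of that rule, not code from Gigabyte, Eclypsium or WIRED; the manifest format, the `Manifest`/`VerifyUpdate` names, the fixed demo key seed and the `example.invalid` URLs are all assumptions constructed for the example. It uses only the Go standard library's Ed25519 and SHA-256.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the small record a vendor signs for each update (assumed format).
// Signing the manifest, rather than trusting the transport, binds the payload's
// hash and its download location to the vendor key, so neither an HTTP
// man-in-the-middle nor a spoofed NAS share can substitute a different file.
type Manifest struct {
	URL     string // where the updater fetches the payload
	Version string
	SHA256  string // hex-encoded SHA-256 of the payload
}

// canonical serialises the signed fields in a fixed order so that signer and
// verifier sign and verify exactly the same bytes.
func (m Manifest) canonical() []byte {
	return []byte("url=" + m.URL + "\nversion=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

var (
	ErrInsecureTransport = errors.New("update URL must use https")
	ErrBadSignature      = errors.New("manifest signature does not verify")
	ErrHashMismatch      = errors.New("payload SHA-256 does not match signed manifest")
)

// SignManifest produces the vendor's Ed25519 signature over the manifest.
// In a real deployment this runs on release infrastructure, never on the client.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyUpdate is the client-side gate. It refuses plaintext download URLs,
// checks the vendor signature over the manifest, and only then checks that the
// downloaded bytes match the signed hash. Install only when it returns nil.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	want, err := hex.DecodeString(m.SHA256)
	got := sha256.Sum256(payload)
	if err != nil || !bytes.Equal(got[:], want) {
		return ErrHashMismatch
	}
	return nil
}

// DemoKeyPair derives a fixed key pair from a constructed 32-byte seed so the
// example is reproducible offline. A real vendor key would come from
// crypto/rand and live in an HSM or signing service.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// NewDemoManifest builds a manifest for a constructed payload at a placeholder URL.
func NewDemoManifest(rawURL string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{URL: rawURL, Version: "demo-1", SHA256: hex.EncodeToString(sum[:])}
}

func main() {
	pub, priv := DemoKeyPair()
	payload := []byte("constructed firmware-updater payload bytes") // constructed sample
	good := NewDemoManifest("https://updates.example.invalid/updater.bin", payload)
	sig := SignManifest(priv, good)

	fmt.Println("genuine update:     ", VerifyUpdate(pub, good, sig, payload))
	// A man-in-the-middle swaps the bytes on the wire: hash check fails.
	fmt.Println("tampered payload:   ", VerifyUpdate(pub, good, sig, []byte("other bytes")))
	// A plaintext download URL is refused before anything else is checked.
	plain := good
	plain.URL = "http://updates.example.invalid/updater.bin"
	fmt.Println("http manifest:      ", VerifyUpdate(pub, plain, SignManifest(priv, plain), payload))
	// A manifest re-pointed at a spoofed NAS share after signing fails the signature check.
	spoofed := good
	spoofed.URL = "https://nas.example.invalid/updater.bin"
	fmt.Println("re-pointed manifest:", VerifyUpdate(pub, spoofed, sig, payload))
}
```

The order of the checks matters: the scheme test runs first so that a downgraded URL is never even fetched, and the signature is checked before the hash so that an attacker who controls the download location cannot also supply a matching hash. The HTTPS requirement stands in for the "server authenticated with a cryptographic certificate" part of Gigabyte's fix; the signed manifest stands in for the "cryptographically signed and verified" part, and the two are independent, so a compromised or misconfigured TLS endpoint still cannot push unsigned code.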

Even now that Gigabyte has pushed out a fix, which itself arrives as a firmware update (the problem, after all, stems from a Gigabyte tool intended to automate firmware updates), Eclypsium’s Loucaides points out that firmware updates often silently abort on users’ machines, in many cases because of their complexity and the difficulty of matching firmware and hardware. “I still think this will end up being a fairly pervasive problem on Gigabyte boards for years to come,” Loucaides says.


Given the millions of potentially affected devices, Eclypsium’s discovery is “troubling,” says Rich Smith, chief security officer of the supply-chain-focused cybersecurity startup Crash Override. Smith has published research on firmware vulnerabilities and reviewed Eclypsium’s findings. He compares the situation to the Sony rootkit scandal of the mid-2000s: Sony had hidden digital-rights-management code on CDs that invisibly installed itself on users’ computers and, in doing so, created a vulnerability that hackers used to hide their malware. “You can use techniques that have traditionally been used by malicious actors, but that wasn’t acceptable, it crossed the line,” Smith says. “I can’t speak to why Gigabyte chose this method to deliver their software. But for me, this feels like it crosses a similar line in the firmware space.”

Smith acknowledges that Gigabyte probably had no malicious or deceptive intent in its hidden firmware tool. But by leaving security vulnerabilities in the invisible code that lies beneath the operating system of so many computers, it nonetheless erodes a fundamental layer of trust users have in their machines. “There’s no intent here, just sloppiness. But I don’t want anyone writing my firmware who’s sloppy,” says Smith. “If you don’t have trust in your firmware, you’re building your house on sand.”

Update 9:30 am, Tuesday, June 6, 2023: Following publication, Gigabyte announced the release of updates to its firmware. The company says the additional secure measures will better protect users of its affected motherboards from “attempts by attackers to insert malicious code.”
