Earlier this year Kaspersky Labs revealed Operation ShadowHammer, which used a modified version of the Asus Live Update Utility to compromise up to 1 million devices in what the security firm called "one of the biggest supply-chain incidents ever." Asus disputed the attack's scope, but it also confirmed that the attack did happen, and today it announced the adoption of a new digital certificate structure for its many software offerings.
Operation ShadowHammer's malicious utility was hard to detect because it was the same size as the official version, hosted on Asus servers, and signed with a legitimate certificate. Now the company has said that it's implementing "a tiered certificate structure that upgrades the security infrastructure of our expanding software ecosystem" which "requires the current code-signing certificate of several Asus products to be revoked."
This won't be a seamless transition. Asus said that switching to the new certificate structure would cause Windows to warn people when they use certain utilities, or prevent that software from working normally when someone tries to launch the "Setup.exe" or "AsusSetup.exe" files. People will have to download new versions of the software affected by this change if they want everything to function the way they've grown accustomed to.
But the company didn't offer a complete list of utilities affected by this change--all it said was that Aura, AI Suite III and GPU Tweak II are on that list. All of the software updates are available from a page on the Asus website, but the complete list of affected offerings is hidden behind menus upon menus, so it's hard to tell exactly how many programs are affected by this change.
Asus said there are four scenarios where this change will affect its customers. The first is when people use its programs, which leads to the problems explained above. The second prevents the installation of third-party drivers from an Asus support CD unless someone runs "Setup.exe" instead of "AsusSetup.exe." The third can prevent the CD from loading in the first place. And the fourth occurs when Windows is booted up.
That last issue only affects people whose motherboards are running Armoury Crate or Q-installer. Asus said Windows will show a warning about running Armoury Crate at boot; the only ways to continue are to stop using Armoury Crate or update the BIOS. Here's how to do the latter:
"To do this, first restart your PC, and then press the Delete (Del) or F2 key when prompted during the startup process. Now navigate to the ‘Tools’ tab and then select the ‘ASUS Armoury Crate’ category. Then choose the ‘Disable the Download & Install ARMOURY CRATE app’ option. To save these changes and restart the system, press the F10 key, then press Y when prompted. Alternatively, navigate to the ‘Save and Exit’ option within the BIOS menu, press the Enter key, then press Y to save changes and restart."
Hopefully the new certificate structure justifies these (mostly minimal) hassles by preventing attacks like Operation ShadowHammer in the future. It won't completely solve Asus' problems--the company's employees reportedly exposed their account credentials on GitHub--but at least it's a start.