Firmware Backdoor Discovered in Gigabyte Motherboards, 250+ Models Affected

Z790 Gaming X AX (Image credit: Gigabyte)

Update 06/01/2023 7:00 pm PT: Gigabyte has released new firmware that mitigates the updater issue described below. The updates are available from Gigabyte's official website, and owners can download and apply them to their motherboards now.

Original Article

On every boot, a piece of code inside the motherboard's firmware launches an updater program that connects to the Internet to check for and download the latest firmware. Eclypsium assessed that Gigabyte's implementation is unsafe: an attacker who can intercept or impersonate the update source can use it to install malware on the victim's system. The bigger problem is that the updater is embedded in the motherboard's firmware rather than installed on disk, so consumers can't simply uninstall it, and it comes back on every restart.

Gigabyte isn't the only vendor that uses this kind of mechanism to facilitate firmware updates. Other motherboard manufacturers use similar approaches, which raises the question of whether any of them is safe; Asus' Armoury Crate, for example, is delivered in much the same way as Gigabyte's APP Center. According to Eclypsium's findings, Gigabyte's updater contacts three different endpoints for firmware updates:

  • http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://software-nas/Swhttp/LiveUpdate4

Eclypsium assessed that the updater downloads and runs code on the user's system without proper authentication: it performs no cryptographic digital signature verification or any other validation of what it fetched. As a result, both the HTTP and the HTTPS connections are exposed to Machine-in-the-middle (MITM) attacks. The plain-HTTP URL can be tampered with by anyone on the network path, and Eclypsium reports that the HTTPS connection does not validate the server's certificate correctly, so it offers little more protection. The third endpoint, software-nas, is an unqualified hostname that is resolved on the local network, which means the updater will also fetch firmware from a NAS inside the LAN; an attacker on the same network who can answer that name lookup can spoof the NAS and serve the victim malware.
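To make the missing checks concrete, here is an added example (not Gigabyte's or Eclypsium's code) of what an updater has to do before it trusts a download: validate the TLS certificate, accept only fully qualified allow-listed hosts over HTTPS, and verify a signed manifest that binds the payload hash and version. The allow-list, manifest format and verification key are assumptions; HMAC stands in for the asymmetric signature a real updater would use, so the example stays standard-library only.

```python
"""Added example, not Gigabyte's or Eclypsium's code: the checks a firmware
updater must make before it trusts anything it downloaded. The allow-list,
manifest format and signing key are assumptions for illustration."""
import hashlib
import hmac
import json
import ssl
from urllib.parse import urlparse

# Assumption: the updater carries a fixed allow-list of fully qualified
# update hosts. "software-nas" is deliberately absent: an unqualified name is
# resolved on the local network, so whoever answers that lookup is the server.
ALLOWED_HOSTS = {"mb.download.gigabyte.com"}

# Stand-in for the vendor's verification key. HMAC keeps this example
# stdlib-only; a real updater must use an asymmetric signature (e.g. Ed25519)
# so the key embedded in firmware cannot be used to forge manifests.
VERIFY_KEY = b"assumed-vendor-signing-key"


def insecure_tls_context() -> ssl.SSLContext:
    """An HTTPS client that skips certificate validation: the handshake
    completes against any certificate, so an on-path attacker can impersonate
    the update server just as easily as over plain HTTP."""
    return ssl._create_unverified_context()


def secure_tls_context() -> ssl.SSLContext:
    """An HTTPS client that verifies both the certificate chain and the hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def source_allowed(url: str) -> bool:
    """Only https:// to a fully qualified, allow-listed host is acceptable."""
    u = urlparse(url)
    if u.scheme != "https" or not u.hostname:
        return False
    if "." not in u.hostname:          # bare LAN name such as "software-nas"
        return False
    return u.hostname in ALLOWED_HOSTS


def _signed_bytes(version: int, digest: str) -> bytes:
    # Canonical encoding so signer and verifier MAC exactly the same bytes.
    return json.dumps({"sha256": digest, "version": version}, sort_keys=True).encode()


def make_manifest(payload: bytes, version: int) -> dict:
    """Vendor side (assumed format): bind payload hash and version, then sign."""
    digest = hashlib.sha256(payload).hexdigest()
    sig = hmac.new(VERIFY_KEY, _signed_bytes(version, digest), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "sig": sig}


def accept_update(manifest: dict, payload: bytes, installed_version: int) -> bool:
    """Client side: refuse to run the payload unless the manifest signature
    verifies, the version is newer than what is installed (no downgrade to an
    older, vulnerable build), and the payload matches the signed hash."""
    expected = hmac.new(VERIFY_KEY, _signed_bytes(manifest["version"], manifest["sha256"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("sig", ""))):
        return False
    if manifest["version"] <= installed_version:
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


if __name__ == "__main__":
    # Constructed sample inputs: a genuine payload, a tampered copy, and a
    # manifest whose version field was bumped after signing.
    good = b"GIGABYTE-FIRMWARE-EXAMPLE-v42"
    manifest = make_manifest(good, version=42)
    print(accept_update(manifest, good, installed_version=41))            # True
    print(accept_update(manifest, good + b"\x90", installed_version=41))  # False
    print(accept_update(dict(manifest, version=43), good, 41))            # False
    print(source_allowed("https://software-nas/Swhttp/LiveUpdate4"))     # False
```

The order of checks matters: the signature is verified before any field of the manifest is believed, the version test prevents an attacker from replaying a genuinely signed but older build, and the hash comparison uses a constant-time compare so a MITM cannot learn anything from timing.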

The updater is standard across Gigabyte's lineup. Eclypsium has published an extensive list of affected models: 271 motherboards spanning both Intel and AMD platforms, from boards as old as the AMD 400-series chipsets up to the latest Intel 700-series and AMD 600-series models.

Eclypsium has already shared its findings with Gigabyte, and the motherboard vendor is working on a fix. Ironically, that fix will most likely arrive as yet another firmware update. In the meantime, Gigabyte motherboard owners can take some measures to safeguard their systems.

Eclypsium recommends disabling the "APP Center Download & Install" option in the motherboard's firmware setup, since that setting is what launches the updater. For good measure, set a BIOS/UEFI administrator password so the option cannot be changed without authorization. Last but not least, users and administrators can block the three URLs above at the network level; note that the third, software-nas, is a bare hostname that never leaves the LAN, so it should be blocked or sinkholed in local DNS rather than at an Internet-facing firewall.
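Blocking the endpoints also gives you a detection opportunity: any machine still requesting them has the firmware option enabled. The following is an added example (not from the article or from Eclypsium) that scans proxy-style log lines for the three updater hostnames and flags the two weak cases, the cleartext HTTP request and the bare-hostname lookup. The log format and the sample lines are constructed for illustration.

```python
"""Added example, not from the article or Eclypsium: find clients that are
still beaconing to the updater endpoints in a web-proxy log, so an operator
can tell which boards need the firmware option disabled. The log format and
sample lines are constructed for illustration."""
import re
from urllib.parse import urlparse

# Hostnames from the three URLs the article lists. Matching is on the host
# rather than the full URL, since the path can change between updater builds.
UPDATER_HOSTS = {"mb.download.gigabyte.com", "software-nas"}

# Assumed log shape: "<timestamp> <client_ip> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_updater_beacons(lines):
    """Return one record per matching request. 'cleartext' marks the plain
    HTTP endpoint (trivially tampered with on the path); 'unqualified' marks
    the bare LAN name, whose resolution any local attacker can answer."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # ignore lines in other formats
        u = urlparse(m["url"])
        host = (u.hostname or "").lower()
        if host not in UPDATER_HOSTS:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "host": host,
            "cleartext": u.scheme == "http",
            "unqualified": "." not in host,
        })
    return hits


def clients_to_remediate(lines):
    """Distinct client addresses seen contacting any updater endpoint."""
    return sorted({h["client"] for h in find_updater_beacons(lines)})


# Constructed sample log: two boards beaconing, one unrelated request,
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "2023-06-01T08:01:02Z 10.0.0.17 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 200",
    "2023-06-01T08:01:03Z 10.0.0.17 GET https://software-nas/Swhttp/LiveUpdate4 503",
    "2023-06-01T08:01:04Z 10.0.0.23 GET https://www.example.com/index.html 200",
    "2023-06-01T08:02:10Z 10.0.0.42 GET https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 200",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for hit in find_updater_beacons(SAMPLE_LOG):
        print(hit)
    print(clients_to_remediate(SAMPLE_LOG))   # ['10.0.0.17', '10.0.0.42']
```

In practice the HTTPS requests will show up as CONNECT entries or DNS queries rather than full URLs, so adapt the regular expression to your proxy or resolver log; the hostname match is the part that carries over unchanged.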

Zhiye Liu
News Editor, RAM Reviewer & SSD Technician

Zhiye Liu is a news editor, memory reviewer, and SSD tester at Tom’s Hardware. Although he loves everything that’s hardware, he has a soft spot for CPUs, GPUs, and RAM.