Firmware Backdoor Discovered in Gigabyte Motherboards, 250+ Models Affected

Z790 Gaming X AX (Image credit: Gigabyte)

Update 06/01/2022 7:00 pm PT: Gigabyte has deployed new firmware that mitigates the firmware backdoors. The firmware updates, which are available at Gigabyte's official website, are online for consumers to download and update their motherboard.

Original Article

Cybersecurity firm Eclypsium has discovered a backdoor in Gigabyte's firmware that puts 271 different motherboards at risk. These include models with Intel and AMD chipsets from the last several years, all the way up to today's Z790 and X670 SKUs. The vulnerability resides in a small updater program that Gigabyte employs to ensure that the motherboard's firmware is always current. Apparently, it's doing so via an unsecured implementation.

Have you ever noticed that after a clean Windows installation, a program pops up offering to download the latest driver or firmware for you? Unfortunately, that little piece of code could provide a backdoor for criminals.

Upon every system restart, a piece of code inside the firmware launches an updater program that connects to the Internet to check for and download the latest firmware for the motherboard. Eclypsium assessed that Gigabyte's implementation is unsafe and that attackers can exploit it to install malware on the victim's system. The big problem is that the updater program resides inside the motherboard's firmware, so consumers can't easily remove it.

Gigabyte isn't the only vendor to use this type of program to facilitate firmware updates. Other motherboard manufacturers utilize a similar method, raising the question of whether any of them is safe. For example, Asus' Armoury Crate software functions similarly to Gigabyte's App Center. According to Eclypsium's findings, Gigabyte's updater program contacts three different sites for firmware updates:

  • http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://software-nas/Swhttp/LiveUpdate4

Eclypsium assessed that the updater downloads code to the user's system without proper authentication. It doesn't use any cryptographic digital signature verification or other validation methods. As a result, both the HTTP and the HTTPS connections are vulnerable to machine-in-the-middle (MITM) attacks, with plain HTTP being more exposed than HTTPS. Besides connecting to the Internet, Eclypsium also uncovered that the updater can download firmware updates from a NAS device within the local network. A malicious actor can similarly spoof the NAS and infect the victim with spyware.
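The following Go program is an added example, not Gigabyte's or Eclypsium's code. It contrasts the weak "accept whatever arrives" pattern the article describes with the check a hardened updater would perform before trusting a download: refuse plaintext HTTP, pin the expected download host, and verify a detached Ed25519 signature under a vendor public key embedded in the client. The stand-in key pair, the sample payload and the signature layout are assumptions for illustration; only the URL comes from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Added example, not Gigabyte's or Eclypsium's code. The vendor key pair,
// the payload and the detached-signature layout are assumptions.

// AcceptUpdateUnverified mirrors the weak pattern the article describes:
// the downloaded bytes are handed straight on with no origin or
// integrity check.
func AcceptUpdateUnverified(payload []byte) []byte {
	return payload
}

// AcceptUpdate is the hardened counterpart. It refuses plaintext HTTP,
// pins the expected download host, and requires a detached Ed25519
// signature over the payload that verifies under the embedded vendor key.
func AcceptUpdate(rawURL string, payload, sig []byte, vendorPub ed25519.PublicKey, allowedHost string) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, fmt.Errorf("bad update URL: %w", err)
	}
	if u.Scheme != "https" {
		return nil, errors.New("refusing non-HTTPS update source")
	}
	if !strings.EqualFold(u.Hostname(), allowedHost) {
		return nil, fmt.Errorf("unexpected update host %q", u.Hostname())
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendorPub, payload, sig) {
		return nil, errors.New("signature verification failed; payload rejected")
	}
	return payload, nil
}

// NewVendorKeyPair stands in for the vendor's key ceremony. Assumption: in a
// real deployment only the public half is embedded in the firmware; the
// private half never leaves the vendor's signing infrastructure.
func NewVendorKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor-side step that produces the detached signature.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

func main() {
	pub, priv := NewVendorKeyPair()
	payload := []byte("constructed firmware image bytes") // constructed sample
	sig := SignUpdate(priv, payload)
	const host = "mb.download.gigabyte.com"
	const good = "https://" + host + "/FileList/Swhttp/LiveUpdate4"

	if _, err := AcceptUpdate(good, payload, sig, pub, host); err != nil {
		fmt.Println("genuine update:", err)
	} else {
		fmt.Println("genuine update: accepted")
	}

	// A single flipped byte (what an on-path attacker could do to an
	// unauthenticated download) must be rejected.
	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 0xff
	_, err := AcceptUpdate(good, tampered, sig, pub, host)
	fmt.Println("tampered payload:", err)

	_, err = AcceptUpdate("http://"+host+"/FileList/Swhttp/LiveUpdate4", payload, sig, pub, host)
	fmt.Println("plain HTTP source:", err)

	fmt.Printf("unverified path would have used %d bytes regardless\n", len(AcceptUpdateUnverified(tampered)))
}
```

The point of the split is that transport security alone (HTTPS) only authenticates the server the client happened to reach; the signature binds the payload to the vendor's signing key, so a spoofed mirror, a compromised CDN node, or a rogue "software-nas" on the LAN cannot substitute content without also holding that key.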

The updater is a standard tool among Gigabyte motherboards. Eclypsium has put together an extensive list of the affected models. There are up to 271 motherboards on the list, consisting of both Intel and AMD motherboards. Some models date back to AMD 400-series chipsets. Not even the latest Intel 700-series or AMD 600-series motherboards are safe, though.

Eclypsium has already shared its discoveries with Gigabyte, and the motherboard vendor is working on a solution to address the vulnerability. Ironically, the solution will likely arrive in updated firmware. Meanwhile, Gigabyte motherboard owners can take some measures to safeguard their systems.

Eclypsium recommends users disable the "APP Center Download & Install" feature inside the motherboard's firmware. The option is what initiates the updater. For good measure, users can implement a BIOS-level password to prevent unwanted, malicious activity. Last but not least, users can block the three sites that the updater contacts.
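Blocking or at least logging the three updater endpoints at the network boundary is the one mitigation that survives a CMOS reset or a firmware update re-enabling the option, and it works regardless of whether the request is made by the firmware's own network stack or by an OS-level process. The Go program below is an added example, not part of the article or of any vendor tool: it scans DNS query log lines and proxy access log lines and flags any client that resolves or fetches from an updater host. The log lines are constructed (dnsmasq-style and squid-style formats) and the client addresses are made up; the hostnames come from the page. Because "software-nas" is an unqualified name, a resolver appends the local search domain before querying, so the matcher also compares the leftmost label.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// Added example, not part of the article or of any vendor tool. The log
// lines below are constructed for this example; client addresses are made up.
const sampleLog = `May 31 09:12:01 gw dnsmasq[812]: query[A] mb.download.gigabyte.com from 192.168.1.20
May 31 09:12:01 gw dnsmasq[812]: query[A] software-nas.lan from 192.168.1.20
May 31 09:12:03 gw dnsmasq[812]: query[A] www.example.com from 192.168.1.30
1685524323.117    112 192.168.1.20 TCP_MISS/200 5120 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 - HIER_DIRECT/203.0.113.10 text/plain
1685524330.201     40 192.168.1.31 TCP_MISS/200 812 GET https://www.example.com/ - HIER_DIRECT/203.0.113.11 text/html`

// UpdaterHosts holds the hosts named in the article. "software-nas" is an
// unqualified name, so IsUpdaterHost also matches on the leftmost label.
var UpdaterHosts = []string{"mb.download.gigabyte.com", "software-nas"}

// Alert records one client that looked up or fetched from an updater host.
type Alert struct {
	Client string
	Host   string
	Source string // "dns" or "proxy"
}

// IsUpdaterHost reports whether a queried or requested name is one of the
// updater endpoints, ignoring case and a trailing dot.
func IsUpdaterHost(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	first := strings.SplitN(name, ".", 2)[0]
	for _, h := range UpdaterHosts {
		if name == h || first == h {
			return true
		}
	}
	return false
}

// FlagUpdaterTraffic scans mixed DNS and proxy log text and returns one
// alert per line that touches an updater host.
func FlagUpdaterTraffic(logText string) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// dnsmasq query log: "... query[A] <name> from <client>"
		if i := indexOf(f, "from"); i >= 2 && i+1 < len(f) && strings.HasPrefix(f[i-2], "query[") {
			if IsUpdaterHost(f[i-1]) {
				alerts = append(alerts, Alert{Client: f[i+1], Host: f[i-1], Source: "dns"})
			}
			continue
		}
		// squid native access log: "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
		if len(f) >= 7 && strings.HasPrefix(f[6], "http") {
			if u, err := url.Parse(f[6]); err == nil && IsUpdaterHost(u.Hostname()) {
				alerts = append(alerts, Alert{Client: f[2], Host: u.Hostname(), Source: "proxy"})
			}
		}
	}
	return alerts
}

func indexOf(fields []string, want string) int {
	for i, s := range fields {
		if s == want {
			return i
		}
	}
	return -1
}

func main() {
	for _, a := range FlagUpdaterTraffic(sampleLog) {
		fmt.Printf("%-6s %-14s -> %s\n", a.Source, a.Client, a.Host)
	}
}
```

Run against real logs, the DNS alerts are the more useful signal: a client that keeps resolving these names after the firmware option has supposedly been disabled tells you the setting did not stick, and the local search-domain variant of "software-nas" shows up as well, which a plain string match on the full name would miss.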

Zhiye Liu
RAM Reviewer and News Editor

Zhiye Liu is a Freelance News Writer at Tom’s Hardware US. Although he loves everything that’s hardware, he has a soft spot for CPUs, GPUs, and RAM.

  • drea.drechsler
    Great info in this article. I disabled the BIOS setting as soon as I could in my new Gigabyte board but with information the author provided I've also locked out those three update sites in my HOSTS file. That's so there's no chance of anything happening if I forget after a BIOS update or CMOS reset.

    But this practice is irresponsible IMO. The Asus board this Gigabyte one replaces did the same thing; there should be a proactive way to stop it completely.
  • Alvar "Miles" Udell
    Had that disabled since day one. The question is will Gigabyte actually do anything about it on Socket AM4 systems since they're discontinued, or will AMD secretly tell them not to to "encourage" people to upgrade...
  • drtweak
    Yea I always disable that and any kind of "Auto Install" that any MB does these days.
  • TechieTwo
    Is this incompetence or laziness?
  • King_V
    Alvar Miles Udell said:
    ... will Gigabyte actually do anything about it on Socket AM4 systems since they're discontinued, or will AMD secretly tell them not to to "encourage" people to upgrade...
    Oh, yeah. That's real plausible.

    /s
  • wujj123456
    drea.drechsler said:
    Great info in this article. I disabled the BIOS setting as soon as I could in my new Gigabyte board but with information the author provided I've also locked out those three update sites in my HOSTS file. That's so there's no chance of anything happening if I forget after a BIOS update or CMOS reset.
    HOSTS file is a Windows feature. UEFI has its own network stack not depending on OS. That's why it can download latest firmware even without booting into any OS. You need to block the sites on the router and that might require a decent router with firewall capability.
  • drea.drechsler
    wujj123456 said:
    HOSTS file is a Windows feature. UEFI has its own network stack not depending on OS. That's why it can download latest firmware even without booting into any OS. You need to block the sites on the router and that might require a decent router with firewall capability.
    Oh wow...I didn't think about UEFI being used for this.

    My router does have a firewall but I'm not familiar with using it. I guess that's something new to learn.
  • digitalgriffin
    For the NAS attack to work, your network will need a NAS on it that uses that URL, or your internal network compromised.
  • digitalgriffin
    For the network man-in-the-middle attack I think the DNS would have to be compromised.
  • RichardtST
    These incessant connections to the network are getting out of hand. My BIOS now automagically phones home too? Seriously? Time to start looking for a "whitelist" filter outbound firewall that only allows sites that I approve of... There has got to be a few out there. Any recommendations?