Gigabyte motherboards shipped with hidden firmware backdoor

More than 270 models at risk

Gigabyte shipped over 270 motherboard models with a hidden firmware backdoor, report


Researchers at cybersecurity firm Eclypsium have identified a potential backdoor-like behaviour on some Gigabyte systems in circulation, putting 271 distinct motherboard models at risk.

Firmware on the identified models was found to be initiating and running a Windows native executable during system startup, which insecurely downloads and executes additional payloads.

Although the hidden code is intended to serve as a harmless tool for updating the motherboard's firmware, researchers found that its implementation lacks proper security measures. An attacker could abuse this weakness to hijack the update mechanism and install malware in place of the intended firmware update.

The code in the Gigabyte systems uses similar techniques found in other OEM backdoor-like features, like the Computrace backdoor (aka LoJack DoubleAgent). It also bears similarities to firmware implants like Sednit LoJax, MosaicRegressor and Vector-EDK.

According to Eclypsium's investigation, the Gigabyte updater programme communicates with three distinct websites to check for firmware updates:

Eclypsium found that the updater downloads code to the user's system without adequate authentication.

Additionally, these downloads sometimes occur over HTTP instead of the more secure HTTPS protocol, potentially exposing users to the risk of a man-in-the-middle attack.

Besides establishing connections with the Internet, the updater has the ability to download firmware updates from a NAS device in the local network.

This introduces a potential risk, as a malicious actor could imitate the NAS and infect the victim's system with spyware or other malicious software.
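The two weaknesses described above (unauthenticated downloads, sometimes over plain HTTP, and the ability to fetch updates from an arbitrary NAS on the LAN) come down to one missing step: the updater never verifies where a payload came from or that it is the payload the vendor published. The following is an added example, not code from the article or from Gigabyte, that models the decision an update agent should make before executing anything it downloads. It assumes a trusted manifest digest delivered out of band (a stand-in for a vendor signature) and uses constructed placeholder hosts and payloads, since the article does not list the real update URLs.

```python
"""Added example: the authentication step the article says is missing.

Assumptions (not from the article): the vendor publishes a trusted SHA-256
digest of each update out of band; a real agent would verify a vendor
signature instead. Hosts, payloads and digests are constructed samples.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payload and the digest a trusted manifest would carry.
TRUSTED_PAYLOAD = b"FIRMWARE-UPDATE-SAMPLE-v1"  # constructed, not a real update
TRUSTED_SHA256 = hashlib.sha256(TRUSTED_PAYLOAD).hexdigest()

# Constructed placeholder allow-list; the real update hosts are not on the page.
ALLOWED_HOSTS = {"updates.example-vendor.invalid"}


def insecure_fetch_decision(url: str, payload: bytes) -> bool:
    """Models the behaviour the article describes: whatever comes back from
    the configured URL (vendor site or LAN NAS, HTTP or HTTPS) is run."""
    return True


def verified_fetch_decision(url: str, payload: bytes,
                            expected_sha256: str) -> tuple[bool, str]:
    """Hardened decision: enforce HTTPS, pin the download host, and refuse any
    payload whose digest does not match the trusted manifest."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        # Plain HTTP lets an on-path attacker substitute the payload.
        return False, "refused: transport is not HTTPS"
    if parsed.hostname not in ALLOWED_HOSTS:
        # Covers the spoofed-NAS case: a LAN address is never a valid source.
        return False, "refused: host is not an allowed update source"
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        # Transport alone is not enough; the content must match the manifest.
        return False, "refused: payload digest does not match manifest"
    return True, "accepted"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Evaluate the attack paths from the article against both decisions."""
    good_url = "https://updates.example-vendor.invalid/update.bin"
    scenarios = {
        "vendor_https_genuine": (good_url, TRUSTED_PAYLOAD),
        "vendor_http_downgrade": ("http://updates.example-vendor.invalid/update.bin",
                                  TRUSTED_PAYLOAD),
        "vendor_https_swapped": (good_url, b"attacker-substituted payload"),
        "lan_nas_spoofed": ("https://192.0.2.10/update.bin", TRUSTED_PAYLOAD),
    }
    results = {}
    for name, (url, payload) in scenarios.items():
        results[name] = verified_fetch_decision(url, payload, TRUSTED_SHA256)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:24s} hardened={reason:45s} "
              f"as-shipped={'executes' if insecure_fetch_decision('', b'') else 'refused'}")
```

Only the genuine payload over HTTPS from the pinned host is accepted; the HTTP downgrade, a swapped payload on an otherwise valid channel, and a LAN NAS impersonating the update source are each refused for a distinct, logged reason. The digest check is what makes the last two refusals independent of the transport, which is why a pinned digest or signature, not HTTPS alone, is the fix the article is pointing at.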

Since the UEFI code resides on the motherboard itself, any malware injected into the firmware can persist even if the drives are wiped and the operating system is reinstalled. This persistence of malware within the firmware poses a significant challenge for complete eradication and requires specialised measures to ensure thorough removal.

Eclypsium has compiled a comprehensive list of the affected models, which includes up to 271 motherboards encompassing both Intel and AMD platforms.

This list includes models dating back to AMD 400-series chipsets. Notably, even the latest Intel 700-series and AMD 600-series motherboards are not exempt from this vulnerability, highlighting the broad scope of the issue.

Eclypsium initially detected the anomaly in April. Gigabyte has acknowledged and taken steps to address the issue. The two companies are working together to address the insecure implementation and improve the affected systems' overall security.

Individuals and organisations should exercise caution when using Gigabyte systems with the affected motherboards.

As a precautionary measure, concerned parties can block access to the URLs mentioned earlier, which are utilised to check for updates.

Doing so can mitigate some of the potential risks associated with the insecure implementation, while waiting for Gigabyte to issue a fix.

Users are also advised to take the following precautions: