Gigabyte shipped hundreds of models of motherboards with a hidden firmware backdoor

Shawn Knight

Facepalm: Firmware security services provider Eclypsium recently detected what it described as suspected backdoor-like behavior on some Gigabyte systems in the wild. A follow-up analysis revealed Gigabyte is using code in motherboard firmware to quietly run an updater program that connects to the Internet to download and subsequently install firmware updates.

The hidden backdoor could allow hackers to install malware on a system.

It may not sound like a big deal – heck, some might even applaud Gigabyte for wanting to ensure users have the latest firmware – but there are some issues with the company's methods. According to Eclypsium, code is downloaded to users' computers without being properly authenticated. What's more, downloads occasionally happen over HTTP instead of the more secure HTTPS, which could leave you vulnerable to a man-in-the-middle attack.

There is also the issue that Gigabyte's actions are simply going to rub some people the wrong way, even if the board maker had the best of intentions. At the end of the day, they are still using a hidden mechanism to silently download and install code from the Internet without your knowledge or consent.

Others will argue that the whole thing is not that big of a deal, and that tech companies issue firmware updates all the time. What's your take on the matter? Personally, I wouldn't be thrilled about a company updating my motherboard's firmware without my approval. What if the new firmware wasn't compatible with my hardware, or messed up my overclock?

Eclypsium said it is working with Gigabyte to address the insecure implementation of the feature. For what it's worth, Eclypsium found the backdoor on over 260 Gigabyte boards. The full list of affected motherboards has been published for your convenience.

In the meantime, concerned parties can block access to the following URLs that get pinged to check for updates:

  • http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://software-nas/Swhttp/LiveUpdate4

Uneasy Gigabyte board users are also encouraged to check their UEFI / BIOS for an App Center Download & Install feature, and disable it if the option exists. It might not be a bad idea to also scan your system for malware.
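
As an added example (not from Eclypsium, Gigabyte, or the original article), this Python check scans proxy logs for requests to the three update URLs listed above and separates plaintext-HTTP hits, which are the ones exposed to man-in-the-middle tampering. The log line format, client addresses, and the `PLACEHOLDER` path segment are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Update-check URLs copied from the article's block list.
BLOCKLIST = [
    "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://software-nas/Swhttp/LiveUpdate4",
]

def _key(url):
    """Normalize a URL to (scheme, host, path) so case and trailing '/' do not matter."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path.rstrip("/")

RULES = {_key(u) for u in BLOCKLIST}

def classify(url):
    """Return 'updater-cleartext', 'updater-https', or None for one requested URL."""
    scheme, host, path = _key(url)
    for r_scheme, r_host, r_path in RULES:
        same_origin = (scheme, host) == (r_scheme, r_host)
        # Match the listed path itself or anything beneath it, but not
        # look-alike siblings such as ".../LiveUpdate40".
        if same_origin and (path == r_path or path.startswith(r_path + "/")):
            return "updater-cleartext" if scheme == "http" else "updater-https"
    return None

def scan(log_lines):
    """Return (client, url, verdict) for each line that hits a listed URL.
    Assumed format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits

# Constructed sample proxy log, not real traffic.
SAMPLE_LOG = [
    "2023-06-01T08:00:01Z 10.0.0.21 GET http://MB.download.gigabyte.com/FileList/Swhttp/LiveUpdate4/PLACEHOLDER 200",
    "2023-06-01T08:00:05Z 10.0.0.22 GET https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 200",
    "2023-06-01T08:00:09Z 10.0.0.23 GET https://software-nas/Swhttp/LiveUpdate4/ 503",
    "2023-06-01T08:00:12Z 10.0.0.24 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate40 404",
    "2023-06-01T08:00:15Z 10.0.0.25 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

For HTTPS traffic through a proxy that does not intercept TLS, only the hostname is visible, so match on `mb.download.gigabyte.com` alone in that case.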


 
I’m relieved to not see any Z390 boards listed, though I don’t think any new BIOS updates have been released for several years on my board.

In my opinion, though, it is absolutely unacceptable for a MB vendor to run something that can update the firmware without user knowledge, much less consent!

I’ll have to reconsider whether my next MB will be a Gigabyte board.
 
Firmware backdoor, and internet connected too, hacker paradise if that gets opened, rootkit galore for your poor pc.

A reminder that every one of the 4 brands has faults, and that the whole Asus debacle was just a good reminder of that (major brands that is), and having 4 brands with a chokehold on consumer motherboards is far from great for anyone (well apart from all the manufacturers who just rake the cash)
 
I’m relieved to not see any Z390 boards listed, though I don’t think any new BIOS updates have been released for several years on my board.

In my opinion, though, it is absolutely unacceptable for a MB vendor to run something that can update the firmware without user knowledge, much less consent!

I’ll have to reconsider whether my next MB will be a Gigabyte board.
Especially considering the poor QA standards for firmware updates across the board, usually you want to wait before updating
 
Fortunately, the X570 Aorus Elite (Rev 1.0) I used to build my wife's system is not on this list. It does make me wonder, though, if there are any models that are not on the list and should be.

This has me re-thinking my plans to use a GB motherboard in any of my next builds. IMO, this is not tolerable, and not acceptable even if they had the best of intents. As that saying goes, "The road to hell is paved with good intent." I think that's definitely the case here, especially since there would be little any owner of one of these MBs could do to stop a malicious exploitation of the situation.
 
Ok. Recommending to disable their software in the BIOS basically says to me this only happens if that option is enabled. Asus has Armory Crate that can auto install itself too if it's not disabled, and that program also checks for firmware updates for your board. I highly doubt these Gigabyte boards, with the software auto install turned off in BIOS, are installing anything at all on anyone's computer, let alone this "backdoor." I also highly doubt their software is auto installing these said firmware updates. Show me a report.

Lastly, Windows Update also installs firmware updates, most of which were optional and you have to force, but they don't mess with the BIOS itself. This whole article is nothing to be concerned with lol. You don't want something doing something on the internet behind your back? Don't install it. The motherboard isn't executing these actions on its own. It needs software.
 
Gigabyte shipped hundreds of models of motherboards with a hidden firmware backdoor, as opposed to competition which have open-source firmware backdoor.
 
"Gigabyte board users are also encouraged to check their UEFI / BIOS for an App Center Download & Install feature" so no big deal for me, I always block this feature on all my builds for me or my customers
 
"Others will argue that the whole thing is not that big of a deal, and that tech companies issue firmware updates all the time. What's your take on the matter? Personally, I wouldn't be thrilled about a company updating my motherboard's firmware without my approval. What if the new firmware wasn't compatible with my hardware, or messed up my overclock?"

lol basically what Microsoft has been doing with Windows all along, update Windows = not working printers, buggy deleting files etc lol
 
So a disgruntled employee, a competitor, or a hacker with an exploit who got control of the download server could brick millions of Gigabyte systems via a mechanism that Gigabyte is solely responsible for given the lack of disclosure or consent from the end user or any other party. I assume this would put Gigabyte out of business overnight, and/or destroy their brand reputation.

What was the benefit Gigabyte thought they were getting that makes this risk worth it?

~
 
Gigabyte's factories are based in China. Is this another backdoor into spying on people's PCs that the communists have engineered? 🤷‍♂️🙄🤨
 
Notably, it's a backdoor inserted in Windoze via an EFI feature of Windoze. So not a backdoor of the firmware. It has no effect on other OSes.
 
Well what if all mobos have back doors; and we just haven't been told?

Exactly so. It's the same when you hear that 3-letter agencies have an open access to any iPhone. What about Android? The article doesn't mention it. So, it's a biased article. But you can bet your horse (you do have a horse, right?) that Android has even more security holes. Even though it's allegedly "open source".

But you don't really see the exact source code of the firmware already in the phone. Nor can you see the exact source code of the update. All the little changes different from the publicly available code stay hidden. Legally speaking, they should be published. In an ideal world. We just need to find that ideal world and move there.
 