Millions of PC Motherboards Were Sold With a Firmware Backdoor

erek ([H]F Junkie; joined Dec 19, 2005; 10,785 messages)
Hmm 🤔 🧐 🤨

“Given the millions of potentially affected devices, Eclypsium’s discovery is “troubling,” says Rich Smith, who is the chief security officer of supply-chain-focused cybersecurity startup Crash Override. Smith has published research on firmware vulnerabilities and reviewed Eclypsium’s findings. He compares the situation to the Sony rootkit scandal of the mid-2000s. Sony had hidden digital-rights-management code on CDs that invisibly installed itself on users’ computers and in doing so created a vulnerability that hackers used to hide their malware. “You can use techniques that have traditionally been used by malicious actors, but that wasn’t acceptable, it crossed the line,” Smith says. “I can’t speak to why Gigabyte chose this method to deliver their software. But for me, this feels like it crosses a similar line in the firmware space.”

Smith acknowledges that Gigabyte probably had no malicious or deceptive intent in its hidden firmware tool. But by leaving security vulnerabilities in the invisible code that lies beneath the operating system of so many computers, it nonetheless erodes a fundamental layer of trust users have in their machines. “There’s no intent here, just sloppiness. But I don’t want anyone writing my firmware who’s sloppy,” says Smith. “If you don’t have trust in your firmware, you’re building your house on sand.””

Source: https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/
 
My Asus board has a similar-looking service… I may investigate it as well. I suspect that Gigabyte purchased themselves a canned updater and I bet it's in use in more than one place.
 
As if anything coming out of China doesn't have a backdoor in it? This is expected and normal.

It's actually more difficult to insert a backdoor during the manufacturing process in a way that doesn't get discovered by the designer during random sampling than most people would guess.

This is why there is a huge difference between "made in China" and "designed in China".

I would prefer to avoid China at all in the supply chain of my electronics, but that is unfortunately next to impossible right now.

As long as you stick to western designed stuff even though it is manufactured in China, you are quite a bit safer from this bullshit.
 
It's actually more difficult to insert a backdoor during the manufacturing process in a way that doesn't get discovered by the designer during random sampling than most people would guess.

This is why there is a huge difference between "made in China" and "designed in China".

I would prefer to avoid China at all in the supply chain of my electronics, but that is unfortunately next to impossible right now.

As long as you stick to western designed stuff even though it is manufactured in China, you are quite a bit safer from this bullshit.

Yeah, like how the US government had tens of thousands of compromised Cisco network devices just a few years ago. If it exists, there's a back door for somebody.
 
It's actually more difficult to insert a backdoor during the manufacturing process in a way that doesn't get discovered by the designer during random sampling than most people would guess.

This is why there is a huge difference between "made in China" and "designed in China".

I would prefer to avoid China at all in the supply chain of my electronics, but that is unfortunately next to impossible right now.

As long as you stick to western designed stuff even though it is manufactured in China, you are quite a bit safer from this bullshit.

Western designed or Eastern designed, the only difference it makes is who is getting your data and who has access to the back doors.
 
Yeah, like how the US government had tens of thousands of compromised Cisco network devices just a few years ago. If it exists, there's a back door for somebody.

And they probably did it with a national security letter. Cisco would have to have been aware of that one but, being subject to U.S. law, was forced to comply with the national security letter and also forced not to disclose its existence.

As I recall the Cisco products were specifically targeted at certain customers as well. Not just inserted in every unit.

What I am saying is that a Chinese manufacturer would have a difficult time inserting something like this en masse without the non-Chinese designer noticing. They could do a few, but eventually it would be noticed that the firmware checksums didn't line up, or something like that.

Gigabyte being a Taiwanese electronics company is not subject to Chinese intelligence orders. I don't know the extent to which they have manufacturing in China. Their manufacturers in China may be forced to do something, but every company does sampling of the products manufactured for them, so eventually it would be caught.

So it's not impossible something like this might happen, but it would probably be caught rather quickly if done in large enough numbers to be truly useful as a broad spectrum spying tool.

This is why the governing jurisdiction a designer of a product is subject to is so important.

The more likely way something like this happens is in a targeted fashion. Hardware headed for specific customers is intercepted on the way and has special firmware flashed to it, and is then packed back up to look like new. This way you avoid the regular quality sampling. Sucks for the target, but your typical customer is unaffected by the vulnerability.

What Gigabyte did seems to just have been really stupid incompetence at some level, which, having dealt with them in the past, doesn't surprise me.

While it wouldn't have helped in this case, all of this does, however, reinforce how it is a good idea to re-flash all firmware on all devices you buy before use, even if brand new from sealed packages, and especially if used.
 
Feels a bit of a step: a motherboard company keeping a way to push emergency firmware does not turn the client into a product.
 
This is completely unacceptable. Even if we put aside that it was implemented poorly (i.e. if it's making a standard HTTP connection, not using encryption to verify both the destination and the validity of any firmware sent down the line, etc.), the core idea of having a secret, autonomous, (proprietary) firmware-bound updating tool enabled by default (can it be verified disabled?) that just randomly downloads and installs things from outside the purview of the user is insane. I don't think that Gigabyte (and whomever writes their BIOS/UEFI firmware) was necessarily malicious, but the idea that something like a firmware update should take place automatically and outside the view of the owner/admin just doesn't make any sense (even putting aside the ghastly implementation). Changing firmware can have significant ramifications, and if an owner/admin wants to automate it (like in a business environment) there are ways to do that that are far more secure than the cumbersome one-size-fits-nobody attempt here.

This is all the more reason why we need to continually demand that enthusiast and mainstream hardware (to prevent it being something that first/only comes to enterprise) eliminate all of these hardware and firmware black-box components. Intel ME and (to a lesser degree) AMD PSP have been sticking points for years, as have proprietary BIOS/UEFI and init requirements, AGESA and the like. Last month AMD talked about a future with OpenSIL and that's certainly promising. Note that things being open is not necessarily a panacea (you can still have a vulnerability, etc.), but it's much easier than having everything locked up as proprietary secret sauce and only visible to a choice few.

My Asus board has a similar-looking service… I may investigate it as well. I suspect that Gigabyte purchased themselves a canned updater and I bet it's in use in more than one place.
Maybe mine is a bit older, but last I checked Asus offered a firmware downloader as part of their Windows utility kit (mostly bloatware like Armoury Crate, etc.), but that's within the OS. As far as from the BIOS/UEFI, there's a manual install which requires you to download a firmware file, stick it in the root of a USB drive, and then boot to the BIOS/UEFI to verify and install. I am not sure if there is anything that's even a direct download from within the BIOS/UEFI, but if there is it certainly is not automatic and the user needs to invoke it; I'll have to check if there's anything like this on my X99 kit, but the rebuilds for AMD X570 and X670E may differ. I sure as hell hope they don't do anything this stupid, but even after the recent techtuber over-fixation on Asus boards, one would have thought that if there was an automatic firmware updater as it's described here with Gigabyte, it wouldn't have been such an issue, as all the firmware/AGESA updates would have been surreptitiously and quickly pushed without user intervention if that was the default? I should take a look anyway though.
 
Do they even use it (for the firmware at least)? Even during the AM5 voltage issue, with motherboards at risk of blowing up, was it used to push an update to everyone?
 
High end server boards too?
Don't see any on the list; their business and enterprise components don't do any of the auto-update stuff that the consumer and prosumer stuff does.
 
Well, my board's on the affected list (Gigabyte B460M-DS3H Rev 1.0), so I guess I just wait for the fix whenever it comes from Gigabyte, though I don't use the BIOS or Gigabyte Software Center or anything like that.
 
Well, my board's on the affected list (Gigabyte B460M-DS3H Rev 1.0), so I guess I just wait for the fix whenever it comes from Gigabyte, though I don't use the BIOS or Gigabyte Software Center or anything like that.

I only skimmed the article, but the real risk here seems to be that a man-in-the-middle attack is used, posing as the update server that the Gigabyte firmware checks, making the machine install malware.

If you can find the domain name or IP it connects to (either by reading more articles or monitoring network activity), the best thing to do would probably be to temporarily firewall off that address on your router, and wait for an update that hopefully comes some day.
 
I only skimmed the article, but the real risk here seems to be that a man-in-the-middle attack is used, posing as the update server that the Gigabyte firmware checks, making the machine install malware.

If you can find the domain name or IP it connects to (either by reading more articles or monitoring network activity), the best thing to do would probably be to temporarily firewall off that address on your router, and wait for an update that hopefully comes some day.
Thanks to the MSI data breach, isn't such an attack even more viable now?
Couldn't somebody use the leaked signed keys to create a "Gigabyte signed" update and push that out over a simple DNS hijacking attack?
It wouldn't affect AMD-based Gigabyte boards, but it would the millions of Intel-based ones.
If things keep going the way they are Intel may be forced to revoke those leaked keys which will create a huge mess for MSI and the users who have them in their systems.
 
Yeah, I'll have to check around for articles and see if I can find an IP it connects to and block it via firewall, though so far I haven't seen any, unless I missed it in the articles I've read so far.

Meanwhile, just be as careful as I can, and just wait, I suppose, if I don't see what to block to protect me till the fix is out at some point. But with this many boards, I don't think the fix will be out too quickly, as far as I know.
 
Yeah, I'll have to check around for articles and see if I can find an IP it connects to and block it via firewall, though so far I haven't seen any, unless I missed it in the articles I've read so far.

Meanwhile, just be as careful as I can, and just wait, I suppose, if I don't see what to block to protect me till the fix is out at some point. But with this many boards, I don't think the fix will be out too quickly, as far as I know.
Not an IP, but these DNS entries
The firmware does not implement any cryptographic digital signature verification or any other validation over the executables. The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers). As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.
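The Eclypsium finding quoted above, that the updater accepts whatever the update host returns without any cryptographic verification, is easiest to see next to what a verifying updater does. The Go program below is an added example written for this thread; it is not Gigabyte's or Eclypsium's code. The manifest format, the placeholder host name updates.example.invalid and the Ed25519 vendor key pinned in firmware are assumptions, and the keys and payloads are generated in-process as constructed test data. It runs four downloads (genuine; executable body swapped in transit; attacker-served manifest; a validly signed manifest downgraded to plain HTTP) through a model of the unchecked updater and through a hardened one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the metadata a hardened updater fetches before the payload.
// Constructed format for this example; it is not Gigabyte's real update protocol.
type Manifest struct {
	URL       string // download location; the hardened path insists on https://
	SHA256    string // hex SHA-256 of the expected payload
	Signature []byte // Ed25519 signature over URL|SHA256 made with the vendor key
}

// signingInput binds the URL and the payload digest together under one signature.
func signingInput(m Manifest) []byte {
	return []byte(m.URL + "|" + m.SHA256)
}

// SignManifest stands in for the vendor's release tooling (assumed here).
func SignManifest(priv ed25519.PrivateKey, m *Manifest) {
	m.Signature = ed25519.Sign(priv, signingInput(*m))
}

// VulnerableAccept models the behaviour described in the thread: whatever comes
// back from the update host is written to disk and run. Neither the transport
// nor the bytes are checked, so a MITM or a compromised host is enough.
func VulnerableAccept(url string, payload []byte) error {
	if len(payload) == 0 {
		return errors.New("empty payload")
	}
	return nil // accepted: no TLS requirement, no digest, no signature
}

// HardenedAccept is the check the firmware-side updater should perform: TLS-only
// URL, manifest signed by the key pinned in firmware, payload matching the signed
// digest. A substituted binary fails the digest comparison even if it carries a
// valid Windows code-signing signature of its own.
func HardenedAccept(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !strings.HasPrefix(m.URL, "https://") {
		return errors.New("refusing non-TLS update URL")
	}
	if !ed25519.Verify(pinned, signingInput(m), m.Signature) {
		return errors.New("manifest not signed by the pinned vendor key")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest does not match signed manifest")
	}
	return nil
}

// Outcome records whether each updater would have executed the payload.
type Outcome struct {
	Vulnerable bool
	Hardened   bool
}

// RunScenarios plays the genuine download and three tampering cases through both
// updaters. Keys and payloads are generated here as constructed test data.
func RunScenarios() (map[string]Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	const updateURL = "https://updates.example.invalid/tool.exe" // placeholder host
	genuine := []byte("GENUINE-TOOL-BYTES")
	swapped := []byte("ATTACKER-SUPPLIED-BYTES")

	goodDigest := sha256.Sum256(genuine)
	good := Manifest{URL: updateURL, SHA256: hex.EncodeToString(goodDigest[:])}
	SignManifest(vendorPriv, &good)

	evilDigest := sha256.Sum256(swapped) // attacker-run host serves its own manifest
	evil := Manifest{URL: updateURL, SHA256: hex.EncodeToString(evilDigest[:])}
	SignManifest(attackerPriv, &evil)

	plain := good // vendor-signed manifest whose URL is plain HTTP
	plain.URL = "http://updates.example.invalid/tool.exe"
	SignManifest(vendorPriv, &plain)

	run := func(m Manifest, payload []byte) Outcome {
		return Outcome{
			Vulnerable: VulnerableAccept(m.URL, payload) == nil,
			Hardened:   HardenedAccept(vendorPub, m, payload) == nil,
		}
	}
	return map[string]Outcome{
		"genuine":          run(good, genuine),
		"swapped_payload":  run(good, swapped), // body replaced in transit
		"attacker_manifest": run(evil, swapped), // whole response replaced
		"plain_http":       run(plain, genuine), // interceptable transport
	}, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	for name, o := range out {
		fmt.Printf("%-18s vulnerable runs it: %-5v hardened runs it: %v\n", name, o.Vulnerable, o.Hardened)
	}
}
```

The digest check is the point the quoted paragraph makes about Windows code signing: an OS-level signature says a binary came from a trusted publisher, not that it is the binary this update was supposed to deliver, so an updater that relies on it alone can be fed a different, legitimately signed executable. Pinning the vendor key in firmware and signing a per-release digest closes that gap; requiring TLS removes the plain-HTTP interception path the thread describes.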
 
...Crash Override...
Getting flashbacks to the latest Pentium chips, and Angelina Jolie's b00bies

Employer was acquired about a year ago. We used to be a Lenovo shop.
New company (rightly or wrongly) refuses to use them due to potential security risks; only Dells are allowed
 
The following is one the recommendations that Eclypsium Labs issued in its blog: Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes.
—https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/

Do those of you with an affected motherboard have the option "APP Center Download & Install" (or possibly a similarly named option) in the firmware settings?
 
Getting flashbacks to the latest Pentium chips, and Angelina Jolie's b00bies

Employer was acquired about a year ago. We used to be a Lenovo shop.
New company (rightly or wrongly) refuses to use them due to potential security risks; only Dells are allowed
Lenovo has been a pain in my ass for many years. Dell from a corporate standpoint is much easier to deal with, I can't say security wise one is terribly different from another but I do know that Dell has been very good with security updates for BIOS' and such.
 
Lenovo has been a pain in my ass for many years. Dell from a corporate standpoint is much easier to deal with, I can't say security wise one is terribly different from another but I do know that Dell has been very good with security updates for BIOS' and such.
Forgot to add that we were a Lenovo shop for laptops, but Dell for desktops (very limited number).
It is indeed quite something to see up-to-date Spectre/Meltdown fixes for old (790, 7010, 7020, etc.) OptiPlexes!
 
So when you enable an option in the BIOS to download & install this "app center", the PC proceeds to download and install said piece of software (when running Windows)?

Meh.
 
So when you enable an option in the BIOS to download & install this "app center", the PC proceeds to download and install said piece of software (when running Windows)?

Meh.
Correct-ish. It doesn't download and install the software. My sim racing PC has a Gigabyte board that does this.

Live Update is like a little launcher for all Gigabyte's programs: RGB shit (this one can install without Live Update), SIV, fan controller, BIOS updater, programs like that.

There's a setting in the BIOS (on by default) that puts up a nag screen on Windows boot to download Live Update. It does not download without confirmation; the BIOS setting just does the nag.
 
Getting flashbacks to the latest Pentium chips, and Angelina Jolie's b00bies

Employer was acquired about a year ago. We used to be a Lenovo shop.
New company (rightly or wrongly) refuses to use them due to potential security risks; only Dells are allowed
Dade's gonna be pissed someone stole his handle....
HACK THE PLANET!!

bet if we look hard enough we'd find shady shit in everything produced over there, and if it was made of here, someone would be doin it too....
back doors for everyone!
You hacked the Gibson then or what? Hmm 🤔 🧐
 
Well, F me sideways... just when I switched to a Gigabyte motherboard (of course mine is on the list).
Kinda funny. I always went with the main front runners. My latest build is the first time I went with a "no-name" brand in my 25+ years of building computers.
 