Gigabyte Motherboards Widely Exposed To A Hidden Backdoor, Company Rushes To Issue BIOS Fix

Eclypsium, a cybersecurity firm specializing in firmware, has discovered a hidden backdoor on several Gigabyte motherboards which may lead to malware getting installed on your system.
The firmware contains code that, during system startup, launches an updater program which, if necessary, connects to the internet and downloads the most recent version of the firmware for the motherboard. Eclypsium indicated that Gigabyte's implementation is dangerous and that hackers may use the vulnerability to infect the victim's PC with malware. Removing the updater isn't an option here since it lives in the motherboard's firmware.
The flaw was identified in a Windows startup program attempting to update the UEFI firmware. This executable downloaded the software from an unsafe Gigabyte server and installed it without proper authentication. According to the research blog post, this security flaw might allow hackers to leverage the OEM backdoor to install malicious software like implants, either directly onto a user's computer or by infiltrating Gigabyte's server.
According to Eclypsium, the updater downloads the code to the user's PC without the required authentication. It doesn't use any additional validation techniques or cryptographic digital signature verification. Consequently, web connections are prone to Machine-in-the-Middle (MITM) attacks, compromising the data transfer with Gigabyte's server.
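As an added illustration (not Gigabyte's or Eclypsium's code), here is how a Windows updater can refuse a download that lacks a valid signature from a pinned publisher, the check described above as missing. The function names, the example URL and the thumbprint placeholder are assumptions made for this sketch.

```powershell
# Added example: fail-closed verification of a downloaded update before it runs.
# $ExpectedThumbprint is an assumption: the vendor signing-certificate
# thumbprint, obtained out of band and pinned by the operator.
function Test-UpdatePayload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a trusted root. NotSigned, HashMismatch etc. are rejected.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejected ${Path}: signature status is $($sig.Status)"
        return $false
    }
    # A valid signature from any publisher is not enough: pin the signer.
    $pinned = $ExpectedThumbprint -replace '\s', ''
    if ($sig.SignerCertificate.Thumbprint -ne $pinned) {
        Write-Warning "Rejected ${Path}: unexpected signer $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

function Install-VerifiedUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]    $Uri,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    # Plain HTTP gives a machine-in-the-middle full control of the payload.
    if ($Uri.Scheme -ne 'https') { throw "Refusing non-HTTPS update source: $Uri" }
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.exe')
    try {
        Invoke-WebRequest -Uri $Uri -OutFile $tmp -UseBasicParsing
        if (-not (Test-UpdatePayload -Path $tmp -ExpectedThumbprint $ExpectedThumbprint)) {
            throw "Update from $Uri failed signature verification; not executed"
        }
        Start-Process -FilePath $tmp -Wait
    }
    finally {
        # Never leave an unverified binary behind on disk.
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

# Usage with placeholder values (constructed, not real vendor data):
# Install-VerifiedUpdate -Uri 'https://updates.example.invalid/updater.exe' `
#                        -ExpectedThumbprint '<PINNED-THUMBPRINT>'
```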
Eclypsium found that the updater was not only able to access the Internet but also a local NAS (Network Attached Storage) device for firmware updates which could also lead to spoofing attacks. The firm's research reveals that the Gigabyte updater application interacts with three separate websites for firmware updates:
The firm has also published an extensive list of the affected models. The list contains several Gigabyte motherboards, with older models such as the AMD-400 series widely affected; however, the issue doesn't seem to affect the newer AMD-600 series and Intel-700 series models.
If you are worried about this problem, you shouldn't be, as Gigabyte has your back. The company has released a new BIOS update to fortify the verification process. Here is what the company has changed:
Although Gigabyte didn't say that the BIOS update addresses the backdoor problem, the changes hint that Gigabyte noticed the issue. Gigabyte has also released the BIOS update for older motherboards such as the Intel 500/400 and AMD 600 series, hence covering most of its consumer base.
Apart from the Gigabyte BIOS update, Eclypsium has provided some temporary fixes if you want immediate results. The firm suggests users disable the "APP Center Download & Install" feature inside the motherboard's firmware to prevent updates from getting installed automatically. Users can set up a BIOS-level password for extra security to stop unwanted activity. You can also block the three websites mentioned above to prevent your updater from accessing them.