Gigabyte Motherboards Found to Have Security Backdoor, Reveals Eclypsium

The security company Eclypsium has revealed that Gigabyte motherboards have a backdoor that few users know about.

Almost 300 cards on the list

The reason must be that the company wants to be able to quickly update the motherboard firmware, but according to John Loucaides from Eclypsium, the manufacturer has not done enough to secure access. The security company has one just a list of affected motherboards (271) – the list includes B, H, Z and X series motherboards from the stor manufacturer.

To Wired, Loucaides states that “if you have one of these machines, you have to worry about the fact that it basically fetches something from the web and runs it without you being involved, and that this is not done in a secure way,” explains the security expert and adds that “the concept of going around the end user and taking over their machine is something most people don’t like very much.”

“Transfer not secure”

It was during a general check of BIOS security that the researchers came across the discovery. It is actually the case that Gigabyte transfers an executable file to Windows machines, which runs when the OS starts. Then the small program (%SystemRoot%system32GigabyteUpdateService.exe) downloads and runs the code from Gigabyte to update the motherboards. It is in the download section that Eclypsium believes that security is not present.

Depending on your setup, the program downloads updates from mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4, mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 or software-nas/Swhttp/LiveUpdate4.

We noticed that even when using the HTTPS enabled options, remote server certificate validation is not implemented correctly. Therefore, “Machine-in-the-middle” attacks are also possible in this case.

Eclipse

The “APP Center Download & Install” function in BIOS/UEFI must be active for such installations to take place. The strange thing is that the feature “appears to be disabled by default, but it was enabled on the systems we examined.”

If you have one of the cards on the list, you may want to disable the APP download function if it is switched on and you prefer to be in control yourself.