Researchers uncover firmware backdoor in hundreds of Gigabyte motherboards

Eclypsium has discovered a major firmware issue in over 270 Gigabyte motherboards

The research firm Eclypsium has revealed that hundreds of Gigabyte motherboards contain a hidden mechanism within their firmware that could be exploited by hackers. This hidden feature is designed to keep the motherboard’s firmware updated, but Eclypsium found that the mechanism was implemented insecurely, and that the feature could be hijacked by attackers to install malware instead of Gigabyte’s intended software.

     Recently, the Eclypsium platform began detecting suspected backdoor-like behavior within Gigabyte systems in the wild. These detections were driven by heuristic detection methods, which play an important role in detecting new, previously-unknown supply chain threats, where legitimate third-party technology products or updates have been compromised. Our follow-up analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable during the system startup process, and this executable then downloads and executes additional payloads insecurely. It uses the same techniques as other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) abused by threat actors and even firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK. Subsequent analysis showed that this same code is present in hundreds of models of Gigabyte PCs. We are working with Gigabyte to address this insecure implementation of their app center capability.  

In their Blog post revealing the exploit, Eclypsium confirmed that 271 Gigabyte motherboards are affected by this flaw, and their list of affected motherboards includes both AM5 and AM4 AMD motherboards and Intel 300, 400, 500, 600 and 700 series motherboards. A full list of affected motherboards is available here.

Eclypsium believes that Gigabyte motherboards will require a firmware update to completely remove the unintentional flaw within Gigabyte’s affected motherboards, and that there is currently no evidence that hackers have been able to exploit this security vulnerability at this time.

Discussing the issue, Eclypsium’s head of strategy and research, John Loucaides, said the following.

     If you have one of these machines, you have to worry about the fact that it’s basically grabbing something from the internet and running it without you being involved, and hasn’t done any of this securely,

The concept of going underneath the end user and taking over their machine doesn’t sit well with most people.

When researching Gigabyte’s motherboards, Eclypsium found that Gigabyte’s insecure update mechanism contained some major vulnerabilities that allow it to be hijacked by hackers. The tool downloads code to a user’s machine without proper authentication, and was found to sometimes download code from unprotected HTTP connections, rather than more secure HTTPS connections. These traits make man-in-the-middle (MITM) attacks possible, if hackers are able to spoof an installation source and intercept a user’s internet connection. 

Eclypsium has confirmed that they have been working with Gigabyte to address these security concerns, and that Gigabyte has plans to address these security flaws. That said, it remains to be seen how quickly Gigabyte will be able to implement a firmware fix, and how quickly this fix will be rolled out to affected motherboards.

While it is clear that Gigabyte did not intend to make their motherboards vulnerable, it is concerning that Gigabyte’s hidden firmware updating tool was implemented in such an insecure way. Hopefully Gigabyte will be able to roll out a firmware fix soon, and that other motherboard manufacturers will learn from this event and not make similar mistakes.

Eclypsium’s full blog post on this Gigabyte security vulnerability is available to read here.

You can join the discussion on researchers uncovering a firmware backdoor in Gigabyte’s motherboards on the OC3D Forums.