
Gigabyte Motherboards Affected by Firmware Backdoor, Over 250 Models Impacted

winjer

Gold Member

This security vulnerability encompasses a wide range of models containing both Intel and AMD chipsets, inclusive of the newest Z790 and X670 units. The issue stems from a poorly secured updater program utilized by Gigabyte to maintain firmware currency.

Eclypsium, a cybersecurity research company, recently identified a firmware backdoor impacting 271 Gigabyte motherboard models. During a fresh Windows installation, users might encounter a program suggesting a download of the latest driver or firmware. Regrettably, this seemingly harmless program can potentially serve as a conduit for malevolent entities.
Upon each system restart, firmware-embedded code activates an updater program, connecting to the internet to search and download the newest motherboard firmware. According to Eclypsium, Gigabyte's approach to this updater program lacks the requisite security, offering a potential entry point for malicious software installations on susceptible systems. The complexity arises from the fact that this updater is ingrained in the motherboard's firmware, hence posing a challenge for consumer elimination.

The usage of such updater programs is not exclusive to Gigabyte, as other motherboard manufacturers incorporate similar methodologies, bringing into question the overall security of these systems. Asus' Armoury Crate software, for instance, operates similarly to Gigabyte's App Center. Eclypsium's analysis shows that Gigabyte's updater connects with three distinct sites for firmware updates:

The cybersecurity firm established that Gigabyte's updater downloads code to the user's system devoid of proper authentication, lacking cryptographic digital signature confirmation or alternative validation procedures. As a result, both HTTP and HTTPS connections remain vulnerable to Machine-in-the-Middle (MITM) attacks, with HTTP connections being especially susceptible. Additionally, beyond its online connections, the updater was found to download firmware updates from a local network's NAS device, creating potential for a harmful actor to impersonate the NAS and infect the user's system with spyware.


The updater comes as a standard tool in Gigabyte motherboards. Eclypsium has provided an extensive list of the impacted models, which consists of 271 motherboards from both Intel and AMD chipsets. These models span from older AMD 400-series chipsets to the most recent Intel 700-series and AMD 600-series motherboards, which are also affected by this issue.

Eclypsium has communicated its findings to Gigabyte, and the company is actively seeking a resolution to this issue, likely to be implemented via a firmware update. While this is being addressed, Gigabyte motherboard owners can take precautionary steps to safeguard their systems.

It is advisable, as per Eclypsium, to disable the "APP Center Download & Install" feature within the motherboard's firmware to deactivate the updater. Additionally, users can implement a BIOS-level password as a protective measure against unauthorized and harmful activities. Lastly, users can block the three aforementioned sites that the updater connects with.

List of affected products here:
https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf


 
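The weakness the post describes is an updater that applies whatever it downloads, with no signature check and no control over where it came from. The following is an added Go sketch, not code from Eclypsium, Gigabyte or this thread: the weak acceptance path beside a hardened one that insists on HTTPS, an allow-listed vendor host and a valid Ed25519 signature under a key pinned in the updater. The host name, key pair, firmware bytes and the choice of Ed25519 are all constructed placeholders for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/url"
)

type Update struct {
	SourceURL string // where the updater fetched the image from
	Payload   []byte // firmware image bytes
	Sig       []byte // Ed25519 signature over SHA-256(Payload)
}

// Hypothetical allowlist of vendor update hosts (placeholder, not Gigabyte's real sites).
var trustedHosts = map[string]bool{"updates.vendor.example": true}

// acceptUnverified mirrors the weak pattern the article describes: any host, any scheme, no signature.
func acceptUnverified(u Update) error { return nil }

// acceptVerified is the hardened form: HTTPS only, allow-listed host, signature under a pinned key.
func acceptVerified(u Update, pinned ed25519.PublicKey) error {
	parsed, err := url.Parse(u.SourceURL)
	if err != nil || parsed.Scheme != "https" {
		return fmt.Errorf("refusing non-HTTPS source %q", u.SourceURL)
	}
	if !trustedHosts[parsed.Hostname()] {
		return fmt.Errorf("refusing untrusted host %q", parsed.Hostname())
	}
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pinned, digest[:], u.Sig) {
		return fmt.Errorf("signature check failed for %q", u.SourceURL)
	}
	return nil
}

// signUpdate plays the vendor's release step (constructed for the demo).
func signUpdate(priv ed25519.PrivateKey, src string, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{SourceURL: src, Payload: payload, Sig: ed25519.Sign(priv, digest[:])}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := signUpdate(priv, "https://updates.vendor.example/fw.bin", []byte("firmware v1"))
	// Swapped image served from a LAN share over plain HTTP, reusing the genuine signature.
	evil := Update{SourceURL: "http://nas.local/fw.bin", Payload: []byte("implanted image"), Sig: good.Sig}
	fmt.Println(acceptUnverified(evil), "|", acceptVerified(evil, pub), "|", acceptVerified(good, pub))
}
```

The weak path returns nil for the swapped image, while the hardened path rejects it at the first failing check and only accepts the genuinely signed image from the listed host.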

kittoo

Cretinously credulous
Do I need to worry if I always update my BIOS firmware through their website (download to USB, then update)?
 

kruis

Exposing the sinister cartel of retailers who allow companies to pay for advertising space.
I don't think this is a big deal in the real world. The vast, vast majority of people buying Gigabyte motherboards are not businesses but regular consumers. What's the likelihood of becoming victim to a man in the middle attack on your private network? The article gives a warning about a loophole that could make the Gigabyte software installed on your PC look for a (compromised) update on your NAS instead of an official Gigabyte server. But in that case I think an attacker installing software on your local NAS is a bigger problem than a loophole in Gigabyte's firmware update code.

Just don't download Gigabyte firmware files from unknown sites for a while until the loophole is closed.
 

kruis

Exposing the sinister cartel of retailers who allow companies to pay for advertising space.
If you have one of the motherboards on the list, go to your BIOS and turn off "APP Center Download & Install Configuration"

There's no real reason to do that either. What's the likelihood of a hacker getting access to your private network, changing the routing on your internet router so the BIOS on your PC downloads a hacked firmware from an unknown server instead of the real firmware from Gigabyte's server? IMO it's a rather hypothetical scenario.
 