If you've got a modern Gigabyte motherboard there's a BIOS setting you need to disable to avoid PC's latest security calamity

[Image: PCIe 5.0 SSD cooling on display at Computex 2023. Image credit: Future]

Update, June 2, 2023: Gigabyte has released an official statement and has been in touch with us to say that it has uploaded beta BIOS options to the official Gigabyte website which address the security issues highlighted by the Eclypsium report. It claims that Intel 600- and 700-series and AMD 400- and 500-series firmware updates have been released and that Intel 400- and 500-series and AMD 600-series beta BIOS releases will be available soon.

A quick check of a couple of B550 boards on the Eclypsium list, however, highlights that they're still missing the new BIOS update, though I have seen the new firmware available for Intel boards.

After the Asus debacle I am waiting for a response to confirm that the use of a beta BIOS won't affect your motherboard warranty. 

In terms of what Gigabyte has done to shore up the security vulnerability, it has said the following:

To fortify system security, GIGABYTE has implemented stricter security checks during the operating system boot process. These measures are designed to detect and prevent any possible malicious activities, providing users with enhanced protection:

1. Signature Verification: GIGABYTE has bolstered the validation process for files downloaded from remote servers. This enhanced verification ensures the integrity and legitimacy of the contents, thwarting any attempts by attackers to insert malicious code.

2. Privilege Access Limitations: GIGABYTE has enabled standard cryptographic verification of remote server certificates. This guarantees that files are exclusively downloaded from servers with valid and trusted certificates, ensuring an added layer of protection.

Original story, June 1, 2023: It's not a great time to be a motherboard manufacturer. First, Asus risks burning up your Ryzen processor with overly aggressive voltage settings in its firmware (even the supposed 'fix') and now Gigabyte is accused of using the same sorts of backdoor techniques as "threat actors" looking to hack into systems.

The vulnerability was discovered by security company Eclypsium (via Wired), and points to millions of Gigabyte motherboards out in the wild with the same invisible firmware updating mechanism.

"We are working with Gigabyte to address this insecure implementation of their app center capability," reads its report. "In the interest of protecting organizations from malicious actors, we are also publicly disclosing this information and defensive strategies on a more accelerated timeline than a typical vulnerability disclosure."

Eclypsium has published a list of the affected motherboards (pdf warning), but basically if you have a modern Gigabyte motherboard the chances are that your current mobo is going to be on this extensive list. There are reportedly 271 different models on the list, but I've not counted because the pdf file runs over three pages and three columns of pretty small typeface. Suffice to say, it's a lot of boards.

It also doesn't matter if you're running an AMD or Intel system; the vulnerability affects both platforms.

All it would theoretically take is someone on the same network as your machine intercepting Gigabyte's insecure updater and pointing it to a different URL than the standard firmware repositories. One of the worst parts of this is that, of the three possible download locations, one of them is using a plain HTTP address, not the far more secure HTTPS.

Eclypsium has stated that it doesn't currently believe there has been an active exploit of the vulnerability, but that "an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems."

[Image: Gigabyte X670 Aorus Elite AX. Image credit: Future]

It lists the potential risk and impact as follows:

  • Abuse of an OEM backdoor by threat actors: Previously, threat actors have taken advantage of legitimate but insecure/vulnerable "OEM backdoor" software built into the firmware of PCs. Most notably, Sednit group (APT28, FancyBear) exploited Computrace LoJack to masquerade as a legitimate laptop anti-theft feature.

  • Compromise of the OEM update infrastructure and supply chain: Gigabyte does have documentation on their website for this feature so it may be legitimate, but we cannot confirm what is happening within Gigabyte. In August 2021, Gigabyte experienced a breach of critical data by the RansomEXX group and then experienced another breach in October 2021 by the AvosLocker group.

  • Persistence using UEFI Rootkits and Implants: UEFI rootkits and implants are some of the stealthiest and most powerful forms of malware in existence. They reside in firmware on motherboards or within EFI system partitions of storage media, and execute before the operating system, allowing them to completely subvert the OS and security controls running in higher layers. Additionally, since most of the UEFI code exists on the motherboard instead of storage drives, UEFI threats will easily persist even if drives are wiped and the OS is reinstalled. The rate of discovery of new UEFI rootkits has accelerated sharply in recent years as seen by the discovery of LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023). Most of these were used to enable persistence of other, OS-based malware. These Gigabyte firmware images and the persistently dropped Windows executable enable the same attack scenario. Often, the above implants made their native Windows executables look like legitimate update tools. In the case of MosaicRegressor, the Windows payload was named "IntelUpdater.exe".

  • MITM attacks on firmware and software update features: Additionally, the insecure nature of the update process opens the door to MITM techniques via a compromised router, compromised device on the same network segment, DNS poisoning, or other network manipulation. It is also important to note that the third connection option, https://software-nas/Swhttp/LiveUpdate4, is not a fully qualified domain name, but rather, a machine name that would presumably be on the local network. This means an attacker on a local subnet could trick the implant into connecting to their system, without the need for DNS spoofing.

  • Ongoing risk due to unwanted behavior within official firmware: Backdoors hidden within UEFI or other firmware can be hard to remove. Even if the backdoor executable is removed, the firmware will simply drop it again the next time the system boots up. This challenge was demonstrated before when trying to remove Computrace LoJack and Superfish tools from Lenovo laptops.

The whole thing takes place during the Windows startup process where the Gigabyte updater, without any input from the user, can go off and download and then execute payloads from different locations on the internet.

The fact that one of those locations is on an insecure HTTP address makes it easily compromised by a so-called Machine-in-the-middle attack. Eclypsium also notes that even on the HTTPS locations the actual remote certificate validation (the part that should theoretically make it more secure) isn't implemented properly, which leaves them vulnerable to the same sort of attack, too.

It's a bit of a security nightmare if you're running an organisation on Gigabyte-based systems, though arguably less of a concern for solo PC gamers. But it's still not a good feeling knowing that an insecure Wi-Fi network could lead to anything getting loaded onto your machine without you knowing anything about it.
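To make the two weaknesses above concrete from a defender's side, here is an added example (not code from Gigabyte or Eclypsium) that audits a set of updater download locations and shows what a properly verifying TLS client looks like next to one that accepts any certificate. The only real endpoint in it is the https://software-nas/Swhttp/LiveUpdate4 address quoted in the Eclypsium report; the other two URLs are constructed placeholders standing in for the HTTP and HTTPS locations the article mentions but does not name.

```python
"""Audit firmware-updater download endpoints and TLS client settings.

Added example, not code from the article, Gigabyte or Eclypsium.
Only https://software-nas/Swhttp/LiveUpdate4 is taken from the report;
the example-oem.test hosts are constructed placeholders.
"""
import ipaddress
import ssl
from urllib.parse import urlsplit

# Constructed stand-ins for the three download locations the article describes.
UPDATE_URLS = [
    "http://updates.example-oem.test/Swhttp/LiveUpdate4",   # placeholder: plain HTTP
    "https://updates.example-oem.test/Swhttp/LiveUpdate4",  # placeholder: HTTPS
    "https://software-nas/Swhttp/LiveUpdate4",              # quoted in the report
]


def audit_update_url(url: str) -> list[str]:
    """Return the transport weaknesses found for one download location."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # Plain HTTP: anyone on the path can rewrite the payload in transit.
    if parts.scheme != "https":
        findings.append("plaintext transport: payload can be altered in transit")

    # A bare IP literal bypasses hostname-based certificate checks entirely.
    is_ip = True
    try:
        ipaddress.ip_address(host)
    except ValueError:
        is_ip = False
    if is_ip:
        findings.append("bare IP address: no name for a certificate to vouch for")
    # A single-label name like 'software-nas' is resolved by local search
    # domains or NetBIOS/LLMNR, so any host on the subnet can claim it.
    elif "." not in host:
        findings.append("unqualified host name: resolved on the local network, "
                        "any host on the subnet can answer for it")
    return findings


def audit_all(urls: list[str]) -> dict[str, list[str]]:
    """Audit every location; an empty list means no transport weakness found."""
    return {u: audit_update_url(u) for u in urls}


def verified_tls_context() -> ssl.SSLContext:
    """TLS client context that actually validates the remote certificate."""
    ctx = ssl.create_default_context()      # loads the platform CA store
    ctx.check_hostname = True               # certificate name must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED     # unverifiable chain aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_tls_context() -> ssl.SSLContext:
    """The weak setting: the kind of client the report describes, accepting any cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE         # any certificate, self-signed included, passes
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if both the chain and the hostname are checked."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for url, findings in audit_all(UPDATE_URLS).items():
        print(url, "->", findings or "ok")
    print("verified context checks cert:", context_is_verifying(verified_tls_context()))
    print("unverified context checks cert:", context_is_verifying(unverified_tls_context()))
```

Run as-is and it flags the HTTP placeholder for plaintext transport and the `software-nas` address for being a single-label name, while the fully qualified HTTPS placeholder passes; the two context builders show that the certificate checks Gigabyte says it has now enabled are two attributes on the client side, and that a client which turns them off will accept whatever a machine-in-the-middle presents.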

The recommended fix

The key thing you can do about it to help secure your personal machine is to dig into the BIOS of your PC and disable the 'APP Center Download & Install' feature. You can also set a BIOS password, which will help prevent any future changes you haven't chosen to make.

You can enter your BIOS using the usual hammering of the Del or F2 keys during that brief startup window or, alternatively, restart your PC from Windows while holding down the Shift key. That will take you into a startup options screen where you can go into your UEFI BIOS.

We've reached out to Gigabyte for comment and will update as soon as we hear anything back.

Dave James
Editor-in-Chief, Hardware

