Backdoor Firmware Found on Millions of PC Motherboards

Cybercriminals have increasingly employed a devious tactic by concealing malicious programs within a computer's UEFI firmware—the fundamental code responsible for booting the operating system. However, the situation becomes even more alarming when a motherboard manufacturer not only includes its hidden backdoor in the firmware of millions of computers but fails to secure that entrance properly.

Recently, a team of cybersecurity researchers specializing in firmware has discovered a concealed mechanism embedded in the firmware of motherboards manufactured by Gigabyte, a renowned Taiwanese company widely used in gaming PCs and high-performance computers. Upon restarting a computer with the affected Gigabyte motherboard, the hidden code within the firmware discreetly triggers an updater program on the computer. Subsequently, this program downloads and executes another piece of software without the user's knowledge or consent.

Intentions Good, Implementation Not So Much

While the hidden code discovered in the Gigabyte motherboard firmware was presumably intended as a harmless firmware-update tool, the researchers identified significant security flaws in its implementation. Those flaws create a real risk that malicious actors could exploit the mechanism to install malware in place of the intended Gigabyte program.

Compounding the issue is the fact that the updater program is initiated from the computer's firmware, operating outside the realm of the user's operating system. This makes it incredibly challenging for users to detect or remove the problematic code, further exacerbating the potential impact of the security vulnerability.

More Than 270 Models Involved

To see if your computer's motherboard contains the backdoor in question, navigate to "Start" in Windows and access "System Information."

While investigating firmware-based malicious code, researchers made a significant discovery regarding Gigabyte's concealed firmware mechanism. This finding is particularly notable as sophisticated hackers frequently employ similar tactics. Surprisingly, the researchers' automated detection scans flagged Gigabyte's updater mechanism for engaging in suspicious activities reminiscent of state-sponsored hacking tools. Specifically, it involved hiding within the firmware and silently executing a program that downloads code from the internet.

Gigabyte's updater mechanism alone has ignited concerns among users who are apprehensive about the prospect of silent code installations through an almost imperceptible tool. Furthermore, there is a genuine fear that Gigabyte's mechanism could fall victim to exploitation by hackers who infiltrate the motherboard manufacturer, leveraging its hidden access for a nefarious software supply chain attack. However, Eclypsium's investigation unearthed an even more alarming revelation. The update mechanism, designed to enhance user experience, contains glaring vulnerabilities that have the potential to be maliciously hijacked. Shockingly, it downloads code to the user's machine without undergoing proper authentication, and in some instances, it even utilizes an insecure HTTP connection instead of the more secure HTTPS.

This gaping security hole lets an attacker in a man-in-the-middle position spoof the installation source and deceive unsuspecting users. In essence, even a rogue Wi-Fi network could intercept the user's internet connection and compromise the system's integrity.

In other instances, Gigabyte's firmware mechanism lets the updater fetch downloads from a network-attached storage (NAS) device on the local network. This feature is seemingly aimed at business networks, where it spares every machine from needing extensive internet access. However, a malicious actor on the same network can then spoof the NAS location and surreptitiously replace authorized updates with their own malware.
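The two weaknesses described above, an unauthenticated download over plain HTTP and an update source that a neighbour on the local network can redirect, both come down to a missing policy check before anything is executed. The following is an added illustration written for this article of what that check looks like; it is not Gigabyte's or Eclypsium's code, and the hostnames, the digest-pinning scheme and the stand-in downloader functions are assumptions.

```python
"""Hardened update-fetch policy: refuse plaintext or non-allowlisted
origins, then authenticate the payload against a digest pinned at build
time before it is ever executed. Hypothetical code, not a vendor's."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allowlist of update origins (hypothetical hostname).
ALLOWED_HOSTS = {"updates.example-vendor.test"}


def source_is_trusted(url):
    """True only for an HTTPS URL whose host is on the allowlist.
    Plain HTTP is what lets an on-path attacker (e.g. a rogue Wi-Fi
    network) swap the payload; a NAS or any other network-supplied
    location is not a trusted origin, however convenient."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


def verify_payload(payload, expected_sha256_hex):
    """Authenticate downloaded bytes against a digest pinned in the
    firmware image; compare_digest avoids a timing side channel."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def fetch_update(url, downloader, expected_sha256_hex):
    """downloader(url) -> bytes is injected so this runs offline.
    Returns (ok, reason); only ok=True means the bytes may be run."""
    if not source_is_trusted(url):
        return (False, "untrusted source")
    payload = downloader(url)
    if not verify_payload(payload, expected_sha256_hex):
        return (False, "digest mismatch")
    return (True, "verified")


# Constructed sample: the genuine update blob and its pinned digest.
GENUINE_UPDATE = b"MZ-hypothetical-updater-bytes"
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def honest_downloader(url):
    return GENUINE_UPDATE


def tampered_downloader(url):
    """Stands in for an attacker who replaced the file in transit."""
    return GENUINE_UPDATE + b"\x90"


if __name__ == "__main__":
    good = "https://updates.example-vendor.test/updater.bin"
    print(fetch_update(good.replace("https", "http"), honest_downloader, PINNED_SHA256))
    print(fetch_update(good, tampered_downloader, PINNED_SHA256))
    print(fetch_update(good, honest_downloader, PINNED_SHA256))
```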

A Fix Might Work ... or Not?

Even if Gigabyte addresses the firmware issue, firmware updates frequently abort silently on users' machines because of the intricate nature of the process and the difficulty of matching firmware to hardware. This is deeply concerning given the vast number of devices that could be affected. While Gigabyte likely had no malicious or deceitful intent with its concealed firmware tool, security vulnerabilities in concealed code beneath the operating system undermine users' fundamental trust in their machines.