Millions of Gigabyte motherboards and laptops shipped with a built-in backdoor in their UEFI firmware!
Here is what you need to know about this cybersecurity danger, and what you can do about it!
Gigabyte Motherboards Shipped With Firmware Backdoor!
On 31 May 2023, researchers at the cybersecurity firm Eclypsium revealed that 271 Gigabyte motherboard models have been compromised with UEFI firmware with a built-in backdoor!
Eclypsium’s heuristic detection methods recently began flagging suspicious backdoor-like behaviour in Gigabyte motherboards. When its researchers looked into it, they found that Gigabyte motherboard firmware was executing a Windows native executable during the system start-up process. This executable then insecurely downloads and executes additional payloads.
From their analysis, the executable appears to be a legitimate Gigabyte module called WpbtDxe.efi:
- it checks to see if the “APP Center Download & Install” feature is enabled
- it downloads executable payloads from Gigabyte servers
- it has a Gigabyte cryptographic signature
They also found that the downloaded payloads have Gigabyte cryptographic signatures too, which suggests that this firmware backdoor was implemented by Gigabyte itself.
However, Eclypsium researchers discovered that the Gigabyte implementation had a number of problems, which would make it easy for threat actors to abuse the firmware backdoor:
- one of its payload download locations lacks SSL (using plain HTTP instead of the more secure HTTPS), allowing for Machine-in-the-Middle (MITM) attacks
- remote server certificate validation was not implemented correctly even when the other two HTTPS download locations were used, which also allows for MITM attacks
- one of its payload download locations is a local network-attached storage (NAS) device, which could allow a threat actor to spoof the NAS and have the firmware install their own malware
- the Gigabyte firmware itself does not verify any cryptographic signatures or otherwise validate the downloaded executables before running them.
In short – millions of Gigabyte motherboards have a cybersecurity vulnerability, because their firmware includes an insecurely implemented OEM backdoor. As John Loucaides from Eclypsium put it:
If you have one of these machines, you have to worry about the fact that it’s basically grabbing something from the Internet and running it without you being involved, and hasn’t done any of this securely.
The concept of going underneath the end user and taking over their machine doesn’t sit well with most people.
Note: This vulnerability affects all computers using Gigabyte motherboards, including laptops.
Gigabyte Rolls Out New Firmware To Mitigate Backdoor!
After the news blew up inconveniently during Computex 2023, Gigabyte quickly rolled out new beta firmware upgrades for its AMD and Intel motherboards.
According to Gigabyte, the new beta firmware upgrades have “improved security mechanisms” that will “detect and prevent malicious activities during the boot process”. It also appears to have implemented other changes:
- enhanced the signature verification process for files downloaded from its remote servers
- added more thorough checks of file integrity to prevent the introduction of malicious code
- enabled standard cryptographic verification of remote server certificates
The new firmware has just been released for AMD 600-series motherboards, as well as Intel 500- and 400-series motherboards, but will eventually be introduced for older motherboards. The new firmware will have the description, “Addresses Download Assistant Vulnerabilities Reported by Eclypsium Research”.
As Gigabyte does not intend to remove the backdoor feature, you might want to consider Eclypsium’s advice on how best to reduce the risk of malicious actors taking advantage:
- Scan and monitor systems and firmware updates in order to detect affected Gigabyte systems and the backdoor-like tools embedded in firmware. Update systems to the latest validated firmware and software in order to address security issues like this one.
- Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes.
- Administrators can also block the following URLs:
– http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
– https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
– https://software-nas/Swhttp/LiveUpdate4
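As an added example (not from the article, Eclypsium or Gigabyte), here is a small Python scanner that applies the URL-blocking advice above to proxy log lines, so administrators can spot which machines are still fetching from the three LiveUpdate4 locations. The log format and sample lines are constructed; the plain-HTTP location and the single-label software-nas host are flagged separately because those are the two spoofable download paths the article describes.

```python
import re
from urllib.parse import urlsplit

# The three download locations Eclypsium listed (quoted on this page).
LIVEUPDATE_PATH = "/swhttp/liveupdate4"
GIGABYTE_HOST = "mb.download.gigabyte.com"
NAS_HOST = "software-nas"          # single-label name, resolved on the local network

# Constructed proxy-log format (an assumption, not any product's real format):
# "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")


def classify_url(url: str):
    """Classify one request URL; return a finding label, or None if unrelated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if LIVEUPDATE_PATH not in parts.path.lower():
        return None
    if host == GIGABYTE_HOST and parts.scheme == "http":
        return "plain_http"          # plaintext fetch: interceptable in transit
    if host == GIGABYTE_HOST:
        return "https_gigabyte"      # still the firmware backdoor pulling a payload
    if host == NAS_HOST:
        return "unqualified_nas"     # name any LAN host could answer for
    return "other_liveupdate"        # the same path on an unexpected host


def scan_log(lines):
    """Return one finding per log line that hits a LiveUpdate4 location."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                  # skip lines that do not fit the format
        ts, client, _method, url, _status = m.groups()
        kind = classify_url(url)
        if kind:
            findings.append({"time": ts, "client": client, "kind": kind, "url": url})
    return findings


# Constructed sample lines for a stand-alone run.
SAMPLE_LOG = [
    "2023-06-01T08:01:02Z 10.0.0.21 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4/update.exe 200",
    "2023-06-01T08:01:05Z 10.0.0.21 GET https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4/update.exe 200",
    "2023-06-01T08:01:09Z 10.0.0.35 GET https://software-nas/Swhttp/LiveUpdate4/update.exe 404",
    "2023-06-01T08:02:00Z 10.0.0.40 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['kind']}: {f['url']}")
```

Each flagged client is a machine whose firmware still has APP Center Download & Install enabled, so the list doubles as an inventory of systems that need the BIOS setting changed and the updated firmware applied.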
For starters, you should definitely download and update your Gigabyte motherboard or laptop with the improved firmware. Then disable APP Center Download & Install in the BIOS.
Let’s hope Gigabyte will be able to quickly issue new and improved firmware to mitigate, if not remove, the backdoor vulnerability for the affected 271 motherboard models, and its future motherboards and laptops. Even so, many users might not be aware of this vulnerability or these updates.
It seems likely that threat actors will have access to this backdoor vulnerability in many Gigabyte motherboards and laptops for years to come. Even Eclypsium’s Loucaides believes so:
I still think this will end up being a fairly pervasive problem on Gigabyte boards for years to come.
Dr. Adrian Wong has been writing about tech and science since 1997, even publishing a book with Prentice Hall called Breaking Through The BIOS Barrier (ISBN 978-0131455368) while in medical school.
He continues to devote countless hours every day writing about tech, medicine and science, in his pursuit of facts in a post-truth world.