Research from supply chain security firm Eclypsium Labs indicates that a broad range of motherboards from one of the world’s biggest manufacturers have a firmware backdoor present that impacts systems running Windows. Gigabyte motherboards are most commonly found in high-end gaming PCs, and collectively there may be millions of tainted pieces of hardware out in the wild with some 271 models impacted.
There is no word yet on exactly how this firmware backdoor made it into these products, but it seems very unlikely to be an intentional act by a manufacturer that has been a major tech player since the 1980s (and that has since issued a patch). The most likely explanations are either some sort of malicious attack that managed to infiltrate the production environment, or simply poor coding by an engineer.
Aorus, gaming, other Gigabyte motherboards impacted
The company was founded in Taiwan in 1986, and Gigabyte motherboards have since been in a wide variety of computer systems. Dell presently owns a majority share in the company, but much of its business is done selling motherboards directly to people that assemble their own computers (particularly higher-end gaming PCs). The full list of 271 boards containing the firmware backdoor includes the popular Gaming and Aorus lines among numerous other models. AMD and Intel systems are both impacted.
As of June 1, Gigabyte has begun issuing BIOS update patches for the impacted product lines. If a patch is not yet available or the board cannot be updated for some reason, Eclypsium has issued some mitigation recommendations. One immediate measure that can be taken is to enter the UEFI/BIOS setup, disable the “APP Center Download & Install” feature and set a BIOS password if one is not already present. Eclypsium also provides three URLs that administrators can block to head off potential attacks.
The attack window is somewhat limited, as a threat actor would need to be on the same network as the target to exploit the firmware backdoor. It involves a poorly protected Windows native executable that the Gigabyte motherboards drop during the standard boot-up process. An attacker on the local network could manipulate what this executable downloads, substituting malware payloads or firmware implants that then provide free-ranging access to the target system. A string of UEFI rootkits that have been appearing since 2018, ranging from the notorious LoJax wielded by Russian state-sponsored hackers to the more recent MoonBounce and BlackLotus, are tailor-made for this sort of approach.
Cause of firmware backdoor remains unknown
The Eclypsium research notes that Gigabyte does document the firmware backdoor as a feature on its website, so it is possible that an engineer simply used a technique similar to those used by malware implanters for a normal function and then failed to encrypt or secure it properly. Gigabyte was also compromised by ransomware gangs in both August and October of 2021, with sensitive internal data accessed in both cases, so malicious tampering cannot be fully ruled out. However, there is no evidence that the firmware backdoor has been exploited in any Gigabyte motherboards in the wild.
Jeff Williams, co-founder and CTO at Contrast Security, notes that this is a very unusual case: “Almost all security work is focused on inadvertent vulnerabilities created innocently by developers. However, imagine you’re a malicious developer that wants to trojan your company’s software with a backdoor. A smart attacker won’t make an obvious backdoor, they’ll just introduce a common vulnerability that looks accidental. That way they maintain plausible deniability if the backdoor is detected. The only way to tell the difference between a vulnerability and a backdoor is to try to discern that developer’s intent – which is essentially impossible. In this case, we may never know.”
In addition to the ransomware issues in 2021, several vulnerabilities in Gigabyte motherboards and drivers were uncovered in 2022. These vulnerabilities, which were similar to the firmware backdoor in that an attacker would need local access, impacted Aorus and Xtreme boards in addition to drivers used for the Gigabyte App Center. Four were assigned CVEs, and at least one of the driver vulnerabilities was targeted by RobbinHood ransomware.
Gigabyte motherboards are also not the only ones to ship with vulnerabilities in recent years. Early this year, a security researcher discovered that about 290 MSI motherboard models had faulty Secure Boot default settings that could allow malware to run even if it was detected. In early 2022, a spate of BIOS flaws was found in hardware from manufacturers such as Intel, Lenovo, Dell and Siemens among others that created a similar firmware backdoor allowing persistent malware to be injected. And in 2020, a complex theoretical attack was developed that essentially undid the security of Intel’s sixth generation of chips (if the stars lined up for a threat actor).
Though there has yet to be a known exploitation of Gigabyte motherboards in the wild using this attack, there will certainly be attempts now that the firmware backdoor has become common knowledge. Gigabyte issued a press release stating that its BIOS update will implement a stricter verification check for files downloaded from remote servers during the boot-time update process, and will use cryptographic verification for remote server certificates to head off any “man in the middle” attempts that might arise.
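To make the two fixes Gigabyte describes concrete, the following added example (not Gigabyte's code, not Eclypsium's, and not the actual updater) shows a simplified boot-time updater in Python with the weak pattern the article describes beside the hardened one: a TLS context that skips server certificate verification versus one that enforces it, and a download handed straight to the OS versus one checked against a digest pinned in the firmware's trust store before it is allowed to run. The payload bytes, the pinned digest and the function names are all constructed for this example; a production updater would verify a vendor signature over the file rather than a single pinned hash, which is the simplification used here.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for a legitimate update file. A real updater would ship a vendor
# public key and verify a signature; a pinned SHA-256 is the simplest form of the same idea.
TRUSTED_PAYLOAD = b"SAMPLE-UPDATER-v1\n" + b"\x90" * 64
PINNED_SHA256 = hashlib.sha256(TRUSTED_PAYLOAD).hexdigest()  # what the firmware would embed


class UpdateRejected(Exception):
    """Raised when a downloaded file fails verification and must not be executed."""


def insecure_tls_context() -> ssl.SSLContext:
    """Weak pattern: the server certificate is never checked, so any on-path host
    on the local network can impersonate the update server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_tls_context() -> ssl.SSLContext:
    """Corrected pattern: chain and hostname verification stay on (the library default)."""
    return ssl.create_default_context()


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the certificate chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verified_accept(payload: bytes, pinned_hex: str = PINNED_SHA256) -> bytes:
    """Hardened acceptance: compare the payload digest to the pinned digest in constant time.
    Certificate verification alone would not catch a compromised or misconfigured server;
    checking the file itself covers that case too."""
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, pinned_hex):
        raise UpdateRejected("downloaded file does not match the pinned digest")
    return payload


def update_outcome(payload: bytes, verify: bool) -> str:
    """Model the updater's decision. verify=False is the weak behaviour (execute whatever
    arrived); verify=True is the hardened behaviour. Returns 'executed' or 'rejected'."""
    if not verify:
        return "executed"
    try:
        verified_accept(payload)
    except UpdateRejected:
        return "rejected"
    return "executed"


def tampered_copy(payload: bytes) -> bytes:
    """Constructed test fixture: a same-length file with one byte changed, standing in for
    anything other than the genuine file arriving over the network."""
    return payload[:-1] + bytes([payload[-1] ^ 0xFF])


if __name__ == "__main__":
    genuine, altered = TRUSTED_PAYLOAD, tampered_copy(TRUSTED_PAYLOAD)
    print("weak updater, altered file:    ", update_outcome(altered, verify=False))
    print("hardened updater, altered file:", update_outcome(altered, verify=True))
    print("hardened updater, genuine file:", update_outcome(genuine, verify=True))
    print("insecure context verifies peer:", context_verifies_peer(insecure_tls_context()))
    print("hardened context verifies peer:", context_verifies_peer(hardened_tls_context()))
```

The two checks are independent on purpose: the certificate check stops an on-path host from standing in for the server, and the file check stops a bad file from running even if it came over a correctly authenticated connection. Either one alone leaves a gap, which is why the press release lists both.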