
posted by janrinok on Friday June 02 2023, @12:27PM

Hidden code in many Gigabyte motherboards invisibly and insecurely downloads programs:

Hiding malicious programs in a computer's UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become an insidious trick in the toolkit of stealthy hackers. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers—and doesn't even put a proper lock on that hidden back entrance—they're practically doing hackers' work for them.

Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they've discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with the affected Gigabyte motherboard restarts, Eclypsium found, code within the motherboard's firmware invisibly initiates an updater program that runs on the computer and in turn downloads and executes another piece of software.

While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard's firmware updated, researchers found that it's implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte's intended program. And because the updater program is triggered from the computer's firmware, outside its operating system, it's tough for users to remove or even discover.

"If you have one of these machines, you have to worry about the fact that it's basically grabbing something from the Internet and running it without you being involved, and hasn't done any of this securely," says John Loucaides, who leads strategy and research at Eclypsium. "The concept of going underneath the end user and taking over their machine doesn't sit well with most people."

In its blog post about the research, Eclypsium lists 271 models of Gigabyte motherboards that researchers say are affected. Loucaides adds that users who want to see which motherboard their computer uses can check by going to "Start" in Windows and then "System Information."

From my understanding of the problem it appears to affect Windows OS, but any insecurity in the UEFI firmware is a major cause for concern [JR]

[Edited to remove duplicate paragraph-JR 2023-06-02 16:46:23Z]


  • (Score: 2) by Snospar on Friday June 02 2023, @01:35PM (6 children)

    by Snospar (5366) Subscriber Badge on Friday June 02 2023, @01:35PM (#1309429)

    Lucky me, it appears my Gigabyte Motherboard is too old for this problem. I won't be buying another Gigabyte motherboard given this news... who can you trust these days?

    --
    Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
    • (Score: 5, Informative) by JoeMerchant on Friday June 02 2023, @01:42PM (4 children)

      by JoeMerchant (3937) on Friday June 02 2023, @01:42PM (#1309430)

      We use a smaller (to remain unnamed) custom motherboard design house, but they mostly copy mainstream designs - as we want them to, to keep costs and, more importantly, unexpected firmware challenges down - but with their designs we can produce the same motherboard for 10+ years...

      In any event, they customize the BIOS for us a little, but it's not really "them" - when we interface with the BIOS engineer, it seems like he's quite the hard guy to reach, many timezones away from the rest of our motherboard design team, and I get the impression he works for many different motherboard design houses...

      In other words: motherboards are a globalized industry and a lot of the players rely on the same prime contractors to do their stuff - which is great for compatibility, if everybody uses the same BIOS designer then they'll have very few cross-brand compatibility issues, but... when that prime contractor cuts a corner and opens a security back door, it can affect a LOT of people.

      --
      🌻🌻 [google.com]
      • (Score: 2) by JoeMerchant on Friday June 02 2023, @04:11PM (3 children)

        by JoeMerchant (3937) on Friday June 02 2023, @04:11PM (#1309443)

        Entomological reflection: "prime contractor."

        Common usage: The contractor one contracts with, as opposed to sub, and sub-sub contractors who may do the actual work.

        Non-standard usage above: Prime, as in prime numbers, the smallest factor in the system - primary, the building blocks from which everything else is made.

        English sux.

        --
        🌻🌻 [google.com]
        • (Score: 3, Funny) by kazzie on Friday June 02 2023, @05:47PM

          by kazzie (5309) Subscriber Badge on Friday June 02 2023, @05:47PM (#1309450)

          A third definition: While going down the chain of contractors and subcontractors, only count the prime-numbered levels.

        • (Score: 3, Touché) by kazzie on Friday June 02 2023, @05:49PM (1 child)

          by kazzie (5309) Subscriber Badge on Friday June 02 2023, @05:49PM (#1309451)

          A further thought: I think you have the wrong superhero [xkcd.com]

          • (Score: 2) by JoeMerchant on Friday June 02 2023, @07:49PM

            by JoeMerchant (3937) on Friday June 02 2023, @07:49PM (#1309466)

            Didn't think to check spell check to see if it was correcting my mangled pile of vowels to the correct word-meaning.

            --
            🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Saturday June 03 2023, @02:25AM

      by Anonymous Coward on Saturday June 03 2023, @02:25AM (#1309509)

      Maybe not MSI?
      https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/ [arstechnica.com]

      I think they do make it easier to install random Linux distros though: https://www.bleepingcomputer.com/news/security/msi-breaks-secure-boot-for-hundreds-of-motherboards/ [bleepingcomputer.com]

      So far waiting to see if Asus has problems - I've been using Asus motherboards for more than a decade - their motherboards seem to last long enough for me.

  • (Score: 1) by shrewdsheep on Friday June 02 2023, @01:58PM (3 children)

    by shrewdsheep (5215) on Friday June 02 2023, @01:58PM (#1309431)

    It seems that this would only apply to built-in Ethernet, as drivers would have to be built in. But a DHCP request would have to be sent, which would delay boot-up in a noticeable way. An alternative would be that the backdoor processor (AKA management chip etc.) runs this in the background. Then, though, the OS would start conflicting with the backdoor on network access. Hm..., maybe the backdoor virtualizes the Ethernet controller... Puzzled, giving up...

    • (Score: 3, Interesting) by owl on Friday June 02 2023, @02:31PM

      by owl (15206) on Friday June 02 2023, @02:31PM (#1309437)

      maybe the backdoor virtualizes the ethernet controller...

      In the instance of Intel's ME system, this is exactly how it works. The ME has a separate 'virtual' mac address that is assigned to the main Ethernet port and both the ME and the otherwise unaware main OS talk to the world over the same Ethernet controller. This of course is only for those systems that don't have a second "management" Ethernet port, in which case usually for those the ME is connected to the management port.

    • (Score: 4, Informative) by rigrig on Friday June 02 2023, @03:21PM (1 child)

      by rigrig (5129) <soylentnews@tubul.net> on Friday June 02 2023, @03:21PM (#1309442) Homepage

      It works in multiple stages [eclypsium.com]:
      1) During boot: firmware sets up some executable code to be run by Windows at startup
      2) At Windows startup: the dropped code writes an executable to disk and registers it as a Windows Service
      3) After Windows starts: the service downloads and runs additional payloads (over an insecure connection, without verifying the contents...)

      --
      No one remembers the singer.
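Added example (not Eclypsium's, Gigabyte's or rigrig's code) for the summary above and the three stages just listed: the step-3 pattern, fetch and run whatever arrives, beside a fail-closed version that refuses non-TLS URLs, bounds the size and verifies the contents before execution. The URLs, payload bytes and pinned digest are constructed, and the network fetch is a callable the caller passes in, so it runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample bytes standing in for the program the service downloads.
GENUINE_UPDATE = b"vendor-updater-v1 (constructed sample)"
TAMPERED_UPDATE = GENUINE_UPDATE + b" + injected code (constructed)"
# Digest a vendor could pin inside the firmware image; derived here from the sample.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


class UpdateRejected(Exception):
    """Raised when the hardened path refuses to run what it fetched."""


def insecure_updater(url, fetch):
    """Step 3 as described: fetch over whatever URL, run whatever arrives."""
    blob = fetch(url)  # no scheme check, no size bound, no content verification
    return "executed", blob


def hardened_updater(url, fetch, pinned_sha256=PINNED_SHA256, max_size=1 << 20):
    """Fail-closed variant: TLS only, bounded size, contents pinned before execution.
    A real updater would verify a vendor signature instead of a pinned digest
    (the stdlib has none); the ordering of the checks is what this shows."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise UpdateRejected(f"refusing non-TLS scheme {scheme!r}")
    blob = fetch(url)
    if len(blob) > max_size:
        raise UpdateRejected(f"payload of {len(blob)} bytes exceeds limit")
    digest = hashlib.sha256(blob).hexdigest()
    # Constant-time compare, so the check itself leaks nothing about the pinned value.
    if not hmac.compare_digest(digest, pinned_sha256):
        raise UpdateRejected("sha256 mismatch: not the expected update")
    return "executed", blob


def run_update(updater, url, fetch):
    """Drive an updater and report the outcome as a string instead of raising."""
    try:
        status, _ = updater(url, fetch)
        return status
    except UpdateRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    mitm = lambda url: TAMPERED_UPDATE  # constructed on-path tamperer
    print(run_update(insecure_updater, "http://updates.example/agent.exe", mitm))
    print(run_update(hardened_updater, "http://updates.example/agent.exe", mitm))
    print(run_update(hardened_updater, "https://updates.example/agent.exe", mitm))
```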
      • (Score: 2) by JoeMerchant on Friday June 02 2023, @05:11PM

        by JoeMerchant (3937) on Friday June 02 2023, @05:11PM (#1309449)

        And we all blame Microsoft for the crap that goes on....

        I'm guessing whoever did this thought it was so clever and obscure that nobody would ever find it.

        The new rule of Cybersecurity: if it can happen, it will be discovered. It took us 40 years of personal computing to get here, 25+ years of pervasive global network usage, but here we are.

        With 8 billion potential reverse-engineer code monkeys banging on your obscure secret, one of them is bound to find it eventually.

        Yes, yes, not everybody is a programmer, not every programmer is a capable reverse engineer, not every reverse engineer goes around looking for stuff like this, if those ratios are all 1/100, that leaves 8000 reverse engineer monkeys banging away on systems potentially finding your obfuscations and revealing them.

        --
        🌻🌻 [google.com]
  • (Score: 3, Touché) by Ingar on Friday June 02 2023, @02:34PM (3 children)

    by Ingar (801) on Friday June 02 2023, @02:34PM (#1309438) Homepage

    I got one of the affected boards. This was my first Gigabyte board after two decades of ASUS, because I was fed up with their shenanigans.

  • (Score: 4, Informative) by Mojibake Tengu on Friday June 02 2023, @04:31PM (1 child)

    by Mojibake Tengu (8598) on Friday June 02 2023, @04:31PM (#1309446) Journal

    A more precise description would be Windows-Assisted UEFI Backdoor. And by its behavior, it is purely intentional, not accidental. Without Microsoft acceptance and assistance, this would not work.

    Though Gigabyte is not alone in this shady business. One of the IBM servers (Xeon, x3250 M4) I have in my kitchen rack has a complete ancient (and pretty vulnerable) Linux kernel in its EFI ROM, supposed to run some original IBM diagnostics only... It starts by default, and only after checking system configuration bypass in CMOS it restarts to continue by "normal" boot from disks.
    Today, it's quite trivial to hijack or softkill this machine remotely while still living in UEFI.
    Well, I am not complaining, I got it very cheaply and learned a lot about Intel hardware backdoors on it, including vulnerable Xeon CPU itself and fantastic DMA features of Intel network cards...

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 2) by maxwell demon on Friday June 02 2023, @06:40PM

      by maxwell demon (1608) on Friday June 02 2023, @06:40PM (#1309454) Journal

      Well, the company is called Intel. [cambridge.org] What did you expect? :-)
      (Don't forget to look at the first usage example on the linked page!)

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Insightful) by SomeGuy on Saturday June 03 2023, @12:55AM (1 child)

    by SomeGuy (5632) on Saturday June 03 2023, @12:55AM (#1309501)

    Give me a nice small 8k auditable BIOS EPROM that just boots my computer.

    Ah, but we have to stuff so much bullshit into this modern garbage - yes, it has been able to run DOOM for a while now.

  • (Score: 2) by ShovelOperator1 on Saturday June 03 2023, @02:02PM

    by ShovelOperator1 (18058) on Saturday June 03 2023, @02:02PM (#1309599)

    I remember these malware attempts since the early 2000s. The first one was probably Phoenix "Net BIOS", which was a heavily modded 6.00PG version made after Award got merged with Phoenix [1]. It changed the start page in IE, added two shortcuts to favorites and an icon on the desktop. There were more sophisticated versions of it [3] which installed their own files, making the system connect to unsolicited servers, causing people to write petitions, intentionally share the "Award's source code leak" and even force the BIOS vendor to disclose some info [2].
    I had these boards, and all of these "permission screen" statements are just a lie - there is no permission screen at all; it happened right after the first boot without questions. That's why users decided to protest.
    However, with each new attempt, the reaction from users seems to be less and less intense, making the PC vendors just shove the malware down our throats. While at first the idea of connecting to some unknown server without the user's consent was considered theft, now it seems to be acceptable, even ignoring the fact that in mobile services we're back in the pay-per-minute dial-up times.

    [1] http://www.cexx.org/phoenix.htm [cexx.org]
    [2] https://www.theregister.com/2001/07/19/phoenix_answers_all_our_phonehome [theregister.com]
    [3] http://www.wenqujingdian.com/Public/editor/attached/file/20180426/20180426151425_12765.pdf [wenqujingdian.com] - page 71 onwards, quite edible by online translation services.
