Component supplier Gigabyte has some pressing questions to answer. The first and most pressing is, “Why did you put an updater backdoor into your own motherboard firmware without telling anyone?” The second is, “Why didn’t you lock it down in any meaningful way, hoping that it would stay secure simply by not being known?” Such questions were asked by security research firm Eclypsium when it discovered said backdoor in Gigabyte’s UEFI firmware, loaded on hundreds of models of retail and enterprise motherboards.
Eclypsium says that the code is meant for Gigabyte to install firmware updates either over the internet or from attached storage on a local network. But according to the researchers, the tool is mostly unsecured, meaning any malicious actor who knows about it can potentially load their own code onto a PC motherboard. The issue was discovered via a Windows startup executable that can install new UEFI firmware, downloading it from an unsecured Gigabyte server and installing the software without any signature verification.
The research blog post says that this security vulnerability could lead to malefactors using the OEM backdoor to load harmful code such as rootkits, either directly onto a user’s machine or by compromising Gigabyte’s own server. “Man in the middle” attacks, in which the download is intercepted in transit, are also possible. Eclypsium offered three Gigabyte URLs that users or administrators can block to prevent internet-based updates.
Hundreds of motherboard models are affected, including some of the latest retail boards for high-end system builders. You can see a full list here (PDF link). Eclypsium says it has informed Gigabyte of the vulnerability, and that the company plans to address the issue, presumably with (ha) a firmware update.
Update: Gigabyte reached out to PCWorld to say that it has “implemented stricter security checks during the operating system boot process.” Updated firmware for Intel 500, Intel 600, and AMD 600 motherboards includes signature verification and cryptographic verification for remote server certificates.
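As an added illustration of the two checks the updated firmware is reported to add (signature verification of the image and verification of the remote server), here is a small Go gate that refuses to install a downloaded firmware image unless it came from an allowed HTTPS host and carries a valid vendor signature. This is example code, not Gigabyte’s or Eclypsium’s; the Ed25519 scheme, the hostname and the sample image are assumptions, and the placeholder host stands in for the update URLs the article mentions but does not list.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"net/url"
)

// Placeholder host: the article mentions three Gigabyte update URLs but
// does not list them, so a constructed name is used here instead.
var allowedHosts = map[string]bool{
	"updates.example-vendor.invalid": true,
}

var (
	ErrInsecureSource = errors.New("update source is not an allowed HTTPS host")
	ErrBadSignature   = errors.New("firmware image signature does not verify")
)

// VerifyUpdate gates installation of a downloaded firmware image on the two
// checks the unpatched updater described in the article lacked: the image
// must come from an allowed HTTPS origin and must verify under the vendor's
// pinned Ed25519 public key (the scheme is an assumption for this example).
func VerifyUpdate(pub ed25519.PublicKey, source string, image, sig []byte) error {
	u, err := url.Parse(source)
	if err != nil || u.Scheme != "https" || !allowedHosts[u.Hostname()] {
		return ErrInsecureSource
	}
	if !ed25519.Verify(pub, image, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed sample: the vendor signs the image at build time; the
	// updater on the PC only ever holds the public key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed firmware image bytes")
	sig := ed25519.Sign(priv, image)
	good := "https://updates.example-vendor.invalid/fw.bin"

	fmt.Println(VerifyUpdate(pub, good, image, sig)) // <nil>: accepted
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // one flipped bit, as a man-in-the-middle might introduce
	fmt.Println(VerifyUpdate(pub, good, tampered, sig))
	fmt.Println(VerifyUpdate(pub, "http://updates.example-vendor.invalid/fw.bin", image, sig))
}
```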