Component vendor Gigabyte has some pressing questions to answer. The first and most pressing is, “Why did you put an update backdoor into your motherboard firmware without telling anyone?” The second is, “Why didn’t you secure it in a meaningful way, instead of hoping it would stay safe simply by not being known?” Those questions were raised by security research firm Eclypsium when it discovered the backdoor in Gigabyte’s UEFI firmware, shipped on hundreds of retail and enterprise motherboard models.
Eclypsium says the code is intended to let Gigabyte install firmware updates over the Internet or from attached storage on a local area network. But according to the researchers, the tool is largely unsecured, meaning that any malicious actor who knows about it can potentially push their own code onto a PC’s motherboard. The problem was found in a Windows executable launched at boot that is capable of installing new UEFI firmware: it downloads from an unsecured Gigabyte server and installs the software without any signature verification.
The research blog post says this vulnerability could let attackers use the OEM backdoor to plant malicious code as a rootkit, either directly on a user’s machine or by compromising Gigabyte’s server. Man-in-the-middle attacks, in which an attacker on the network path swaps out the update while it is being downloaded, are also possible, because the updater verifies neither the server it talks to nor the file it receives. Eclypsium published three Gigabyte URLs that users or administrators can block to prevent Internet-based updates.
Hundreds of motherboard models are affected, including some of the latest retail boards for high-end system builders. You can see the complete list here (PDF link). Eclypsium says it has notified Gigabyte of the vulnerability and that the company plans to address the issue, presumably with a firmware update.
Update: Gigabyte has reached out to PCWorld to say it has “implemented stricter security controls during the operating system boot process.” Updated firmware for Intel 500, Intel 600, and AMD 600 series motherboards adds signature verification for the downloaded update and cryptographic verification of remote server certificates. Boards that have not yet received a new BIOS remain exposed until they do, so blocking the update URLs stays the interim mitigation.
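The two controls Gigabyte describes in its fix, a signature check on the downloaded payload and certificate verification on the connection, are exactly what the unpatched updater lacked. The following is an added example, not Gigabyte’s or Eclypsium’s code and not a reconstruction of the real updater, sketching an update path that refuses to install anything it cannot verify, next to the unchecked pattern the researchers describe. It is in Go because the standard library carries Ed25519 and TLS; the signature scheme, the key pair, the URLs, the payload and every function name are constructed for the demonstration (the real vendor key would be embedded in the firmware, not generated at run time).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// UpdateVerifier pins the vendor's public key. In a real updater the key is
// embedded in the firmware or binary; here it is generated for the demo.
type UpdateVerifier struct {
	VendorPub ed25519.PublicKey
}

// GenerateDemoKeys makes a throwaway Ed25519 key pair standing in for the
// vendor's signing key (hypothetical: not Gigabyte's key or algorithm).
func GenerateDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate produces the detached signature the vendor would publish
// alongside the update payload.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// insecureFetchAndRun is the unchecked pattern the researchers describe:
// whatever the network returns goes straight to the installer. Contrast only.
func insecureFetchAndRun(fetch func(string) ([]byte, error), run func([]byte) error, rawURL string) error {
	body, err := fetch(rawURL) // plain HTTP, or HTTPS with no certificate check
	if err != nil {
		return err
	}
	return run(body) // no signature check: a swapped or malicious file executes
}

// VerifyAndRun installs the payload only if the detached signature verifies
// under the pinned vendor key; tampered, unsigned or foreign-signed payloads
// never reach the installer.
func (v UpdateVerifier) VerifyAndRun(payload, sig []byte, run func([]byte) error) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(v.VendorPub, payload, sig) {
		return errors.New("update rejected: signature does not verify under vendor key")
	}
	return run(payload)
}

// CheckUpdateURL refuses plaintext HTTP, which a man in the middle rewrites freely.
func CheckUpdateURL(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("update URL %q rejected: only https://host/... is allowed", rawURL)
	}
	return nil
}

// TLSConfigFor keeps certificate verification on (InsecureSkipVerify false)
// and names the expected server, so a certificate for any other name fails
// the handshake instead of being silently accepted.
func TLSConfigFor(serverName string) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ServerName: serverName, InsecureSkipVerify: false}
}

// NewUpdateClient wraps the verified TLS configuration in an HTTP client.
func NewUpdateClient(serverName string) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: TLSConfigFor(serverName)}}
}

func main() {
	pub, priv, err := GenerateDemoKeys()
	if err != nil {
		panic(err)
	}
	v := UpdateVerifier{VendorPub: pub}
	install := func(b []byte) error { fmt.Printf("installing %d-byte update\n", len(b)); return nil }

	// Constructed payload standing in for a downloaded update image.
	payload := []byte("constructed update image, not a real firmware blob")
	sig := SignUpdate(priv, payload)
	fmt.Println("genuine:", v.VerifyAndRun(payload, sig, install))

	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 0x01 // one byte changed in transit
	fmt.Println("tampered:", v.VerifyAndRun(tampered, sig, install))

	// Contrast: the unchecked pattern installs whatever the "server" sent.
	attackerFetch := func(string) ([]byte, error) { return []byte("attacker-controlled"), nil }
	fmt.Println("unchecked:", insecureFetchAndRun(attackerFetch, install, "http://update.example/x"))

	fmt.Println("http url:", CheckUpdateURL("http://update.example/payload.exe"))
	fmt.Println("https url:", CheckUpdateURL("https://update.example/payload.exe"))
	_ = NewUpdateClient("update.example")
}
```

The order matters: the transport check and certificate verification stop an on-path attacker from substituting the file, and the signature check stops a compromised or impersonated server from shipping a payload the vendor never signed. Neither control alone covers both of the attack paths the researchers describe.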