Millions of Gigabyte motherboards and laptops ship with a backdoor built into their UEFI firmware!
Here's what you need to know about this cybersecurity threat and what you can do about it.
Gigabyte motherboards ship with firmware backdoor!
On May 31, 2023, researchers at cybersecurity firm Eclypsium revealed that 271 Gigabyte motherboard models were compromised with UEFI firmware with an embedded backdoor.
Eclypsium’s heuristic detection methods have recently started detecting suspicious backdoor-like behavior on Gigabyte motherboards. When their researchers analyzed it, they discovered that Gigabyte’s motherboard firmware was running a native Windows executable during the system boot process. This executable then insecurely downloads and executes additional payloads.
Based on your analysis, the executable appears to be a legitimate Gigabyte module called WpbtDxe.efi:
- Check if the “Download and install the app centerThe function is “enabled”.
- downloads executable payloads from Gigabyte servers
- It has a cryptographic signature from Gigabyte.
They also discovered that the downloaded payloads also have Gigabyte's cryptographic signatures, suggesting that this firmware backdoor was implemented by Gigabyte itself.
However, Eclypsium researchers discovered that Gigabyte's implementation had a number of issues, which would make it easier for threat actors to abuse the firmware backdoor:
- One of its payload download locations lacks SSL (it uses plain HTTP, rather than the more secure HTTPS), allowing for Machine-in-the-middle (MITM) attacks.
- Remote server certificate validation was not implemented correctly even when the other two HTTPS download locations were used, allowing for MITM attacks.
- One of the download locations for its payload is an attacked storage device (NAS) on the local network, which could allow a threat actor to spoof the location of the NAS to install their own malware.
- The Gigabyte firmware itself does not verify any cryptographic signatures or validate downloaded executables.
In short, millions of Gigabyte motherboards have a cybersecurity vulnerability due to their firmware including an insecure/vulnerable OEM backdoor. As John Loucaides of Eclypsium put it:
If you have one of these machines, you should be concerned about the fact that it is basically taking something from the Internet and running it without you being involved, and it has not done any of this in a secure manner.
The concept of going beyond the end user and taking control of their machine doesn't sit well with most people.
Note: This vulnerability affects all computers using Gigabyte motherboards, including laptops.
Gigabyte Releases New Firmware to Mitigate Backdoor!
After the news broke out untimely during Computex 2023, Gigabyte quickly released new beta firmware updates for your AMD and Intel motherboards.
According to Gigabyte, the new beta firmware updates have “enhanced security mechanisms” that will “Detect and prevent malicious activities during the boot process“. He also seemed to have implemented other changes:
- Improved the signature verification process for files downloaded from your remote servers
- perform more thorough file integrity checks to prevent the introduction of malicious code
- Enabled standard cryptographic verification of remote server certificates
The new firmware has just been released for AMD 600 series motherboards, as well as Intel 500 and 400 series motherboards, but will eventually be introduced for older motherboards. The new firmware will have the description “Addresses Download Wizard Vulnerabilities Reported by Eclypsium Research“.
Since Gigabyte has no intention of removing the backdoor feature, you may want to consider Eclypsium's advice on how to best reduce the risk of malicious actors taking advantage of it:
- Scan and monitor systems and firmware updates to detect affected Gigabyte systems and backdoor-like tools built into the firmware. Update systems to the latest validated firmware and software to address security issues like this.
- Please inspect and disable the “APP Center Download and Installation” feature in UEFI/BIOS settings on Gigabyte systems and set a BIOS password to prevent malicious changes.
- Administrators can also block the following URLs:
– http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
– https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
– https://software-nas/Swhttp/LiveUpdate4
To start, you should definitely download and flash your Gigabyte motherboard or laptop with the improved firmware. Then disable Download and install the App Center in the BIOS.
Hopefully Gigabyte can quickly release new and improved firmware to mitigate, if not eliminate, the backdoor vulnerability for the 271 affected motherboard models and their future motherboards and laptops. Even so, many users may not be aware of this vulnerability or these updates.
It seems likely that threat actors will have access to this backdoor vulnerability on many Gigabyte motherboards and laptops over the next few years. Even Loucaides of Eclypsium thinks so:
I still think this will end up being a fairly widespread problem on Gigabyte boards over the next few years.
Please support my work!
Support my work via bank transfer/PayPal/credit card!
Name: Adrian Wong
Wire transfer : CIMB7064555917 (Swift code: CIBBMYKL)
Credit card/Paypal: https://paypal.me/techarp
Dr. Adrian Wong has been writing about technology and science since 1997, and even published a book with Prentice Hall called Breaking the BIOS barrier (ISBN 978-0131455368) while I was in medical school.
He continues to spend countless hours each day writing about technology, medicine, and science, in his search for facts in a post-truth world.
Recommended reading
Return to > Computer | Cyber security | ARP technology
Support Tech ARP!
Please support us with Visiting our sponsorsparticipating in the ARP Technical Forumseither donating to our fund. Thank you!
Leave feedback about this