The hardware company Gigabyte will have to answer some tough questions.
The first and most difficult is, “Why did you put one backdoor cuts into your own motherboard firmware without telling anyone?” The second is, "Why didn't you lock the backdoor in any meaningful way, hoping that it would remain secure simply because they don't know?"
These questions and many more were raised by security research firm Eclysium when they discovered the backdoor in question in Gigabyte's UEFI firmware, which exists in hundreds of motherboard models on the market.
Eclysium he says that the code is used by Gigabyte to install firmware updates over the Internet or from a storage location on a local network. However, according to the researchers, the tool is not secure, which means that any malicious user who knows about it can load their own code onto a motherboard computer. The problem was discovered through a Windows bootable executable that can install new UEFI firmware, perform λήψη from some unsecure Gigabyte server and install the software without any signature verification.
The researchers' publication states that this security loophole could be used by attackers to upload malware archives such as rootkits, directly on a user's machine or by hacking a Gigabyte server. "Man in the middle" attacks are also possible, which interfere with the download process and serve whatever.
Eclysium provided three Gigabyte URLs that could be blocked by users or system administrators to prevent updates from the Internet.
- http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://software-nas/Swhttp/LiveUpdate4
Hundreds of motherboard models are affected, including some that have just been released to retail customers as well as high-end system builders. You can see a full list from here (PDF).
Eclysium says it has notified Gigabyte of the vulnerability and that the company plans to address the issue, possibly with a firmware update.
