Hardware company Gigabyte will have to answer some tough questions.
The first and most difficult one is, "Why did you put a backdoor in your own motherboard firmware without telling anyone?" The second is, "Why didn't you lock the backdoor in any meaningful way, instead hoping it would stay safe simply because nobody knew it was there?"
These questions and many more were raised by security research firm Eclypsium when it discovered the backdoor in question in Gigabyte's UEFI firmware, which ships in hundreds of motherboard models on the market.
Eclypsium says Gigabyte uses the code to fetch firmware updates over the Internet or from a local network share. According to the researchers, however, the mechanism is not secured, which means that anyone who knows about it can load their own code onto the motherboard. The problem was traced to a Windows executable, run at boot, that can download new UEFI firmware from a Gigabyte server (one of the download URLs is plain HTTP) and install it without any signature verification.
The researchers' write-up states that an attacker could use this gap to plant malicious code such as a rootkit directly on a user's machine, either by compromising a Gigabyte server or by a man-in-the-middle attack that intercepts the download and serves an attacker-chosen payload in its place.
Eclypsium listed three Gigabyte URLs that users or system administrators can block to stop the updater from fetching anything from the Internet. Blocking them is a mitigation rather than a fix: the component that starts the download still ships in the firmware, and the third entry is an unqualified internal hostname ("software-nas") that only resolves on a local network.
- http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://software-nas/Swhttp/LiveUpdate4
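As an added illustration (not code from the article or from Eclypsium), the short script below turns the three URLs above into block rules and checks a handful of constructed request URLs against them. It shows two levels of blocking a practitioner might choose between: a URL-level rule for a proxy or web filter, which matches on host plus path prefix regardless of scheme so that the http and https variants are caught together, and a coarser hosts-file sinkhole, which blocks the hostnames outright. The sample requests are invented for the demonstration; the only real inputs are the three URLs from the article.

```python
"""Block rules for the Gigabyte LiveUpdate4 URLs.

Added example, not part of the original article or of Eclypsium's
research. It derives proxy-style (host + path prefix) rules and
hosts-file entries from the three published URLs and applies them
to constructed sample requests.
"""
from urllib.parse import urlsplit

# The three URLs listed in the article.
BLOCKED_URLS = [
    "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://software-nas/Swhttp/LiveUpdate4",
]


def parse_rules(urls):
    """Return (host, path_prefix) rules, one per URL.

    Scheme and port are dropped on purpose: the same path is served over
    both http and https, and a rule tied to one scheme would leave the
    other open.
    """
    rules = []
    for url in urls:
        parts = urlsplit(url)
        rules.append((parts.hostname.lower(), parts.path))
    return rules


def is_blocked(url, rules):
    """True if the URL's host matches a rule and its path starts with the
    rule's path prefix, so files below LiveUpdate4/ are caught too."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for rule_host, rule_path in rules:
        if host == rule_host and parts.path.startswith(rule_path):
            return True
    return False


def hosts_file_entries(rules):
    """Coarser alternative: sinkhole the hostnames in the hosts file.

    Note that 'software-nas' is an unqualified name that only resolves
    on networks that define it; sinkholing it blocks every internal host
    of that name, not just Gigabyte's updater.
    """
    hosts = sorted({host for host, _ in rules})
    return [f"0.0.0.0 {host}" for host in hosts]


# Constructed sample requests for the demonstration (not real traffic).
SAMPLE_REQUESTS = [
    "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4/update.zip",
    "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://software-nas/Swhttp/LiveUpdate4/bios.bin",
    "https://www.gigabyte.com/Support",
    "https://mb.download.gigabyte.com/FileList/Driver/audio.exe",
]


def classify(requests, rules):
    """Map each request URL to True (block) or False (allow)."""
    return {url: is_blocked(url, rules) for url in requests}


if __name__ == "__main__":
    rules = parse_rules(BLOCKED_URLS)
    print("# hosts-file entries")
    for line in hosts_file_entries(rules):
        print(line)
    print("# per-request decisions")
    for url, blocked in classify(SAMPLE_REQUESTS, rules).items():
        print("BLOCK" if blocked else "allow", url)
```

The path-prefix rule is the more precise of the two: it leaves other content on mb.download.gigabyte.com (drivers, manuals) reachable while still catching anything under the LiveUpdate4 path, whereas the hosts-file entries cut off the whole host. Either way, the download is stopped but the firmware-resident component that initiates it remains in place until Gigabyte ships a fix.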
Hundreds of motherboard models are affected, including boards that have only just reached retail customers and high-end system builders. You can see the full list here (PDF).
Eclypsium says it has notified Gigabyte of the vulnerability and that the company plans to address the issue, possibly with a firmware update.
