Hardware company Gigabyte will have to answer some tough questions.
The first and most difficult one is, "Why did you put a backdoor in your own motherboard firmware without telling anyone?" The second is, "Why didn't you lock the backdoor in any meaningful way, hoping instead that it would remain secure simply because nobody knew about it?"
These questions and more were raised by security research firm Eclypsium when it discovered the backdoor in question in Gigabyte's UEFI firmware, which is present in hundreds of motherboard models on the market.
Eclypsium says the code is used by Gigabyte to install firmware updates over the Internet or from local network storage. According to the researchers, however, the tool is not secure, which means that any malicious actor who knows about it can load their own code onto a computer's motherboard. The problem was discovered in a Windows executable that can install new UEFI firmware: it downloads the software from an insecure Gigabyte server and installs it without any signature verification.
The researchers' publication states that this security hole could be used by attackers to deliver malware such as rootkits directly onto a user's machine, or by compromising a Gigabyte server. "Man in the middle" attacks that interfere with the download process and serve whatever the attacker wants are also possible.
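The missing check described above, as an added example that is not code from Gigabyte or Eclypsium: a Go sketch of an updater that pins the vendor's public key and refuses any firmware image whose detached signature does not verify, beside the unverified path the article describes. The key pair, firmware image and tampering are constructed here, and Ed25519 is assumed as the signing scheme purely for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrUntrustedUpdate is returned when a downloaded image fails verification.
var ErrUntrustedUpdate = errors.New("firmware image rejected: signature does not verify against the pinned vendor key")

// installUnverified models the updater behaviour the article describes: the
// downloaded bytes are accepted as-is, so a tampered download is "installed" too.
func installUnverified(image []byte) []byte {
	return image
}

// installVerified is the hardened form: the vendor's public key is embedded in
// the updater, and an image is accepted only if its detached signature verifies.
// (Hypothetical design; the real updater's key handling is not known from the article.)
func installVerified(vendorPub ed25519.PublicKey, image, sig []byte) ([]byte, error) {
	if len(vendorPub) != ed25519.PublicKeySize || !ed25519.Verify(vendorPub, image, sig) {
		return nil, ErrUntrustedUpdate
	}
	return image, nil
}

// tamper simulates an on-path party altering the download by appending a byte.
func tamper(image []byte) []byte {
	return append(append([]byte(nil), image...), 0x00)
}

func main() {
	// Constructed vendor key pair and firmware image; not real Gigabyte material.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("CONSTRUCTED-UEFI-IMAGE-v1.0")
	sig := ed25519.Sign(priv, image)

	fmt.Printf("unverified path installs tampered download: %q\n", installUnverified(tamper(image)))
	if _, err := installVerified(pub, image, sig); err == nil {
		fmt.Println("verified path accepts the genuine image")
	}
	_, err = installVerified(pub, tamper(image), sig)
	fmt.Println("verified path on tampered download:", err)
}
```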
Eclypsium provided three Gigabyte URLs that users or system administrators can block to prevent the updater from fetching updates from the Internet:
- http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://software-nas/Swhttp/LiveUpdate4
Hundreds of motherboard models are affected, including some that have only just been released to retail customers and high-end system builders. A full list is available here (PDF).
Eclypsium says it has notified Gigabyte of the vulnerability and that the company plans to address the issue, possibly with a firmware update.