FAQ

You may have seen some headlines about a supply-chain backdoor in millions of Gigabyte motherboards. Here’s the lowdown.
What’s the problem?
Gigabyte ships a wide range of motherboard models that come with an App Center utility, which is supposed to keep the system’s firmware, drivers, and related software up to date. It checks for updates and offers to fetch and install them, saving people from having to do it by hand or getting deep into their BIOS settings. Trouble is, the way Gigabyte implemented this potentially leaves people at risk of infection.

How so?
The UEFI firmware Gigabyte ships with its motherboards performs a number of actions as the system boots. On Windows PCs, this includes quietly writing a Windows program that’s embedded in the firmware to disk as GigabyteUpdateService.exe in the OS’s system32 folder, and running it. That .exe sets itself up as a Windows service, then fetches another executable from the internet and runs it. It fetches that second program from one of these locations:
hxxp://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
hxxps://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
hxxps://software-nas/Swhttp/LiveUpdate4
How does that lead to my Windows PC being infected?
Well, if someone were able to intercept those downloads and replace the fetched code with malicious programs, they would achieve code execution on the victim’s Windows box, and be able to commandeer it. Such an attacker could use DNS shenanigans so that requests to mb.download.gigabyte.com are redirected to a malicious server that hands out malware instead of a legit Gigabyte executable.
One of the URLs uses HTTP, which is easy for a well-placed attacker to intercept, and the other two use HTTPS, albeit without proper remote server certificate validation, so again, a man-in-the-middle (MITM) attack would be possible. Someone has to go to some lengths to pull this off. It’s not impossible, but there may be easier ways to infect someone.
And an attacker will likely have to make sure the fetched program passes Windows’ code-signing requirements. The firmware otherwise doesn’t do any checks to see if it’s downloading a legit binary. All in all, it’s not the most secure process, and could lead to the execution of malicious code and the deployment of spyware on an unsuspecting stranger’s machine.
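For admins who want to know whether machines on their network are reaching the download locations listed above, here is a small detection script. It is an added example written for this article, not Gigabyte’s code or anything from the researchers: it takes the three defanged (hxxp) URLs exactly as printed, re-fangs them, and scans constructed sample proxy log lines for fetches to those hosts, flagging the plaintext HTTP location separately since that is the one a well-placed attacker can intercept most easily. The log line format, the client addresses and the timestamps are all made up for the example.

```python
"""Spot hosts fetching the Gigabyte LiveUpdate4 payload in forward-proxy logs (added example)."""
import re
from urllib.parse import urlparse

# The three download locations named in the article, kept in their defanged form.
DEFANGED_UPDATE_URLS = [
    "hxxp://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "hxxps://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "hxxps://software-nas/Swhttp/LiveUpdate4",
]


def refang(url):
    """Restore the real scheme of a defanged hxxp(s):// URL so it can be compared with log entries."""
    return re.sub(r"^hxxp", "http", url, count=1)


UPDATE_URLS = {refang(u) for u in DEFANGED_UPDATE_URLS}
UPDATE_HOSTS = {urlparse(u).hostname for u in UPDATE_URLS}

# Constructed sample log lines (not real traffic): timestamp, client, method, target, HTTP status.
SAMPLE_LOG = """\
2023-06-01T08:01:12Z 10.0.0.5 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 200
2023-06-01T08:01:15Z 10.0.0.5 GET https://www.example.com/index.html 200
2023-06-01T08:02:40Z 10.0.0.7 CONNECT mb.download.gigabyte.com:443 200
2023-06-01T08:03:01Z 10.0.0.9 GET https://software-nas/Swhttp/LiveUpdate4 200
"""

# Assumed log layout for this example; adjust the pattern to the proxy you actually run.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$")


def classify(line):
    """Return a finding dict if the line is a fetch to one of the update hosts, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        # A CONNECT tunnel only reveals host:port; the TLS payload path is not visible to the proxy.
        host, scheme = target.rsplit(":", 1)[0], "https"
    else:
        parsed = urlparse(target)
        host, scheme = parsed.hostname, parsed.scheme
    if host not in UPDATE_HOSTS:
        return None
    return {
        "time": m["ts"],
        "client": m["client"],
        "host": host,
        "scheme": scheme,
        # The HTTP location is the one that can be tampered with by anyone on the path.
        "plaintext": scheme == "http",
        # True only when the full URL matches one of the published download locations.
        "exact_match": target in UPDATE_URLS,
    }


def scan(log_text):
    """Run classify() over every line and keep the hits."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def clients_with_plaintext_fetch(findings):
    """Clients that pulled the payload over HTTP; these deserve the first look."""
    return sorted({f["client"] for f in findings if f["plaintext"]})


def clients_reaching_update_hosts(findings):
    """Every client that talked to any of the three download hosts, HTTP or HTTPS."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["client"]} -> {h["host"]} ({h["scheme"]}, exact={h["exact_match"]})')
    print("plaintext fetches from:", clients_with_plaintext_fetch(hits))
    print("all clients reaching update hosts:", clients_reaching_update_hosts(hits))
```

The HTTPS hits still matter: the article notes those two locations are fetched without proper certificate validation, so a client that reached them over TLS is not automatically in the clear. Feeding the script real proxy output gives you the list of machines whose firmware is performing this fetch, which is the set to check for the GigabyteUpdateService.exe service.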