
RGB is a massive security backdoor

Trixanity

A guy just discovered that all the RGB controls on motherboards are designed so poorly that people can use them as a backdoor into the motherboard.

Quote

I got frustrated at Gigabyte's RGB control stuff (I just REALLY want to turn my GPU LEDs off!) so I caved in and started reverse engineering RGB Fusion and OH GOD WHY DID I DO THAT IT IS SO HORRIBLY CURSED

Quote

1) They expose PCH GPIOs so they can bit-bang WS2812B LEDs from usermode.

2) Driver also gives direct read/write access to one of the smbus ports. Actually it might be more than one.

3) They expose some sort of ICSP flashing interface to an MCU?!

4) Driver object has no DACL.

It sounds like it's possible to upload various pieces of software through whatever interface/API the RGB control uses. The RGB software has even been discovered to be quite buggy, resulting in the software causing bootloops and therefore requiring a CMOS reset to get out of the loop. That you can mess with the RGB in that fashion can lead to a host of problems and possible attacks.

 

Read more in the Twitter thread.

 

Source: https://twitter.com/gsuberland/status/1175570500292108289


You might already have a larger issue when people can get within physical distance of your PC. Pretty much no security can protect against that. But it's an interesting post; makes me wonder what it took to figure this out.


44 minutes ago, Jarno. said:

You might already have a larger issue when people can get within physical distance of your PC. Pretty much no security can protect against that. But it's an interesting post; makes me wonder what it took to figure this out.

From what I understand they'd not necessarily need physical access. I'm assuming the RGB software has admin privileges to write to the firmware, and it's unlikely that the software itself is very secure, so from there it's just about having remote access to the computer (or the software itself) one way or another. That RGB software can even get this much access is absolutely crazy. I'd like more high-level details to completely understand the attack vector.

 

So far this seems limited to Gigabyte motherboards (however it might be more widespread). An RGB keyboard or mouse seems to use a much simpler and more appropriate API.

 

Regarding how and why: a clever guy being tired of the LEDs and trying to nuke the RGB software. You can get a lot of things done when you're irritated. Frustration is a powerful motivator.


1 minute ago, Trixanity said:

From what I understand they'd not necessarily need physical access. I'm assuming the RGB software has admin privileges to write to the firmware, and it's unlikely that the software itself is very secure, so from there it's just about having remote access to the computer (or the software itself) one way or another. That RGB software can even get this much access is absolutely crazy. I'd like more high-level details to completely understand the attack vector.

 

So far this seems limited to Gigabyte motherboards (however it might be more widespread). An RGB keyboard or mouse seems to use a much simpler and more appropriate API.

 

Regarding how and why: a clever guy being tired of the LEDs and trying to nuke the RGB software. You can get a lot of things done when you're irritated. Frustration is a powerful motivator.

If that is true then it's crazy, yes. Software should not be able to get that level of access in my opinion.


37 minutes ago, Jarno. said:

If that is true then it's crazy, yes. Software should not be able to get that level of access in my opinion.

Just read some new info: apparently you don't even need admin access. Any user has access, on the basis that any user should be able to change the RGB lighting and hence has read/write access.

Quote

The driver executable is placed into a writable location, meaning from a non-admin account you can replace the driver with one that you can use to leverage for gaining admin / kernel code execution, e.g. the old Asus ASMMAP driver.

Quote

The driver also doesn't set an access control list (ACL) on itself while running, which is probably on purpose so that a non-admin user can change RGB patterns. It also means non-admin users can talk to the driver and abuse its features.

Quote

The whole RGB thing works by passing some data from the application to a driver, and that driver then sends the data to physical devices on the motherboard via either smbus (a low speed hardware bus) or general purpose IO (GPIO) from the chipset (PCH).

There's a lot more info, but basically, instead of the driver acting as a middleman for any requests from the software (and therefore acting as a gatekeeper), it just indiscriminately allows direct access to the hardware like some kind of pass-through. The bus it uses to communicate is shared, so any other hardware on that bus would be compromised as well and could (if nothing else) be used to brick your stuff. Also, the NIC is supposedly on the same bus, so you could use it while circumventing the OS to send packets to and from your device without you knowing it.

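One of the quoted findings is checkable on any Windows box: whether a loaded kernel driver's binary (or the directory it sits in) is writable by low-privilege principals. The following PowerShell audit is an added example for this thread, not code from the original post or from Gigabyte; it enumerates the drivers Windows reports through `Win32_SystemDriver`, normalises their NT-style paths, and reports those whose file or parent directory grants write-class rights to Everyone, Authenticated Users, BUILTIN\Users or ANONYMOUS LOGON. The well-known SIDs and the set of rights treated as "write-class" are choices made here for the example.

```powershell
# Added example (not from the thread): audit loaded kernel drivers whose binary
# or containing directory is writable by low-privilege principals. Read-only:
# it only inspects file ACLs and touches no hardware.

# Well-known low-privilege SIDs checked for write-class Allow ACEs (example's choice).
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-7'        # ANONYMOUS LOGON
)

# Rights that let a holder replace, delete or re-permission the object.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteOwner

function Get-LowPrivWriter {
    # Returns the first low-privilege identity holding write-class Allow rights
    # on $Path, or $null when none is found (or the ACL is unreadable).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # untranslatable / orphaned identity: skip it
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

function ConvertTo-Win32Path {
    # Win32_SystemDriver.PathName may carry NT-style prefixes; normalise to Win32.
    param([Parameter(Mandatory)][string]$NtPath)
    $p = $NtPath.Trim('"')
    if ($p -like '\??\*')         { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p -like 'system32\*' -or $p -like '\system32\*') {
        $p = Join-Path $env:SystemRoot $p.TrimStart('\')
    }
    return $p
}

$findings = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = ConvertTo-Win32Path -NtPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        $fileWriter = Get-LowPrivWriter -Path $path
        $dirWriter  = Get-LowPrivWriter -Path (Split-Path -Parent $path)
        if ($fileWriter -or $dirWriter) {
            [pscustomobject]@{
                Driver       = $_.Name
                State        = $_.State
                StartMode    = $_.StartMode
                Path         = $path
                FileWritable = $fileWriter   # identity with write rights on the .sys, if any
                DirWritable  = $dirWriter    # identity with write rights on its folder, if any
            }
        }
    }

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver's ACL is readable; an empty table means no loaded driver binary sits in a low-privilege-writable location. This covers only the "writable location" point from the quotes. The separate "no DACL on the driver object" point concerns the device object in the kernel's object namespace, not a file; that DACL can be inspected with Sysinternals AccessChk against the `\Device` namespace rather than with `Get-Acl`.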

I have Asus, and I have Aura Sync disabled and not installed, though Corsair iCue or EVGA's LED software for my GPU is likely not any better. 

Community Standards | Fan Control Software

Please make sure to Quote me or @ me to see your reply!

Just because I am a Moderator does not mean I am always right. Please fact check me and verify my answer. 

 

"Black Out"

Ryzen 9 5900x | Full Custom Water Loop | Asus Crosshair VIII Hero (Wi-Fi) | RTX 3090 Founders | Ballistix 32gb 16-18-18-36 3600mhz 

1tb Samsung 970 Evo | 2x 2tb Crucial MX500 SSD | Fractal Design Meshify S2 | Corsair HX1200 PSU

 

Dedicated Streaming Rig

 Ryzen 7 3700x | Asus B450-F Strix | 16gb Gskill Flare X 3200mhz | Corsair RM550x PSU | Asus Strix GTX1070 | 250gb 860 Evo m.2

Phanteks P300A |  Elgato HD60 Pro | Avermedia Live Gamer Duo | Avermedia 4k GC573 Capture Card

 


They're not "backdoors" in the sense that they didn't intentionally program the stuff to give them control of your computer from the internet or whatever.

It's just poor programming and taking the easiest route and using cheap parts instead of doing it right, with security and care in mind.

32 minutes ago, VegetableStu said:

kinda wonder what's on MSI's side though

Well, considering how badly their software sucks, I wouldn't be surprised at all if it was even worse than the Gigabyte software in this story. Also, no BIOS option whatsoever to control RGB -- not even to turn it off.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


5 minutes ago, WereCatf said:

Well, considering how badly their software sucks, I wouldn't be surprised at all if it was even worse than the Gigabyte software in this story. Also, no BIOS option whatsoever to control RGB -- not even to turn it off.

At least Asus gives us the option to disable RGB in the BIOS; that's one thing they have going for them on this.


5 minutes ago, Skiiwee29 said:

At least Asus gives us the option to disable RGB in the BIOS; that's one thing they have going for them on this.

Would be nice to have that option on my mobo. I don't have a transparent side panel, so all the RGB stuff is useless and only wastes power, so it'd make sense to just disable it all.


1 hour ago, RejZoR said:

I knew avoiding RGB would make sense at some point. Presenting you exhibit 1.

do my eyes deceive me?

another Anti-RGB person?

it can't be.

...

it is...

brother where have you been! the PCMR attacked Anti city back in 2017! it was a massacre...so many Anti-RGBians turned into slaves to create RGB equipment for the PCMR...

*sniff*

i'm sorry... so many were lost during the battle... including my wife and two kids...they... *sniff* the-they were going to grow up and become knights to protect the kingdom from the PCMR and even lose their lives during a crusade... *sniff*

OH GOD WHY!!!!

OH SPONGE AND PAT!!!

WHY!!!!!!

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N


Well, good news for Linux users I guess. Since RGB is non-existent there, just leaving it out in the open like that is helpful.

Regardless, companies should know better than this, and I'm not surprised in the slightest at janky RGB implementations.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


1 hour ago, Salv8 (sam) said:

do my eyes deceive me?

another Anti-RGB person?

it can't be.

...

it is...

brother where have you been! the PCMR attacked Anti city back in 2017! it was a massacre...so many Anti-RGBians turned into slaves to create RGB equipment for the PCMR...

*sniff*

i'm sorry... so many were lost during the battle... including my wife and two kids...they... *sniff* the-they were going to grow up and become knights to protect the kingdom from the PCMR and even lose their lives during a crusade... *sniff*

OH GOD WHY!!!!

OH SPONGE AND PAT!!!

WHY!!!!!!

Um, what? O_o


10 minutes ago, VegetableStu said:

oh crap i just realised there's a thread in general ( /)_(\

 

meh needed one in tech news anyway.

I live in misery USA. my timezone is central daylight time which is either UTC -5 or -4 because the government hates everyone.

into trains? here's the model railroad thread!


What can you achieve with hacking RGB? 

Specs:

Motherboard: Asus X470-PLUS TUF Gaming (Yes I know it's poor but I wasn't informed)

RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X

Case: Antec P8

PSU: Corsair RM850x

Cooler: Antec K240 with two Noctua Industrial PPC 3000 PWM

Drives: Samsung 970 EVO Plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168

GPU: EVGA RTX 2080 Ti Black Edition


5 hours ago, WereCatf said:

Would be nice to have that option on my mobo. I don't have a transparent side panel, so all the RGB stuff is useless and only wastes power, so it'd make sense to just disable it all.

Not a big fan of RGB either, but the power waste is irrelevant, since LEDs don't draw much current. You'd likely waste more energy from the light in your refrigerator than you would from RGB, unless you have an insane amount of it in your system (or you just never use your fridge).

1 hour ago, RejZoR said:

Um, what? O_o

Yeah, I had a similar reaction. Looks like someone needs to lay off the drugs.

4 minutes ago, williamcll said:

What can you achieve with hacking RGB? 

From my understanding, one major concern is that if a device shares the same SMBUS as the RGB, it can be controlled directly through software by non-admins, with no authentication required.


30 minutes ago, williamcll said:

What can you achieve with hacking RGB? 

It's not so much about hacking RGB itself as it is about RGB features exposing the system to potential unauthorized access. From what I understand they are using unusual methods to achieve RGB results, and those methods can expose systems to baddies.


What!?!?! Poorly written Chinese software is a security vulnerability? Wait till the internet hears about that.

 

Slayerking92

<Type something witty here>
<Link to some pcpartpicker fantasy build and claim as my own>


3 hours ago, will4623 said:

meh needed one in tech news anyway.

Mine was in Tech News but it got moved for whatever reason.


-= Topics Merged =-

COMMUNITY STANDARDS   |   TECH NEWS POSTING GUIDELINES   |   FORUM STAFF

LTT Folding Users Tips, Tricks and FAQ   |   F@H & BOINC Badge Request   |   F@H Contribution    My Rig   |   Project Steamroller

I am a Moderator, but I am fallible. Discuss or debate with me as you will but please do not argue with me as that will get us nowhere.


Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

Reputation is a Lifetime to create but seconds to destroy.

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "to teach is to learn"

 

 CHRISTIAN MEMBER 


On 9/24/2019 at 4:08 PM, williamcll said:

What can you achieve with hacking RGB? 

You can set one light to be the wrong colour, everything else is blue but that one red light shines and they can’t work out how to change it.

i5 8600 - RX580 - Fractal Nano S - 1080p 144Hz
