
RGB is a massive security backdoor

A guy just discovered that all the RGB controls on motherboards are designed so poorly that people can use them as a backdoor into the motherboard.

Quote

I got frustrated at Gigabyte's RGB control stuff (I just REALLY want to turn my GPU LEDs off!) so I caved in and started reverse engineering RGB Fusion and OH GOD WHY DID I DO THAT IT IS SO HORRIBLY CURSED

Quote

1) They expose PCH GPIOs so they can bit-bang WS2812B LEDs from usermode.

2) Driver also gives direct read/write access to one of the smbus ports. Actually it might be more than one.

3) They expose some sort of ICSP flashing interface to an MCU?!

4) Driver object has no DACL.

It sounds like it's possible to upload various pieces of software through whatever interface/API the RGB control uses. The RGB software has even been discovered to be quite buggy, resulting in the software causing bootloops and therefore requiring a CMOS reset to get out of the loop. That you can mess with the RGB in that fashion can lead to a host of problems and possible attacks.

 

Read more in the Twitter thread.

 

Source: https://twitter.com/gsuberland/status/1175570500292108289

Link to post
Share on other sites

You might already have a larger issue when people can get to physical distance of your PC. Pretty much no security can protect against that. But interesting post, makes me wonder what it took to figure this out.

Link to post
Share on other sites
44 minutes ago, Jarno. said:

You might already have a larger issue when people can get to physical distance of your PC. Pretty much no security can protect against that. But interesting post, makes me wonder what it took to figure this out.

From what I understand they'd not necessarily need physical access. I'm assuming the RGB software has admin privileges to write to the firmware and it's unlikely that the software itself is very secure, so from there it's just about having remote access to the computer (or the software itself) one way or another. That RGB software can even get this much access is absolutely crazy. I'd like more high level details to completely understand the attack vector.

 

So far this seems limited to Gigabyte motherboards (however it might be more widespread). An RGB keyboard or mouse seems to use a much simpler and more appropriate API.

 

Regarding how and why: a clever guy being tired of the LEDs and trying to nuke the RGB software. You can get a lot of things done when you're irritated. Frustration is a powerful motivator.

Link to post
Share on other sites
1 minute ago, Trixanity said:

From what I understand they'd not necessarily need physical access. I'm assuming the RGB software has admin privileges to write to the firmware and it's unlikely that the software itself is very secure, so from there it's just about having remote access to the computer (or the software itself) one way or another. That RGB software can even get this much access is absolutely crazy. I'd like more high level details to completely understand the attack vector.

 

So far this seems limited to Gigabyte motherboards (however it might be more widespread). An RGB keyboard or mouse seems to use a much simpler and more appropriate API.

 

Regarding how and why: a clever guy being tired of the LEDs and trying to nuke the RGB software. You can get a lot of things done when you're irritated. Frustration is a powerful motivator.

If that is true then it's crazy, yes. Software should not be able to get that level of access in my opinion.

Link to post
Share on other sites
37 minutes ago, Jarno. said:

If that is true then it's crazy, yes. Software should not be able to get that level of access in my opinion.

Just read some new info: apparently you don't even need admin access. Any user has access, on the basis that any user should be able to change the RGB lighting, hence the read/write access.

Quote

The driver executable is placed into a writable location, meaning from a non-admin account you can replace the driver with one that you can use to leverage for gaining admin / kernel code execution, e.g. the old Asus ASMMAP driver.

Quote

The driver also doesn't set an access control list (ACL) on itself while running, which is probably on purpose so that a non-admin user can change RGB patterns. It also means non-admin users can talk to the driver and abuse its features.

Quote

The whole RGB thing works by passing some data from the application to a driver, and that driver then sends the data to physical devices on the motherboard via either smbus (a low speed hardware bus) or general purpose IO (GPIO) from the chipset (PCH).

There's a lot more info but basically instead of the driver acting as a middle man to any requests from the software (and therefore acting as a gatekeeper) it just indiscriminately allows direct access to the hardware like some kind of pass-through. The bus it uses to communicate is shared so any other hardware on that bus would be compromised as well and could (if nothing else) be used to brick your stuff. Also, the NIC is supposedly on the same bus so you could use it while circumventing the OS to send packets to and from your device without you knowing it.

Link to post
Share on other sites
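A practical check for the first point quoted in the post above, that the driver binary lives somewhere a non-admin user can replace it. This is an added example written for this thread, not code from Graham Sutherland, Gigabyte or any other vendor: it parses the output of the built-in Windows icacls tool and flags allow-ACEs that give write-type rights to a principal every non-admin account holds. The two sample outputs, the vendor directory and the driver file names in them are constructed for the example, not taken from a real RGB Fusion install.

```python
"""Flag kernel-driver binaries that a non-admin user could overwrite.

Example code for the thread, not a vendor's software. Parses `icacls`
output so the logic can be exercised offline on constructed samples;
the live query happens only under __main__.
"""
import re
import subprocess
import sys

# Principals every interactive non-admin account belongs to (matched case-insensitively).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that let the holder replace or modify the file: the simple
# rights F/M/W plus the specific rights that amount to the same thing.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DE", "WDAC", "WO"}

# Parenthesised tokens icacls prints that are ACE flags rather than rights.
ACE_FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}

ACE_LINE = re.compile(r"^(?P<principal>.+?):(?P<aces>(?:\([^()]*\))+)$")


def parse_icacls(output, path):
    """Yield (principal, rights, denied) for each ACE line in icacls output for `path`."""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):          # the first ACE line carries the path in front of it
            line = line[len(path):].strip()
        m = ACE_LINE.match(line)
        if not m:                          # blank line or the trailing summary line
            continue
        tokens = re.findall(r"\(([^()]*)\)", m.group("aces"))
        rights = []
        for tok in tokens:
            if tok in ACE_FLAGS:
                continue
            rights.extend(r.strip() for r in tok.split(","))   # e.g. "(RD,WD,AD)"
        yield m.group("principal"), rights, "DENY" in tokens


def low_priv_writers(output, path):
    """Return [(principal, [rights])] for allow-ACEs granting a low-privilege principal write access."""
    findings = []
    for principal, rights, denied in parse_icacls(output, path):
        if denied or principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(set(rights) & WRITE_RIGHTS)
        if granted:
            findings.append((principal, granted))
    return findings


def audit_driver(path):
    """Run icacls on the live system (Windows only) and report low-privilege write access."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=False).stdout
    return low_priv_writers(out, path)


# Constructed sample 1: a driver unpacked under ProgramData where Users inherit Modify.
SAMPLE_BAD_PATH = r"C:\ProgramData\ExampleVendor\rgbdrv.sys"
SAMPLE_BAD = r"""C:\ProgramData\ExampleVendor\rgbdrv.sys NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Administrators:(I)(F)
                                        BUILTIN\Users:(I)(M)
                                        Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample 2: the default ACL of a driver under System32\drivers (Users read-only).
SAMPLE_OK_PATH = r"C:\Windows\System32\drivers\example.sys"
SAMPLE_OK = r"""C:\Windows\System32\drivers\example.sys NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Administrators:(I)(F)
                                       BUILTIN\Users:(I)(RX)
                                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:        # no paths given: show the parser on the constructed samples
        print("sample (bad):", low_priv_writers(SAMPLE_BAD, SAMPLE_BAD_PATH))
        print("sample (ok): ", low_priv_writers(SAMPLE_OK, SAMPLE_OK_PATH))
    for target in targets:
        print(target, "->", audit_driver(target) or "no low-privilege write access")
```

Run it on the machine as `python audit_driver.py C:\path\to\driver.sys`; `driverquery /v` lists the loaded drivers with their paths. The second point in the post, the missing DACL on the device object, is a property of the object-manager namespace rather than of a file, so this script does not cover it; Sysinternals accesschk can display object security descriptors, but the thread does not give the device name.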

[image: t-b-rgb_12_gallery_12.jpg]

the colour of the lights when people read this thread

 

preface: I have no idea on the low-level specifics to explain the stuff, so I'm relying heavily on the source

source:

 

via @GoldenLag (thanks!)

 

the technical TL;DR:

Quote

Graham Sutherland:

  1. They expose PCH GPIOs so they can bit-bang WS2812B LEDs from usermode.
  2. Driver also gives direct read/write access to one of the smbus ports. Actually it might be more than one.
  3. They expose some sort of ICSP flashing interface to an MCU?!
  4. Driver object has no DACL.

The latest item in their release changelog is "fix some security vulnerability" and I... I just can't. This whole thing is a giant backdoor into your motherboard's internals.

 

[image: EFB4789XsAAa1_L.png]

*endless screaming*

the 101 version:

Quote

Graham Sutherland:

Since this thread is now circulating outside of infosec Twitter, here's a less-technical explainer on why this is a mess...

 

The driver executable is placed into a writable location, meaning from a non-admin account you can replace the driver with one that you can use to leverage for gaining admin / kernel code execution, e.g. the old Asus ASMMAP driver. The driver also doesn't set an access control list (ACL) on itself while running, which is probably on purpose so that a non-admin user can change RGB patterns. It also means non-admin users can talk to the driver and abuse its features.

 

The whole RGB thing works by passing some data from the application to a driver, and that driver then sends the data to physical devices on the motherboard via either smbus (a low speed hardware bus) or general purpose IO (GPIO) from the chipset (PCH).

 

A sane way to do this is to have the application tell the driver "hey I wanna change colours" and the driver say "ok cool I'll handle all the hardware stuff". Instead the driver just exposes all the hardware stuff to usermode and the application does all the interaction directly. This is a problem because smbus is a shared bus and the driver is giving you access to everything on that bus. So that might include security-sensitive devices. It certainly opens the opportunity to brick your hardware.

 

Another thing that uses smbus is the network controller (NIC), for the purposes of out-of-band management (Intel vPro/AMT). So you could potentially use the driver to talk to the network without the OS seeing any packets.

That's what we call a covert channel. I once gave a talk on doing exactly this from a malicious stick of RAM in a supply-chain attack. It's pretty wild. The thing I mentioned about the MCU (microcontroller) is sketchy because they're providing you with a little computer inside your computer that you can flash code to. It doesn't have access to much (it can talk to PCI-e cards that have SMBus pins wired, and that's about it). But it's a way of hiding data off of the machine in such a way that will persist across OS-reinstalls. It doesn't allow you to persist malware or anything like that but it's a neat covert storage location.

 

Having a fair bit of experience with these types of drivers, I guarantee that if I took the time to dig into it more I'd find a bunch of privilege escalation vulnerabilities in it. I may yet do this and disclose the bugs to Gigabyte. Not sure if I can be bothered.

._.


nope. if I'm getting a new motherboard with RGB on it, I'm not installing the RGB bloatware. heck, I think I'd just operate off the generic chipset drivers from Windows Update

or better yet, find one that can turn off the onboard lights in BIOS or a physical switch. or even better get one WITHOUT THEM.

 

kinda wonder what's on MSI's side though. they (or at least a few of their boards) depend on Corsair's implementation (i.e. iCUE)

Link to post
Share on other sites
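The "sane way to do this" paragraph in the quote above (and the same point in Trixanity's post earlier in the thread) is a design question, so here is the two designs side by side as a small model. This is an added example written for this thread, not code from Graham Sutherland or from any vendor driver: a fake SMBus records what reaches the hardware, one handler passes raw address/register/value triples straight through from user mode, the other accepts only a zone and a colour and keeps the bus mapping inside the driver. The addresses, register map and zone table are invented for illustration and do not describe any real board.

```python
"""Pass-through versus gatekeeper driver interface, as a model.

Example code for the thread; addresses, registers and zones are invented.
"""
import random

LED_CONTROLLER_ADDR = 0x68   # hypothetical 7-bit SMBus address of the LED controller
NIC_MGMT_ADDR = 0x40         # hypothetical address of another device sharing the bus
ZONES = {0: 0x10, 1: 0x13}   # lighting zone -> first register of its R,G,B triplet


class FakeBus:
    """Stand-in for the PCH SMBus: records every write that reaches 'hardware'."""

    def __init__(self):
        self.writes = []

    def write_byte(self, addr, reg, value):
        self.writes.append((addr, reg, value))


def passthrough_ioctl(bus, req):
    """Pass-through design: user mode names address, register and value.
    The driver only checks that the fields are well-formed, so every device
    on the shared bus is reachable by whoever can open the device object."""
    addr, reg, value = req
    if not (0 <= addr < 0x80 and 0 <= reg < 0x100 and 0 <= value < 0x100):
        raise ValueError("malformed request")
    bus.write_byte(addr, reg, value)


def set_colour_ioctl(bus, req):
    """Gatekeeper design: user mode names a zone and a colour; the driver owns
    the mapping to bus traffic, so no input can address a different device."""
    zone, r, g, b = req
    if zone not in ZONES:
        raise ValueError("unknown zone")
    if not all(0 <= c < 0x100 for c in (r, g, b)):
        raise ValueError("colour out of range")
    base = ZONES[zone]
    for offset, value in enumerate((r, g, b)):
        bus.write_byte(LED_CONTROLLER_ADDR, base + offset, value)


def flash_mcu_ioctl(caller_is_admin, image):
    """A code-loading operation (the ICSP path in the thread) must be gated per
    call on the caller's privilege, not on who was allowed to open the device."""
    if not caller_is_admin:
        raise PermissionError("MCU flashing requires an administrator")
    return len(image)   # a real driver would hand the image to the flashing path here


def addresses_reached(handler, requests):
    """Feed a batch of requests to a handler; return the set of bus addresses
    that received writes (rejected requests write nothing)."""
    bus = FakeBus()
    for req in requests:
        try:
            handler(bus, req)
        except ValueError:
            pass
    return {addr for addr, _, _ in bus.writes}


def attacker_requests(n=500, seed=1):
    """Constructed request batches: random raw transactions plus one deliberate
    write to the other device, and random (possibly out-of-range) colour requests."""
    rng = random.Random(seed)
    raw = [(rng.randrange(0x80), rng.randrange(0x100), rng.randrange(0x100)) for _ in range(n)]
    raw.append((NIC_MGMT_ADDR, 0x00, 0xFF))
    colours = [(rng.randrange(-1, 3), rng.randrange(-5, 0x105),
                rng.randrange(0x100), rng.randrange(0x100)) for _ in range(n)]
    return raw, colours


if __name__ == "__main__":
    raw, colours = attacker_requests()
    print("pass-through reached:", sorted(hex(a) for a in addresses_reached(passthrough_ioctl, raw)))
    print("gatekeeper reached:  ", sorted(hex(a) for a in addresses_reached(set_colour_ioctl, colours)))
```

The point the model makes: with the pass-through interface the only thing standing between a non-admin user and every device on the bus is the device object's DACL, which the thread says is deliberately open so that any user can change the lighting; with the gatekeeper interface an open DACL is tolerable, because the worst a caller can do is pick a colour, and the operations that genuinely need privilege (flashing the MCU) are checked individually.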

I have Asus, and I have Aura Sync disabled and not installed, though Corsair iCue or EVGA's LED software for my GPU is likely not any better. 

PSU Tier List Thread

Please make sure to Quote me or @ me to see your reply!

 

"White Ice"

Ryzen 7 3700x | Asus Crosshair VIII Hero (Wi-Fi) | EVGA RTX 2080ti | Ballistix 32gb 16-18-16-36 3600mhz | Custom Water Cooling Loop | 1tb Samsung 970 Evo

2tb Crucial MX500 SSD | 2x 3tb Seagate Drive | Fractal Design Meshify S2 |  EVGA G2 750w PSU | 3x Corsair LL140 | 3x Corsair LL120

 

Dedicated Streaming Rig

 Ryzen 7 1800x | Asus B450-F Strix | 32gb Gskill Flare X 3000mhz | Corsair RM550x | EVGA GTX 1060 3gb | 250gb 860 Evo m.2

Phanteks Enthoo Evolv |  Elgato HD60 Pro | Elgato 4k60 Pro mk.2 | Avermedia 4k GC573 Capture Card

 

Link to post
Share on other sites

They're not "backdoors" in the sense that they didn't intentionally program the stuff to give them control of your computer from the internet or whatever.

It's just poor programming and taking the easiest route and using cheap parts instead of doing it right, with security and care in mind.


Link to post
Share on other sites
32 minutes ago, VegetableStu said:

kinda wonder what's on MSI's side though

Well, considering how badly their software sucks, I wouldn't be surprised at all if it was even worse than the Gigabyte-software in this story. Also, no BIOS-option, whatsoever, to control RGB -- not even to turn it off.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to post
Share on other sites
5 minutes ago, WereCatf said:

Well, considering how badly their software sucks, I wouldn't be surprised at all if it was even worse than the Gigabyte-software in this story. Also, no BIOS-option, whatsoever, to control RGB -- not even to turn it off.

At least Asus gives us the option to disable RGB in the BIOS, that's one thing they have for them on this.

Link to post
Share on other sites
5 minutes ago, Skiiwee29 said:

At least Asus gives us the option to disable RGB in the BIOS, that's one thing they have for them on this.

Would be nice to have that option on my mobo. I don't have a transparent side-panel, so all the RGB-stuff is useless and only wastes power, so it'd make sense to just disable it all.


Link to post
Share on other sites
2 minutes ago, WereCatf said:

Would be nice to have that option on my mobo. I don't have a transparent side-panel, so all the RGB-stuff is useless and only wastes power, so it'd make sense to just disable it all.

I'm of the kind who would debrand (yeah that's where dbrand got their name from) most of their belongings (bags, just stuff with gaudy branding sew-ons or stickers), but if I were to go all-out crazy I might desolder stuff to turn the lights out ._.

Link to post
Share on other sites

All your base rgb are belong to us

Awareness is key. Never enough, even in the face of futility. Speak the truth as if you may never get to say it again. This world is full of ugly. Change it they say. The only way is to reveal the ugly. To change the truth you must first acknowledge it. Never pretend it isn't there. Never bend the knee.

 

Please quote my post in your reply, so that I will be notified and can respond to it. Thanks.

Link to post
Share on other sites

I knew avoiding RGB would make sense at some point. Presenting you exhibit 1.

AMD Ryzen 7 5800X | ASUS Strix X570-E | G.Skill 32GB 3600MHz CL16 | PALIT RTX 3080 10GB GamingPro | Samsung 850 Pro 2TB | Seagate Barracuda 8TB | Sound Blaster AE-9 MUSES

Link to post
Share on other sites
1 hour ago, RejZoR said:

I knew avoiding RGB would make sense at some point. Presenting you exhibit 1.

do my eyes deceive me?

another Anti-RGB person?

it can't be.

...

it is...

brother where have you been! the PCMR attacked Anti city back in 2017! it was a massacre...so many Anti-RGBians turned into slaves to create RGB equipment for the PCMR...

*sniff*

I'm sorry... so many were lost during the battle... including my wife and two kids... they... *sniff* the-they were going to grow up and become knights to protect the kingdom from the PCMR and even lose their lives during a crusade... *sniff*

OH GOD WHY!!!!

OH SPONGE AND PAT!!!

WHY!!!!!!

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/yJ2cQV

5U The Waifu (my new in-progress server): https://linustechtips.com/main/topic/1130931-5u-the-waifu-my-new-server/

 

Link to post
Share on other sites

Well, good news for Linux users I guess. Since RGB is non-existent, just leaving it out in the open like that is helpful.

Regardless, companies should know better than this, and I'm not surprised in the slightest at janky RGB implementations

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

LinusWare Dev | NotCPUCores Dev

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

Link to post
Share on other sites
1 hour ago, Salv8 (sam) said:

do my eyes deceive me?

another Anti-RGB person?

it can't be.

...

it is...

brother where have you been! the PCMR attacked Anti city back in 2017! it was a massacre...so many Anti-RGBians turned into slaves to create RGB equipment for the PCMR...

*sniff*

I'm sorry... so many were lost during the battle... including my wife and two kids... they... *sniff* the-they were going to grow up and become knights to protect the kingdom from the PCMR and even lose their lives during a crusade... *sniff*

OH GOD WHY!!!!

OH SPONGE AND PAT!!!

WHY!!!!!!

Um, what? O_o


Link to post
Share on other sites
10 minutes ago, VegetableStu said:

oh crap I just realised there's a thread in general ( /)_(\

 

meh needed one in tech news anyway.

I live in misery USA. my timezone is central daylight time which is either UTC -5 or -4 because the government hates everyone.

into trains? here's the model railroad thread!

Link to post
Share on other sites

What can you achieve with hacking RGB? 

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 5 3600 @ 4.1Ghz          Case: Antec P8     PSU: G.Storm GS850                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition @ 2Ghz


Link to post
Share on other sites
5 hours ago, WereCatf said:

Would be nice to have that option on my mobo. I don't have a transparent side-panel, so all the RGB-stuff is useless and only wastes power, so it'd make sense to just disable it all.

Not a big fan of RGB either, but the power waste is irrelevant, since LEDs don't draw much current. You'd likely waste more energy from the light in your refrigerator than you would from RGB, unless you have an insane amount of it in your system (or you just never use your fridge).

1 hour ago, RejZoR said:

Um, what? O_o

Yeah, I had a similar reaction.  Looks like someone needs to lay off the drugs.

4 minutes ago, williamcll said:

What can you achieve with hacking RGB? 

From my understanding, one major concern is that if a device shares the same SMBUS as the RGB, it can be controlled directly through software by non-admins, with no authentication required.

Link to post
Share on other sites
30 minutes ago, williamcll said:

What can you achieve with hacking RGB? 

It's not as much with hacking RGB itself as it is RGB features exposing system to potential unauthorized access. From what I understand they are using unusual methods to achieve RGB results and those methods can expose systems to baddies.


Link to post
Share on other sites
