
Gigabyte Motherboards have a firmware backdoor

Kisai

 

Summary

 Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.

 

Quotes

Quote

Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they’ve discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with the affected Gigabyte motherboard restarts, Eclypsium found, code within the motherboard’s firmware invisibly initiates an updater program that runs on the computer and in turn downloads and executes another piece of software.

 

My thoughts

This is Bad with a capital B. I'm not sure why Gigabyte figured this was a good idea. User-initiated BIOS firmware update is OK, but automatically? The last thing you want is for it to download an update and then the computer is reset or powered off because the computer seems to be locked up at the BIOS screen. I've had previous bad experiences with Gigabyte boards flashing BIOSes unnecessarily (on their quad BIOS boards) and rendering the board unusable. I don't trust Gigabyte to do unmanned firmware updates properly, never mind how it gets the firmware.

 

Sources

https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/

https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/

https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf


Hmm, I was looking at their Z790 Master board as a good option with 10 GbE... This makes me nervous, to say the least.


Isn't this a toggle in the BIOS? At least it is in my two B450 GB boards. Though I remember they are on by default.


1 minute ago, Levent said:

Isn't this a toggle in the BIOS? At least it is in my two B450 GB boards. Though I remember they are on by default.

I would hope so. I don't want my motherboard firmware to update automatically, ever.


Yeah, those researchers paid by "security focused" companies already found 2 million vulnerabilities no one experienced IRL, mostly in order to sell their stuff, so I don't care once again...

 

 


7 minutes ago, mariushm said:

Yeah, it's not hidden, it's known... and can be easily disabled.

So realistically, I wouldn't have anything to worry about if I disable it.


14 hours ago, Mr Technician said:

So realistically, I wouldn't have anything to worry about if I disable it.

From what I've gathered, yes. If you disable the "App Center Download & Install" feature on the motherboard this gets solved (edit: you need to also do the steps below to fully get rid of it in an already installed version of Windows).

 

What happens is that if you have that function enabled in your UEFI, the motherboard injects a program called "GigabyteUpdateService" into your system32 folder. Then it registers the program as a service, and when it is running it checks for updates from Gigabyte's servers.

All that is in and of itself not really a big deal and is probably done for non-malicious purposes. However, the process doesn't check the validity of the downloaded files (at least not during downloading) which is a big no-no.

 

If you want to completely reverse and disable this you will need to:

1) Disable the app center function in your UEFI.

 

2) Delete this registry key:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GigabyteUpdateService

 

3) Delete the file located here (might not be possible if it's already running, in which case you need to stop the service from task manager or restart your PC):

%SystemRoot%\system32\GigabyteUpdateService.exe

 

 

 

Also, I already see people talking about how Gigabyte are terrible, please note that all companies mess up every once in a while. I don't see any indication of this being done maliciously but rather an oversight. 

It's getting pretty tiring seeing people go "company X is now on my shit-list" whenever any company messes up. The same company reported a breach at MSI about a month ago. Less than a month ago people were outraged at Asus for the AMD processors burning up (although that seems to have been an AMD issue that was fixed for everyone, not just Asus even though they were mostly affected). Last year ASRock motherboards were used in a large-scale attack because they contained vulnerabilities.

My point is that if your instinct is to always blacklist companies whenever they mess up, regardless of the circumstances, then you will have blacklisted pretty much every single company within a year. There needs to be more nuance in the conversations. The world isn't a Saturday morning cartoon where everything is either fantastic or the worst thing ever.

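The three cleanup steps in the post above, as an added PowerShell example that is not from the thread, from Gigabyte or from Eclypsium. The service name, the registry key and the executable path are the ones the post names; the function names, the audit output and the use of sc.exe are this example's own choices. Removal needs an elevated prompt; the audit function does not. Turning the App Center option off in UEFI is still step 1: with it on, the firmware re-drops the executable on the next boot and you would have to run this again.

```powershell
# Added example: audit and remove the Windows-side half of the App Center
# dropper described in the post. Not Gigabyte's or Eclypsium's code.
$ServiceName = 'GigabyteUpdateService'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$ExePath     = Join-Path $env:SystemRoot "System32\$ServiceName.exe"

function Test-GigabyteDropper {
    # One object describing what is present, so the same function doubles as
    # the post-cleanup check after a reboot (run it again to see if it came back).
    $svc    = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'Absent' }
    $result = [pscustomobject]@{
        ServiceInstalled = [bool]$svc
        ServiceStatus    = $status
        RegistryKey      = Test-Path -Path $ServiceKey
        ExePresent       = Test-Path -Path $ExePath
        Signature        = 'n/a'
        Sha256           = 'n/a'
    }
    if ($result.ExePresent) {
        # Record what was dropped before deleting it: hash plus Authenticode
        # signer. A valid signature tells you who built the dropper, not what
        # it fetched later, which is the part the post says is unverified.
        $result.Signature = (Get-AuthenticodeSignature -FilePath $ExePath).Status.ToString()
        $result.Sha256    = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash
    }
    return $result
}

function Remove-GigabyteDropper {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Test-GigabyteDropper
    if ($state.ServiceInstalled) {
        if ($state.ServiceStatus -ne 'Stopped' -and
            $PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
            Stop-Service -Name $ServiceName -Force
        }
        # sc.exe delete unregisters the service, i.e. removes the Services key
        # from step 2 (deferred to the next reboot if a handle is still open).
        if ($PSCmdlet.ShouldProcess($ServiceName, 'Delete service')) {
            & sc.exe delete $ServiceName | Out-Null
        }
    }
    elseif ($state.RegistryKey -and
            $PSCmdlet.ShouldProcess($ServiceKey, 'Remove orphaned service key')) {
        Remove-Item -Path $ServiceKey -Recurse -Force
    }
    # Step 3: the file itself. Fails while the service still holds it open,
    # which is why the service is stopped first.
    if ($state.ExePresent -and $PSCmdlet.ShouldProcess($ExePath, 'Delete file')) {
        Remove-Item -Path $ExePath -Force
    }
    return Test-GigabyteDropper
}

# Usage: audit, then remove. Add -WhatIf to Remove-GigabyteDropper to preview.
Test-GigabyteDropper   | Format-List
Remove-GigabyteDropper | Format-List
```

Keep the hash and signer from the first audit in your notes; if the executable reappears after a reboot with the UEFI option off, either the option did not take or something other than the firmware is re-creating it, and that is worth knowing before you blame the board.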

1 hour ago, mariushm said:

Yeah, it's not hidden, it's known... and can be easily disabled.

Known to SOME people, please stop acting like everyone and their mother with a gigabyte board knows this as common knowledge.


11 hours ago, LAwLz said:

"Also, I already see people talking about how Gigabyte are terrible, please note that all companies mess up every once in a while. I don't see any indication of this being done maliciously but rather an oversight. "
 

That's not an oopsie oversight, it's including a dropper in the firmware using the WPBT table to ensure their "value add" shovelware comes back even if you do a clean install.

Lenovo got caught doing the same in 2015: https://www.theregister.com/2015/08/12/lenovo_firmware_nasty/

At this point I'd just assume that if your ACPI tables have a WPBT table then it's sketchy and up to no good, dropping crapware on your machine.


4 hours ago, LAwLz said:

There needs to be more nuance in the conversations. The world isn't a Saturday morning cartoon where everything is either fantastic or the worst thing ever.

+1.


3 hours ago, Lurick said:

Known to SOME people, please stop acting like everyone and their mother with a gigabyte board knows this as common knowledge.

I follow Gigabyte closely and don't even remember this, so yeah. Be right back, I have an S2H I need to have this disabled on.


4 hours ago, LAwLz said:

Less than a month ago people were outraged at Asus for the AMD processors burning up (although that seems to have been an AMD issue that was fixed for everyone, not just Asus even though they were mostly affected).

TBH the Asus issues go even further than that. Back when I started watching LTT and getting into tech, like 3 years ago, I thought that hands down Asus ROG was the best shit money can buy for PC parts. But when I joined this forum I saw too many stories of Asus products just dying or breaking randomly (not even just AM5 boards AFAIK, I think I saw some Intel boards affected), saying that the boards just died randomly. I still think if you get a good board that Asus products are great, but they really need to fix their QC processes. AFAIK their GPUs aren't affected?


4 hours ago, LAwLz said:

Less than a month ago people were outraged at Asus for the AMD processors burning up (although that seems to have been an AMD issue that was fixed for everyone, not just Asus even though they were mostly affected).

Also, their RMA processes have been illustrated as nightmares in the sponsor threads.


5 hours ago, strawberrygirl said:

this is a security nightmare... good thing I don't have anything from that company

Well, now I'm sweating like crazy here with my Gigabyte motherboard.

 

Edit: my model isn't on the list, thank god.


5 hours ago, Kisai said:

User-initiated BIOS firmware update is OK, but automatically? Last thing you want is for it to download an update and then the computer is reset or powered off because the computer seems to be locked up at the bios screen.

Tell that to Asus, who are pushing BIOS updates to laptops via Windows Update.

I don't understand why they do it, but it's annoying. You get the option to not install it when it reboots; however, it will try to install every reboot.


Why is no one talking about Microsoft's responsibility here?!!

Quote

[UEFI firmware ...] load the embedded Windows executable file into memory, installing it into a WPBT ACPI table which will later be loaded and executed by the Windows Session Manager Subsystem (smss.exe) upon Windows startup.

The ACPI table in this process (WPBT, Windows Platform Binary Table) is a Windows-only addition to the ACPI spec. (Linux, thank god, does not support WPBT. It also has zero problems because it's missing; it is not a necessary ACPI component by any means.) So Microsoft is voluntarily offering mobo vendors that Windows will run their code provided from the firmware.


Just read the article about it 2 years ago from the same researchers: https://eclypsium.com/research/everyone-gets-a-rootkit/


Mobo vendors decide to load executable code into the OS because Windows explicitly allows this. It is not even possible officially to disable WPBT ACPI code running in Windows.


Are we seriously gonna go to the narrative like 'ehh.... but mobo vendors should use this "backdoor feature" responsibly' (?)

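The WPBT check the two posts above talk about ("if your ACPI tables have a WPBT table" and "installing it into a WPBT ACPI table which will later be loaded and executed by smss.exe"), as an added PowerShell example that is not from the thread, from Eclypsium or from Microsoft. It lists the ACPI tables Windows exposes through the kernel32 firmware-table API and, if a WPBT is present, decodes it: which OEM planted it, the physical address and size of the handed-off binary, and the command line it is launched with. Reading the table needs no admin rights. Field offsets are taken from Microsoft's published WPBT layout (36-byte ACPI header, then handoff size, handoff location, content layout, content type, command-line length, command line) and the provider constant from the Win32 docs; treat both as this example's assumptions and confirm against the spec for your board. The table reader is general, so Get-AcpiTable 'FACP' or any other signature works the same way.

```powershell
# Added example: enumerate ACPI tables and decode a WPBT if Windows exposes one.
# Not from the thread, Eclypsium, Gigabyte or Microsoft.
Add-Type -Namespace Fw -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

$ACPI = 0x41435049   # 'ACPI' firmware table provider, value as given in the Win32 docs

function Get-AcpiTableSignatures {
    # First call with a null buffer returns the size needed; second call fills it.
    $size = [Fw.Native]::EnumSystemFirmwareTables($ACPI, $null, 0)
    if ($size -eq 0) { return @() }
    $buf = New-Object byte[] $size
    [void][Fw.Native]::EnumSystemFirmwareTables($ACPI, $buf, $size)
    # The buffer is an array of 4-byte table IDs; read each in memory order as ASCII.
    for ($i = 0; $i -lt $buf.Length; $i += 4) {
        [Text.Encoding]::ASCII.GetString($buf, $i, 4)
    }
}

function Get-AcpiTable([string]$Signature) {
    # The table ID is the signature's four bytes read as a little-endian DWORD,
    # which is exactly what BitConverter does on x86/x64.
    $id   = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes($Signature), 0)
    $size = [Fw.Native]::GetSystemFirmwareTable($ACPI, $id, $null, 0)
    if ($size -eq 0) { return $null }
    $buf = New-Object byte[] $size
    [void][Fw.Native]::GetSystemFirmwareTable($ACPI, $id, $buf, $size)
    return $buf
}

function Read-Wpbt {
    $t = Get-AcpiTable 'WPBT'
    if (-not $t -or $t.Length -lt 50) { return $null }
    # Offsets per Microsoft's WPBT layout (assumption, see lead-in):
    #   0..35  standard ACPI header (OEM ID at 10, OEM table ID at 16)
    #   36     HandoffMemSize  UINT32   size of the binary the firmware staged
    #   40     HandoffMemLoc   UINT64   physical address of that binary
    #   48     ContentLayout   UINT8
    #   49     ContentType     UINT8    1 = native user-mode executable
    #   50     CmdLineLength   UINT16   (type 1 only)
    #   52..   CmdLine         UTF-16, null terminated, runs to end of table
    $info = [ordered]@{
        Length         = [BitConverter]::ToUInt32($t, 4)
        OemId          = [Text.Encoding]::ASCII.GetString($t, 10, 6).Trim()
        OemTableId     = [Text.Encoding]::ASCII.GetString($t, 16, 8).Trim()
        HandoffMemSize = [BitConverter]::ToUInt32($t, 36)
        HandoffMemLoc  = '0x{0:X}' -f [BitConverter]::ToUInt64($t, 40)
        ContentLayout  = $t[48]
        ContentType    = $t[49]
        CmdLineLength  = 0
        CommandLine    = ''
    }
    if ($t[49] -eq 1 -and $t.Length -gt 52) {
        $info.CmdLineLength = [BitConverter]::ToUInt16($t, 50)
        # Decode everything after the length field rather than trusting the
        # field's unit, then strip the terminating nulls.
        $info.CommandLine = [Text.Encoding]::Unicode.GetString($t, 52, $t.Length - 52).TrimEnd([char]0)
    }
    [pscustomobject]$info
}

$sigs = Get-AcpiTableSignatures
if ($sigs -contains 'WPBT') {
    Write-Warning 'WPBT present: the firmware is handing Windows a binary to run at boot'
    Read-Wpbt | Format-List
} else {
    "No WPBT table exposed. ACPI tables present: $($sigs -join ', ')"
}
```

Run it before and after flipping the UEFI option: if the toggle really removes the delivery path, the WPBT disappears from the signature list, which is a stronger check than looking for the service in Windows, because the service is only what the binary did last boot. A present WPBT from any OEM is worth reading the command line of, not just on Gigabyte boards.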

dont forget the recent leak by msi and other motherboard brands too, not sure if it was security codes or whatever.


2 hours ago, grg994 said:

Why is no one talking about Microsoft's responsibility here?!!

The ACPI table in this process (WPBT, Windows Platform Binary Table) is a Windows-only addition to the ACPI spec. (Linux, thank god, does not support WPBT. It also has zero problems because it's missing; it is not a necessary ACPI component by any means.) So Microsoft is voluntarily offering mobo vendors that Windows will run their code provided from the firmware.


Just read the article about it 2 years ago from the same researchers: https://eclypsium.com/research/everyone-gets-a-rootkit/


Mobo vendors decide to load executable code into the OS because Windows explicitly allows this. It is not even possible officially to disable WPBT ACPI code running in Windows.


Are we seriously gonna go to the narrative like 'ehh.... but mobo vendors should use this "backdoor feature" responsibly' (?)

I agree. How dare Windows allow things to be installed...


Isn't this the same thing as ASUS Armoury Crate on some of their mainboards? I remember a few boards that prompted me to download Armoury Crate right after a clean Windows installation, even if I didn't have network drivers installed.


2 hours ago, Paddo said:

Isn't this the same thing as ASUS armoury crate on some of their Mainboards? I remember a few boards that prompted me to download armoury crate right after a clean Windows installation even if I didn't have network drivers installed.

Possibly, as Armoury Crate does download firmware; it just doesn't download the motherboard BIOS.


In fact, on ASUS boards, it won't ever download the firmware for the motherboard. You have to download it yourself and then run AI Suite 3 to actually flash it (the BIOS's EZ Flash won't let you flash it either.) The stuff you see in the image tends to be firmware for the Aura Sync stuff and nothing else.

 

And I can imagine why. The last ASUS firmware update required updating the Intel ME firmware first, which was non-trivial.

 

Now, the experience on the laptop, however? It was a goddamn nightmare. On the laptop I had to replace the battery in order to update or reinstall Windows. It would literally not allow any kind of recovery without updating the firmware, and the firmware would not update without a fully charged, working battery.

 


Who do we even turn to now? Gigabyte with their back doors, Asus with their low quality products and MSI with the security problems too.


Tellingly there has been no response from Gigabyte. Well, I guess they're figuring out how to respond to make it look least bad. It's gonna be hard.


12 minutes ago, Eong said:

Who do we even turn to now? Gigabyte with their back doors, Asus with their low quality products and MSI with the security problems too.

In EVGA we trust?


7 minutes ago, Crunchy Dragon said:

In EVGA we trust?

Do they offer budget friendly boards?
