
Gigabyte Motherboards have a firmware backdoor

Kisai
19 hours ago, Kisai said:

Last thing you want is for it to download an update and then the computer is reset or powered off because the computer seems to be locked up at the bios screen.

Guess MS just missed that memo with their capsule updates... (disabled it in UEFI)

/ON
IDK what kind of flawed, twisted thinking is needed to think this is a good idea...


3 hours ago, gagagogo said:

Tellingly there has been no response from Gigabyte. Well, I guess they're figuring out how to respond to make it look least bad. It's gonna be hard.

I think people need to calm down and give them more than 24 hours to respond.


8 hours ago, gagagogo said:

Tellingly there has been no response from Gigabyte. Well, I guess they're figuring out how to respond to make it look least bad. It's gonna be hard.

Spoken like someone who has never needed to get PR to send out communications.


6 hours ago, LAwLz said:

I think people need to calm down and give them more than 24 hours to respond.

I blame both Gigabyte AND Microsoft, a pox on both houses.

 

Gigabyte - Because this "feature" should have been disabled by default with an explicit dialog box informing the end-user as to what to expect when enabling it.

 

Microsoft - Because allowing vendor approved rootkits should be disabled by default. If a large enterprise needs this enabled, they can do so via GPO and/or explicit Administrative elevation.


What's the backdoor, though?


  • 2 weeks later...
On 5/31/2023 at 1:19 PM, LAwLz said:

From what I've gathered, yes. If you disable the "App Center Download & Install" feature on the motherboard this gets solved (edit: you need to also do the steps below to fully get rid of it in an already installed version of Windows).

 

What happens is that if you have that function enabled in your UEFI, the motherboard injects a program called "GigabyteUpdateService" into your system32 folder. Then it registers the program as a service, and when it is running it checks for updates from Gigabyte's servers.

All that is in and of itself not really a big deal and is probably done for non-malicious purposes. However, the process doesn't check the validity of the downloaded files (at least not during downloading) which is a big no-no.

 

If you want to completely reverse and disable this you will need to:

1) Disable the app center function in your UEFI.

 

2) Delete this registry key:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GigabyteUpdateService

 

3) Delete the file located here (might not be possible if it's already running, in which case you need to stop the service from task manager or restart your PC):

%SystemRoot%\system32\GigabyteUpdateService.exe


Also, I already see people talking about how Gigabyte are terrible, please note that all companies mess up every once in a while. I don't see any indication of this being done maliciously but rather an oversight. 

It's getting pretty tiring seeing people go "company X is now on my shit-list" whenever any company messes up. The same company reported a breach at MSI about a month ago. Less than a month ago people were outraged at Asus for the AMD processors burning up (although that seems to have been an AMD issue that was fixed for everyone, not just Asus even though they were mostly affected). Last year ASRock motherboards were used in a large-scale attack because they contained vulnerabilities.

My point is that if your instinct is to always blacklist companies whenever they mess up, regardless of the circumstances, then you will have blacklisted pretty much every single company within a year. There needs to be more nuance in the conversations. The world isn't a Saturday morning cartoon where everything is either fantastic or the worst thing ever.

Thanks for this LAwLz, just received a Gigabyte mobo this week and it still had the 2022 bios firmware on it. Updated, disabled the auto updater option in bios, and dumped the registry and System32 files.

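As an added example (not code from the thread or from Gigabyte), a PowerShell script that audits a Windows machine for the three artifacts LAwLz lists (service registration, registry key, System32 executable) and, when run with -Remove from an elevated prompt, applies the cleanup steps in the order given. The SHA256 and Authenticode fields are an added check so the binary can be compared against a known-good copy; the post itself does not mention them.

```powershell
# Audit (and optionally remove) the GigabyteUpdateService artifacts described in the thread.
# Run from an elevated PowerShell session. Default is report-only; pass -Remove to clean up.
# Disable the UEFI "App Center Download & Install" option first, otherwise the firmware
# re-injects the file and service on the next boot (as the post explains).
param([switch]$Remove)

$serviceName = 'GigabyteUpdateService'
$regKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\GigabyteUpdateService'
$exePath     = Join-Path $env:SystemRoot 'System32\GigabyteUpdateService.exe'

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
$findings = [ordered]@{
    ServicePresent = [bool]$svc
    ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
    RegistryKey    = Test-Path $regKey
    ExecutableFile = Test-Path $exePath
}
if ($findings.ExecutableFile) {
    # Added check: record hash and signer status so the artifact can be cross-checked
    # against a known-good binary before deciding it is the vendor's own updater.
    $findings.SHA256    = (Get-FileHash -Path $exePath -Algorithm SHA256).Hash
    $findings.Signature = (Get-AuthenticodeSignature -FilePath $exePath).Status.ToString()
}
[pscustomobject]$findings | Format-List

if (-not $Remove) { return }

# Step 3 prerequisite from the post: the file cannot be deleted while the service runs.
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name $serviceName -Force -ErrorAction Stop
}
if ($svc) {
    # Unregister the service; sc.exe marks its Services key for deletion.
    & sc.exe delete $serviceName | Out-Null
}
# Step 2: remove the registry key (may already be gone or pending deletion after sc.exe).
if (Test-Path $regKey) { Remove-Item -Path $regKey -Recurse -Force -ErrorAction SilentlyContinue }
# Step 3: remove the injected executable from System32.
if (Test-Path $exePath) { Remove-Item -Path $exePath -Force }
Write-Host "Removal done. Reboot and re-run this script to confirm nothing was recreated."
```

Re-running the script after a reboot is the practical test that the UEFI option is really off: if the file or service is back, the firmware is still injecting it.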
