Malware hiding in a computer’s UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become a stealthy trick in the hackers’ toolkit. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers, and doesn’t put a proper lock on that hidden back door, it is practically doing the hackers’ work for them.
Researchers at firmware-focused cybersecurity firm Eclypsium revealed today that they have discovered a hidden mechanism in the firmware of motherboards sold by Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with an affected Gigabyte motherboard restarts, Eclypsium found, code inside the motherboard’s firmware invisibly launches an updater program that runs on the computer and in turn downloads and executes another piece of software.
While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard’s firmware updated, the researchers found that it is implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte’s intended program. And because the updater is launched from the computer’s firmware, outside its operating system, it is hard for users to remove or even discover.
says John Loucaides, who leads strategy and research at Eclypsium. “The concept of working under the end user and taking over their device doesn’t sit well with most people.”
In its blog post on the research, Eclypsium lists 271 models of Gigabyte motherboards that the researchers say are affected. Loucaides adds that users who want to see which motherboard their computer uses can check by going to Start in Windows and then System Information.
Eclypsium says it found Gigabyte’s hidden firmware mechanism while scouring customers’ computers for firmware-based malicious code, an increasingly common technique employed by sophisticated hackers. In 2018, for instance, hackers working on behalf of Russia’s GRU military intelligence agency were found silently installing the firmware-based anti-theft software LoJack on victims’ machines as a spying tactic. Chinese state-sponsored hackers were spotted two years later repurposing a firmware-based spyware tool created by the hacker-for-hire firm Hacking Team to target the computers of diplomats and NGO staff in Africa, Asia, and Europe. The Eclypsium researchers were surprised to see their automated detection scans flag Gigabyte’s updater mechanism for some of the same shady behavior as those state-sponsored hacking tools: hiding in firmware and silently installing a program that downloads code from the internet.
Gigabyte’s updater alone might have concerned users who don’t trust Gigabyte to silently install code on their machine with a near-invisible tool, or who worry that Gigabyte’s mechanism could be exploited by hackers who compromise the motherboard manufacturer to abuse its hidden access in a software supply chain attack. But Eclypsium also found that the update mechanism was implemented with glaring vulnerabilities that could allow it to be hijacked: it downloads code to the user’s machine without properly authenticating it, sometimes over an unprotected HTTP connection rather than HTTPS. That would allow the installation source to be spoofed by a man-in-the-middle attack carried out by anyone who can intercept the user’s internet connection, such as a rogue Wi-Fi network. Switching to HTTPS would only authenticate the server; it is the missing check on the downloaded code itself that lets a spoofed or compromised source substitute its own executable.
In other cases, the updater installed by the firmware mechanism is configured to be downloaded from a local network-attached storage (NAS) device, a feature that appears designed for business networks to administer updates without all of their machines reaching out to the internet. But Eclypsium warns that in those cases, a malicious actor on the same network could impersonate the NAS and invisibly install their own malware instead.
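The two failure modes above (an on-path attacker rewriting a plaintext download, and a rogue machine impersonating the NAS) share one root cause: the updater executes whatever bytes arrive without tying them to the vendor. The following is an added example, not Eclypsium’s analysis code and not Gigabyte’s updater, that shows the insecure pattern beside a hardened one. It goes slightly beyond the article by giving the general fix: refuse plaintext internet sources, and regardless of transport accept a payload only if a detached signature verifies under a public key compiled into the updater. The URLs, the in-memory “network”, the payload strings and the use of Ed25519 as the vendor’s signing scheme are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Fetcher stands in for the network so the example runs offline. A real
// updater would wrap an HTTP client or a file-share read here.
type Fetcher func(src string) ([]byte, error)

var (
	ErrPlaintextSource = errors.New("refusing plaintext http:// update source")
	ErrBadSignature    = errors.New("payload does not verify against the embedded vendor key")
)

// insecureUpdate mirrors the behaviour the article describes: fetch whatever
// the firmware-configured source returns and execute it. Nothing ties the
// bytes to the vendor, so whoever controls the path (a rogue Wi-Fi hotspot,
// a machine impersonating the NAS) decides what runs.
func insecureUpdate(fetch Fetcher, src string, execute func([]byte) error) error {
	payload, err := fetch(src)
	if err != nil {
		return err
	}
	return execute(payload)
}

// secureUpdate rejects plaintext internet sources and, whatever the transport,
// executes a payload only if the detached signature published beside it
// verifies under a public key baked into the updater. The signature check is
// what also covers the NAS case, where TLS is not in play at all.
func secureUpdate(fetch Fetcher, src string, vendorKey ed25519.PublicKey, execute func([]byte) error) error {
	u, err := url.Parse(src)
	if err != nil {
		return err
	}
	if u.Scheme == "http" {
		return ErrPlaintextSource
	}
	payload, err := fetch(src)
	if err != nil {
		return err
	}
	sig, err := fetch(src + ".sig")
	if err != nil {
		return err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendorKey, payload, sig) {
		return ErrBadSignature
	}
	return execute(payload)
}

// memoryFetcher serves constructed responses keyed by URL. Depending on what
// is placed in the map it models the vendor's CDN, an on-path attacker, or a
// spoofed NAS.
func memoryFetcher(store map[string][]byte) Fetcher {
	return func(src string) ([]byte, error) {
		b, ok := store[src]
		if !ok {
			return nil, fmt.Errorf("fetch %s: not found", src)
		}
		return b, nil
	}
}

// publish does what the vendor's download server would: store the payload
// and its Ed25519 signature at src and src+".sig".
func publish(store map[string][]byte, src string, priv ed25519.PrivateKey, payload []byte) {
	store[src] = payload
	store[src+".sig"] = ed25519.Sign(priv, payload)
}

// Outcome records which payload each updater executed (nil if it refused)
// and why the hardened one refused, if it did.
type Outcome struct {
	Insecure  []byte
	Secure    []byte
	SecureErr error
}

// runScenario runs both updaters against the same constructed network.
func runScenario(store map[string][]byte, src string, pub ed25519.PublicKey) Outcome {
	var out Outcome
	fetch := memoryFetcher(store)
	_ = insecureUpdate(fetch, src, func(b []byte) error { out.Insecure = b; return nil })
	out.SecureErr = secureUpdate(fetch, src, pub, func(b []byte) error { out.Secure = b; return nil })
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // assumed vendor key pair
	store := map[string][]byte{}
	const src = "https://updates.example-vendor.test/updater.bin" // assumed URL
	publish(store, src, priv, []byte("genuine updater"))
	o := runScenario(store, src, pub)
	fmt.Printf("honest mirror: insecure ran %q, secure ran %q (err=%v)\n", o.Insecure, o.Secure, o.SecureErr)

	// An on-path attacker swaps the payload but cannot forge the signature.
	store[src] = []byte("attacker payload")
	o = runScenario(store, src, pub)
	fmt.Printf("tampered mirror: insecure ran %q, secure ran %q (err=%v)\n", o.Insecure, o.Secure, o.SecureErr)
}
```

The hardened path deliberately does not trust the transport to authenticate the code: a spoofed NAS and a man-in-the-middle on plaintext HTTP both present the same problem to the updater, and the same embedded-key signature check closes both. A production updater would additionally carry a version number inside the signed data so an attacker cannot replay an older, validly signed but vulnerable updater.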
Eclypsium says it has been coordinating with Gigabyte to disclose its findings to the motherboard manufacturer, and that Gigabyte has said it plans to fix the issues. Gigabyte did not respond to WIRED’s multiple requests for comment on Eclypsium’s findings.
Even if Gigabyte fixes its firmware issue (the problem, after all, stems from a Gigabyte tool meant to automate firmware updates), Eclypsium’s Loucaides points out that firmware updates often silently fail on users’ machines, in many cases because of their complexity and the difficulty of matching firmware to hardware. “I still think this will end up being a fairly common problem on Gigabyte motherboards for years to come,” says Loucaides.
Given the millions of potentially affected devices, the Eclypsium discovery is “alarming,” says Rich Smith, chief security officer at supply-chain-focused cybersecurity startup Crash Override. Smith has published research on firmware vulnerabilities and reviewed Eclypsium’s findings. He compares the situation to the Sony rootkit scandal of the mid-2000s, when Sony hid digital-rights-management code on CDs that invisibly installed itself on users’ computers and in doing so created a vulnerability that hackers used to hide their own malware. “You can use techniques that have been used traditionally by malicious actors, but that was not acceptable; it went too far,” says Smith. “I can’t speak to why Gigabyte chose this method to deliver its software. But to me, this feels like crossing a similar line in the firmware space.”
Smith acknowledges that Gigabyte may have had no malicious or deceptive intent in its hidden firmware tool. But by leaving vulnerabilities in the invisible code that lies beneath the operating system of so many computers, it nonetheless erodes a fundamental layer of users’ trust in their hardware. “There’s no intent here, just dirt. But I don’t want anyone writing my firmware dirty,” says Smith. “If you don’t trust your firmware, you’re building your house on sand.”