Gigabyte Motherboards Came With Sloppy Backdoor Users Had No Idea About
It’s always interesting to me to watch and see what gets attention in the security and privacy space. For example, everybody spent the last two years suffering absolute embolisms at the idea that TikTok was a threat to privacy, but nobody much seems to care that an absolute ocean of “smart devices,” from your router to your television, routinely come with papier-mâché-grade security.
Hardware you expect to be secure (like door locks advertised as a security upgrade) routinely… aren’t. That frequently applies to core technologies you don’t spend a whole lot of time thinking about, from routers to PC components.
Last week, the cybersecurity firm Eclypsium published a report on a hidden backdoor in the UEFI firmware of motherboards sold by the Taiwanese manufacturer Gigabyte. Code in the firmware runs on every boot of a PC built on one of these boards: it drops a Windows executable that then fetches and runs Gigabyte’s update tools. The mechanism exists to keep the motherboard’s firmware up to date, but it was implemented… poorly:
The firmware does not implement any cryptographic digital signature verification or any other validation over the executables. The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers). As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.
Whoops! As Eclypsium notes, the implementation doesn’t adequately inform the end user that any of this is happening, and because the code it fetches is never validated, an attacker sitting on the network or in control of the update infrastructure could abuse it, undermining the trust PC owners have that their core devices are inherently secure. Their blog post lists 271 models of Gigabyte motherboards that are affected by this flaw. The company isn’t responding to requests for comment.
Despite the widespread potential impact of the problem, I’m going to assume I won’t see any Senators showing up on cable news freaking out about the issue.
This is firmware we’re talking about. The ability to detect malware in it is exceptionally limited.
And how about this scenario: if the malware installs an update that implements the missing crypto digital signature checking, then congratulations, you’re locked out unless you’re willing (and able) to reflash your BIOS not just manually, but with external means. You know, unseating the chips, hotwiring them, etc…
I just posted another comment before seeing yours. This is Windows malware embedded in the firmware, not anything being run in or by the firmware. The idea of “Hardware you expect to be secure… routinely… aren’t” [sic] doesn’t really apply.
It is, in fact, trivial to detect. Just look for a WPBT entry in your system’s ACPI tables. On Linux, for example:
sudo acpidump | grep '^WPBT'   # prints the WPBT table header line if the firmware exposes one
I see a result on my ASUS motherboard, and a web search shows 5-year-old reports of ASUS using it. People who intend to use Windows, or research its security, should probably be auditing these embedded programs (and drivers, many of which are written just well enough so Microsoft won’t reject them entirely). It’s a normal Windows binary, and the usual reverse-engineering tools should work. Alternately, patch Windows to ignore WPBT, or patch your firmware to remove it.
That’s half the problem. But if you read closer, the firmware is taking advantage of the same Windows backdoor used by anti-theft malware. That is: firmware can embed arbitrary Windows programs, and Windows will automatically run them without notification or any possibility of opting out. The idea is that if someone steals your laptop and installs a “clean” copy of Windows, they’ll run this unwanted software and get caught. Of course, worse malware has also used it.
I recall some weak outrage the last time this became known, but, ultimately, nothing came of it. I’m sure Microsoft has quantified the outrage and determined that few people will actually stop using their software. Therefore, there’s no reason to change anything, and the feature remains.
I don’t count this as a true “firmware backdoor”; just bundled crapware which, if installed via one backdoor (that doesn’t exist on any non-Windows operating system), provides another backdoor. That users didn’t know simply means they weren’t looking, because this isn’t stealthy at all: anyone who dumps the ACPI tables should be able to see what it’s asking Windows to run. It’s not quite as scary as a backdoor using, for example, the Intel Management Engine and its own network stack.
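The acpidump check in the earlier comment and the description above of how WPBT hands a Windows binary from firmware to the operating system both concern the same ACPI table. As an added example that is not part of the original article or of any comment, here is a small parser for the WPBT layout (the standard 36-byte ACPI header, then the handoff memory size, the physical address of the embedded image, the content layout, the content type and a UCS-2 command line), which also validates the ACPI checksum and flags values outside what the specification defines. It ships with a constructed sample table (the OEM strings, address, size and command line are made up) so it runs offline; the sysfs path /sys/firmware/acpi/tables/WPBT is assumed to be where Linux exposes the raw table, and reading it needs root.

```python
"""Parse and sanity-check a Windows Platform Binary Table (WPBT).

Layout per Microsoft's WPBT specification:
  36-byte standard ACPI table header, then
  u32  handoff memory size      (size of the embedded PE image in bytes)
  u64  handoff memory location  (physical address of that image)
  u8   content layout           (1 = single PE image)
  u8   content type             (1 = native user-mode application)
  u16  argument length          (byte length of the UCS-2 command line)
  ...  command line             (optional, UCS-2)
"""
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Signature, Length, Revision, Checksum, OEMID, OEM Table ID,
# OEM Revision, Creator ID, Creator Revision (36 bytes in total).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")
CHECKSUM_OFFSET = 9
LINUX_WPBT_PATH = "/sys/firmware/acpi/tables/WPBT"  # assumption: standard sysfs location


@dataclass
class Wpbt:
    oem_id: str
    oem_table_id: str
    checksum_ok: bool
    image_size: int
    image_addr: int
    layout: int
    content_type: int
    args: str


def parse_wpbt(data: bytes) -> Wpbt:
    """Parse a raw WPBT table and validate its ACPI checksum."""
    if len(data) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    (sig, length, _rev, _chk, oem_id, oem_tbl,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(data, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length > len(data) or length < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("declared table length is inconsistent")
    table = data[:length]
    # Every ACPI table must sum to zero modulo 256 over its declared length.
    checksum_ok = (sum(table) & 0xFF) == 0
    size, addr, layout, ctype, arglen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    arg_off = ACPI_HEADER.size + WPBT_BODY.size
    raw_args = table[arg_off:arg_off + arglen]
    if len(raw_args) != arglen:
        raise ValueError("argument length runs past the end of the table")
    args = raw_args.decode("utf-16-le", "replace").rstrip("\x00")
    return Wpbt(
        oem_id=oem_id.decode("ascii", "replace").strip(),
        oem_table_id=oem_tbl.decode("ascii", "replace").strip(),
        checksum_ok=checksum_ok,
        image_size=size,
        image_addr=addr,
        layout=layout,
        content_type=ctype,
        args=args,
    )


def anomalies(w: Wpbt) -> List[str]:
    """Things worth a look before trusting what the table points to."""
    out = []
    if not w.checksum_ok:
        out.append("checksum mismatch: table may have been modified")
    if w.layout != 1:
        out.append(f"unexpected content layout {w.layout} (spec defines 1 = single PE image)")
    if w.content_type != 1:
        out.append(f"unexpected content type {w.content_type} (spec defines 1 = native user-mode app)")
    if w.image_size == 0:
        out.append("zero-length image")
    return out


def build_sample_wpbt(image_addr: int, image_size: int, cmdline: str) -> bytes:
    """Construct a WPBT table with made-up OEM strings, for offline testing only."""
    args = cmdline.encode("utf-16-le") + b"\x00\x00" if cmdline else b""
    body = WPBT_BODY.pack(image_size, image_addr, 1, 1, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"WPBTDEMO", 1, b"DEMO", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF   # make the bytes sum to zero
    return bytes(table)


def load_system_wpbt(path: str = LINUX_WPBT_PATH) -> Optional[Wpbt]:
    """Return the live WPBT if the firmware exposes one, else None (reading needs root)."""
    p = Path(path)
    if not p.exists():
        return None
    return parse_wpbt(p.read_bytes())


if __name__ == "__main__":
    live = load_system_wpbt()
    w = live if live is not None else parse_wpbt(build_sample_wpbt(0x7F000000, 0x2000, "/silent"))
    print("source:", "firmware" if live is not None else "constructed sample")
    print(f"OEM {w.oem_id}/{w.oem_table_id}: image {w.image_size:#x} bytes at "
          f"{w.image_addr:#x}, args {w.args!r}")
    for a in anomalies(w):
        print("  !", a)
```

Run as root on a machine that carries a WPBT and the script prints where in physical memory the firmware placed the Windows executable and what command line it wants Windows to pass; the address is what you would hand to a memory dumper to pull the PE image out for reverse engineering. Without a table present it falls back to the constructed sample so the parsing path still exercises. The checksum check only proves the table is internally consistent, not that its contents are benign, which is exactly the gap the Eclypsium report is about.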
