Gigabyte Motherboards Came With Sloppy Backdoor Users Had No Idea About

Date: 2023-06-09

from the trust-no-one dept

It’s always interesting to me to watch and see what gets attention in the security and privacy space. For example, everybody spent the last two years suffering absolute embolisms at the idea that TikTok was a threat to privacy, but nobody much seems to care that an absolute ocean of “smart devices,” from your router to your television, routinely come with paper-mache-grade security.

Hardware you expect to be secure (like door locks advertised as a security upgrade) routinely… isn’t. That frequently applies to core technologies you don’t spend a whole lot of time thinking about, from routers to PC components.

Last week, cybersecurity company Eclypsium issued a report that they’d discovered a hidden backdoor in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte. Code within the firmware activates each time a PC using these motherboards restarts. It’s supposed to help update the motherboard’s firmware, but it was implemented… poorly:

The firmware does not implement any cryptographic digital signature verification or any other validation over the executables. The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers). As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.

Whoops! The flawed implementation, as they note, doesn’t adequately inform the end user, and could then be exploited by bad actors, undermining the trust PC owners have that their core devices are inherently secure. Their blog post lists 271 models of Gigabyte motherboards impacted by this flaw. The company isn’t responding to requests for comment.

Despite the widespread potential impact of the problem, I’m going to assume I won’t see any Senators showing up on cable news freaking out about the issue.

