Researchers at the cybersecurity company Eclypsium have published their findings on a hidden mechanism in the firmware of Gigabyte motherboards. The mechanism can be abused in a number of ways, putting millions of users' devices at risk worldwide.

A Gigabyte gaming motherboard

The problem

The code that Eclypsium's researchers discovered lives in the motherboard's firmware. It launches an update program that contacts three resources in search of firmware updates.

The three websites the code reaches out to are:

  • http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://software-nas/Swhttp/LiveUpdate4

The way the updater does this causes concern for a few reasons:

  1. The downloaded data is not adequately authenticated, meaning it could be altered to contain malicious instructions.
  2. One of the sites the updater connects to uses a plain HTTP connection, which is open to a man-in-the-middle (MitM) attack: the updater could be steered to a fake site that serves malicious instructions, or fake data could be injected into the communication stream.
  3. The updater can also connect to a locally hosted NAS drive containing updates. An attacker could spoof this with a malicious NAS drive imitating a legitimate one.

Once the updates are downloaded, they are applied to the device automatically, which could give malicious code a foothold that persists on the device.

The updates rewrite the UEFI code on the motherboard, so any malware injected into the firmware can persist even if the computer's hard drives are wiped and the operating system is reinstalled. Malicious code that persists in firmware is very hard to eradicate completely and requires specialised measures to ensure full removal.

What is UEFI?

UEFI (Unified Extensible Firmware Interface) is a specification for the software that connects a computer's firmware to its operating system. It replaces the BIOS (Basic Input Output System) found on older motherboards.

UEFI functions via firmware installed on the motherboard, and like the older BIOS, UEFI is installed by the manufacturer.

When a computer boots, the UEFI code runs first, checking which hardware components are attached and that they are functioning as expected.

For many people, the BIOS/UEFI is something they rarely look at, but it is crucial to the safe operation of the device.

To access the UEFI, the user typically presses a key (e.g. Escape, Delete, or one of the function keys such as F8) during system boot. This opens the interface through which the way the system behaves can be changed.

The design of the interface differs from one manufacturer to another, but it essentially offers the same types of options.

GigaByte UEFI

Millions of affected devices

During their research, Eclypsium identified 271 different motherboards affected by the vulnerable firmware updater, including some of the latest Intel and AMD motherboards.

A full list of affected motherboard makes and models is listed here.

This high number of motherboards includes some systems that have been on the market for a number of years, so the number of affected systems worldwide could reach into the tens of millions.

Eclypsium initially detected the issue in April and reported its findings to Gigabyte, which acknowledged the problem and has taken steps to address it.

The two companies are now working together to address this insecure implementation and improve the affected systems’ overall security.

Anyone using an affected motherboard should exercise caution. As a precautionary measure, concerned parties can block access to the URLs listed above until a fix is released.
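One way to act on the advice above is to check outbound traffic for the three updater URLs and to note which of the concerns from the list apply to each hit: a plaintext HTTP fetch, a TLS tunnel to the updater host, or a request to the unqualified `software-nas` name (which resolves through whatever DNS search suffix the client happens to have, the property that makes a spoofed NAS plausible). The script below is an added example, not code from the article, from Eclypsium or from Gigabyte. It assumes a simplified proxy log format (timestamp, client IP, method, target, status) and the sample log lines are constructed for illustration; the hostnames and paths come from the URLs in the article.

```python
"""Flag requests to the Gigabyte updater URLs in a (simplified) proxy log."""
import re
from urllib.parse import urlsplit

# The three URLs named in the article.
UPDATER_URLS = (
    "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://software-nas/Swhttp/LiveUpdate4",
)

# (host, path) pairs derived from those URLs, plus the bare host set.
UPDATER_ENDPOINTS = {(urlsplit(u).hostname.lower(), urlsplit(u).path) for u in UPDATER_URLS}
UPDATER_HOSTS = {host for host, _ in UPDATER_ENDPOINTS}

# Assumed log layout (hypothetical, not a real proxy's format):
#   <timestamp> <client_ip> <method> <target> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)$")

# Constructed sample lines: two updater hits from one client, one NAS-style hit
# from another, one unrelated request, and one non-updater path on the same host.
SAMPLE_LOG = """\
1685000001.123 10.0.0.15 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 200
1685000002.456 10.0.0.15 CONNECT mb.download.gigabyte.com:443 200
1685000003.789 10.0.0.22 GET https://software-nas/Swhttp/LiveUpdate4 200
1685000004.000 10.0.0.22 GET https://example.com/index.html 200
1685000005.111 10.0.0.31 GET http://mb.download.gigabyte.com/other/path 404
"""


def classify(line):
    """Return a finding dict for an updater-related request, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, target = m.group("method"), m.group("target")

    if method == "CONNECT":
        # A TLS tunnel: only the host is visible, not the path, so this is
        # a weaker signal ("possible updater traffic") than a full URL match.
        host = target.rsplit(":", 1)[0].lower()
        if host not in UPDATER_HOSTS:
            return None
        reasons = ["tls-tunnel-to-updater-host"]
    else:
        u = urlsplit(target)
        host, path = (u.hostname or "").lower(), u.path
        if not any(host == h and path.startswith(p) for h, p in UPDATER_ENDPOINTS):
            return None
        reasons = ["updater-endpoint"]
        if u.scheme.lower() == "http":
            # Concern 2 from the article: plaintext fetch, open to MitM.
            reasons.append("plaintext-http")

    if "." not in host:
        # Concern 3: an unqualified name is resolved via the local DNS search
        # suffix, so any host on the LAN answering to that name is trusted.
        reasons.append("unqualified-hostname")

    return {"ts": m.group("ts"), "client": m.group("client"), "host": host, "reasons": reasons}


def scan_log(text):
    """Run classify() over every line and collect the findings."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


def clients_to_investigate(findings):
    """Distinct client IPs that produced at least one finding."""
    return sorted({f["client"] for f in findings})


def egress_block_hosts():
    """Hostnames to add to an egress deny list or hosts-file override.

    Note that blocking mb.download.gigabyte.com also blocks other legitimate
    downloads from that host, which is the trade-off the article's advice implies.
    """
    return sorted(UPDATER_HOSTS)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["host"], ",".join(f["reasons"]))
    print("clients:", clients_to_investigate(scan_log(SAMPLE_LOG)))
    print("block:", egress_block_hosts())
```

The non-updater path on the Gigabyte host (`/other/path`) is deliberately not flagged, so that ordinary driver downloads from the same host do not produce noise; the `CONNECT` case is reported separately because a TLS tunnel alone does not prove the updater path was requested.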

Additionally, users and owners of Gigabyte systems should check for and disable the "APP Center Download & Install" feature in UEFI/BIOS Setup, and set a BIOS password to deter malicious changes.