As the functionality of BIOS firmware expands, an absence of sound security planning during development can leave vulnerabilities ripe for exploitation by cybercriminals.
For instance, firmware security firm Eclypsium has unearthed a backdoor in Gigabyte motherboards. It is shocking to note that Gigabyte firmware updates still use plain HTTP connections instead of the more secure HTTPS. Additionally, the downloaded update is not rigorously verified before it is applied, leaving these devices susceptible to Man-in-the-Middle (MITM) attacks.
This security issue involves 271 models of Gigabyte motherboards. Gigabyte, having acknowledged the problem following alerts from security companies, is currently exploring remedial solutions. However, this backdoor remains unpatched.
Over the past several years, Gigabyte has equipped its motherboards with an online update feature. Every time the system boots, a segment of code within the Gigabyte firmware triggers an update program, which connects to Gigabyte servers to check for and download the latest firmware.
The problem is that every server the Gigabyte updater connects to is reached over HTTP, so the transfer is in plaintext. Consequently, an attacker on the network path can easily substitute the firmware through a MITM hijack, causing the Gigabyte motherboard to download a malicious image.
Even switching to HTTPS would do little to mitigate the problem on its own, because Gigabyte does not adequately verify what it downloads. HTTPS would still be an improvement over HTTP.
Furthermore, this backdoor could enable an attacker to implant malicious programs into the motherboard firmware, which most antivirus software cannot detect: code residing in the firmware is not visible from the Windows level.
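The two weaknesses above, a plaintext download channel and no post-download verification, can be shown side by side. The following is an added example, not Gigabyte's updater code: the transport functions, the update URL (a `.invalid` placeholder) and the sample images are constructed, and the trusted SHA-256 pin stands in for the out-of-band signature or manifest check a vendor would actually ship.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample images: what the vendor published and what an on-path
# attacker would substitute on a plaintext HTTP link.
GENUINE_IMAGE = b"FW v1.2 (constructed genuine image)"
TAMPERED_IMAGE = b"FW v1.2 (constructed attacker-substituted image)"

# Assumed: the digest of the genuine image is obtained out of band (pinned in
# firmware or a vendor-signed manifest), never from the same unauthenticated
# channel as the image itself.
TRUSTED_SHA256 = hashlib.sha256(GENUINE_IMAGE).hexdigest()


def weak_update(url, transport):
    """The pattern the article describes: fetch over whatever scheme the URL
    carries and apply the bytes with no verification at all."""
    image = transport(url)
    return {"applied": True, "image": image}


def hardened_update(url, transport, trusted_sha256=TRUSTED_SHA256):
    """Refuse plaintext transport, then refuse any image whose digest does not
    match the trusted value. The digest check still matters over HTTPS, since
    transport security says nothing about what the server actually served."""
    if urlparse(url).scheme != "https":
        return {"applied": False, "reason": "plaintext transport refused"}
    image = transport(url)
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, trusted_sha256):
        return {"applied": False, "reason": "digest mismatch, image rejected"}
    return {"applied": True, "image": image}


def honest_transport(url):
    """Constructed transport: the network returns the genuine image."""
    return GENUINE_IMAGE


def mitm_transport(url):
    """Constructed transport: an on-path attacker swaps in a tampered image."""
    return TAMPERED_IMAGE
```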
Given that Gigabyte is still researching how to patch this backdoor, security companies suggest that users disable the APP Center download and installation feature in the Gigabyte motherboard firmware. Disabling this feature prevents the automatic update program from launching, providing a viable stopgap measure.
Additionally, users can enable the BIOS password feature. Once this feature is activated, BIOS modifications are impossible without the password, albeit at the cost of convenience in daily use.
Lastly, users can block the Gigabyte update servers on their routers. Once these servers are blocked, the BIOS firmware cannot reach them, so there is no connection left for a MITM hijack to target.