Researchers have identified a hidden mechanism in the firmware of motherboards manufactured by Taiwanese company Gigabyte that is primarily designed to update motherboard firmware, which could reportedly be exploited by threat actors due to its insecure implementation.
The researchers found that when a computer with an affected Gigabyte motherboard restarts, an updater program within the firmware invisibly initiates, subsequently downloading and executing another software piece. While intended to ensure firmware updates, the mechanism’s insecurity could potentially allow malware installation instead.
Since the updater program is triggered by the computer’s firmware outside its operating system, it becomes challenging for users to detect or remove it.
Researchers identified that around 271 gigabyte motherboard models are potentially affected. This came into the limelight while scanning customer computers for firmware-based malicious code, a tool increasingly used by sophisticated hackers.
The updater mechanism’s characteristics were alarmingly similar to state-sponsored hacking tools, including its ability to hide in firmware and silently install programs that download code from the internet.
Gigabyte’s firmware update mechanism has been found to have serious vulnerabilities, such as downloading code without proper authentication and sometimes even over an unsecured HTTP connection. This could make it susceptible to man-in-the-middle attacks. It could also be compromised on a local network, potentially allowing a malicious actor to install their own malware.
Researchers have been in contact with Gigabyte, which reportedly plans to fix the issues but has yet to respond to media requests for comment. Considering the complexity of firmware updates and the millions of potentially affected devices, Loucaides fears the problem could persist on gigabyte boards for years.
This research was documented by researchers from Eclypsium