Tuesday, October 23rd 2018
ASUS Z390 Motherboards Automatically Push Software into Your Windows Installation
During testing for our Intel Core i9-9900K review we found out that new ASUS Z390 motherboards automatically install software and drivers to your Windows 10 System, without the need for network access, and without any user knowledge or confirmation. This process happens in complete network-isolation (i.e. the machine has no Internet or LAN access). Our Windows 10 image is based on Windows 10 April 2018 Update and lacks in-built drivers for the integrated network controllers.
Upon first boot, with the machine having no LAN or Internet connectivity, we were greeted by an ASUS-specific window in the bottom right corner of our screen, asking whether we'd like to install the network drivers and download "Armoury Crate". This got us curious and we scanned the system for any files that aren't part of the standard MS Windows installation. We discovered three ASUS-signed files in our Windows 10 System32 folder, which, so it seems, magically appeared on our harddrive out of thin air. Upon further investigation we also found a new, already running, system service called "AsusUpdateCheck."
These files could not have come from either our Windows image or the network, leaving the motherboard's 16-megabyte UEFI BIOS as the only suspect. The files themselves, which total around 3.6 MB in size, appear harmless, and belong to an ASUS-made program called "ASUS Armoury Crate." This program fetches the latest drivers for your hardware from ASUS servers, and installs them for you in an automated process with little user-intervention. This is a very useful feature, as it establishes a method to install network driver and other drivers easily, without the need for a physical driver disc (in times where nobody has an optical drive anymore). After digging around in the UEFI BIOS, we managed to find a fairly nondescript option "Download and Install ARMOURY CRATE app", which of course defaults to "on"; and it's not easy to find, being located in the "Tool" section of the BIOS setup.
The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry.
The ASUS executable unpacks two more files, registers the "AsusUpdateCheck" service and launches it. Once the desktop is loaded, it manifests itself as a bloatware-looking notification near our system tray, requesting you to install the ASUS Armoury Crate software, by fetching the rest of its installer payload from the Internet. Interestingly, it also installs a basic driver to get the integrated network controller working, which is a nice feature. Windows 10 doesn't support the new Z390 integrated Ethernet controller out of the box. This method of writing data to protected areas of the boot drive may not be uncommon with OEM pre-built desktops and notebooks, but for the PC DIY space, in which consumers seek a higher degree of control and privacy over their hardware and software, it is a first and comes across as intrusive. It should normally take a lot of privilege for anything to write to your System32 folder without user-intervention, at least a UAC dialog authenticating the user's consent. Lenovo has used the same method in 2015, which resulted in a huge scandal. They automatically installed a rootkit, which logged data and pushed bloatware into the user's system.
Our motherboard was supplied within the European Union, and yet the software lacks a GPDR-compliant user consent dialog. If nothing else, a person's IP address will be transmitted to ASUS without consent, possibly more, including details like motherboard model, system specs and installed hardware.
We poked and prodded with the service a bit. Deleting the files (and/or the service) simply restores them at the next reboot. Clicking "cancel" in the first instance of the pop-up doesn't end the service, which keeps running in the background until you manually disable it (and it comes back at next reboot). The only way you can ensure the files stay deleted is by disabling the "ASUS Armoury Crate" option in the UEFI setup program, which disables the ACPI-WPBT table. Running the download & install, and then disagreeing with the license agreement will keep Armoury Crate installed on your system. Even when the Armoury Crate Uninstaller is run from "Programs & Software", the AsusUpdateCheck service doesn't get uninstalled, and the uninstaller also forgets to remove a second service it installed.
By default, the ASUS UEFI setup program for our motherboard has the "Download and Install Armoury Crate App" option enabled. Unsuspecting users who glossed over their UEFI setup configuration before installing their OS for the first time, will see the Armoury Crate pop-up even if their machines are not configured to access the Internet. This would do wonders for increasing the user-base of ASUS' software, but are you comfortable with something like this? Given NAND flash pricing, what stops motherboard vendors from embedding a flash-based USB mass-storage device directly onto their motherboards that installs a host of driver software and sponsored bloatware automatically?
If you put aside the privacy concerns for a moment, there are both advantages and disadvantages for what ASUS is trying to accomplish. Since it's enabled by default, this method makes installing drivers and system software easier than ever, since it also gets the network controller to work. It's particularly useful given that motherboard vendors continue to ship drivers on a DVD, and optical disc drives are on the decline, leaving people with little option but to copy their drivers onto a USB flash drive, just to get the NIC working. The application also fetches the very latest (most stable) versions of drivers found on ASUS website. The most obvious disadvantage is cybersecurity. If any of ASUS' on-chip code has security vulnerabilities that can be exploited, there is little way to fix it but with BIOS updates from ASUS.
ASUS needs to make a few changes and release UEFI BIOS updates, on the double. One option could be to disable the Armour Create option in BIOS by default, so unsuspecting users don't get these files. It could be advertised in the home-screen of the UEFI setup instead. Another option could be to properly clean up the installed files if the users chooses to not use Armoury Crate and not install them again on next reboot. Also required is a GPDR-compliant license agreement, that clarifies which data is collected, how it is processed, and whether it is shared with third parties. While this probably won't happen, some kind of ASUS warranty to include liability for any future malware that exploits WPBT to survive OS reinstalls, would go a long way.
We're sure that as a market-leading motherboard vendor, the intentions behind this couldn't have been bad. It only needs a bit of polish, and a lot of transparency with the user.
Upon first boot, with the machine having no LAN or Internet connectivity, we were greeted by an ASUS-specific window in the bottom right corner of our screen, asking whether we'd like to install the network drivers and download "Armoury Crate". This got us curious and we scanned the system for any files that aren't part of the standard MS Windows installation. We discovered three ASUS-signed files in our Windows 10 System32 folder, which, so it seems, magically appeared on our harddrive out of thin air. Upon further investigation we also found a new, already running, system service called "AsusUpdateCheck."
The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry.
Our motherboard was supplied within the European Union, and yet the software lacks a GPDR-compliant user consent dialog. If nothing else, a person's IP address will be transmitted to ASUS without consent, possibly more, including details like motherboard model, system specs and installed hardware.
We poked and prodded with the service a bit. Deleting the files (and/or the service) simply restores them at the next reboot. Clicking "cancel" in the first instance of the pop-up doesn't end the service, which keeps running in the background until you manually disable it (and it comes back at next reboot). The only way you can ensure the files stay deleted is by disabling the "ASUS Armoury Crate" option in the UEFI setup program, which disables the ACPI-WPBT table. Running the download & install, and then disagreeing with the license agreement will keep Armoury Crate installed on your system. Even when the Armoury Crate Uninstaller is run from "Programs & Software", the AsusUpdateCheck service doesn't get uninstalled, and the uninstaller also forgets to remove a second service it installed.
By default, the ASUS UEFI setup program for our motherboard has the "Download and Install Armoury Crate App" option enabled. Unsuspecting users who glossed over their UEFI setup configuration before installing their OS for the first time, will see the Armoury Crate pop-up even if their machines are not configured to access the Internet. This would do wonders for increasing the user-base of ASUS' software, but are you comfortable with something like this? Given NAND flash pricing, what stops motherboard vendors from embedding a flash-based USB mass-storage device directly onto their motherboards that installs a host of driver software and sponsored bloatware automatically?
If you put aside the privacy concerns for a moment, there are both advantages and disadvantages for what ASUS is trying to accomplish. Since it's enabled by default, this method makes installing drivers and system software easier than ever, since it also gets the network controller to work. It's particularly useful given that motherboard vendors continue to ship drivers on a DVD, and optical disc drives are on the decline, leaving people with little option but to copy their drivers onto a USB flash drive, just to get the NIC working. The application also fetches the very latest (most stable) versions of drivers found on ASUS website. The most obvious disadvantage is cybersecurity. If any of ASUS' on-chip code has security vulnerabilities that can be exploited, there is little way to fix it but with BIOS updates from ASUS.
ASUS needs to make a few changes and release UEFI BIOS updates, on the double. One option could be to disable the Armour Create option in BIOS by default, so unsuspecting users don't get these files. It could be advertised in the home-screen of the UEFI setup instead. Another option could be to properly clean up the installed files if the users chooses to not use Armoury Crate and not install them again on next reboot. Also required is a GPDR-compliant license agreement, that clarifies which data is collected, how it is processed, and whether it is shared with third parties. While this probably won't happen, some kind of ASUS warranty to include liability for any future malware that exploits WPBT to survive OS reinstalls, would go a long way.
We're sure that as a market-leading motherboard vendor, the intentions behind this couldn't have been bad. It only needs a bit of polish, and a lot of transparency with the user.
75 Comments on ASUS Z390 Motherboards Automatically Push Software into Your Windows Installation
If China really wanted to do that, there are easier means in frickin official UEFI spec...He does however, speak for most I'd wager, excluding our resident "all privacy advocates hide midget porn." claimant.
At any rate this isn't a privacy problem. More a consent problem. And it's valid. We can all be happy. Just turn the frickin' option off by default.Because injustice is a fact makes everyone who complains about it a whiner? Please.
One less brand on my future motherboard list. My last Asus motherboard was 17 years ago when they really made and sell the best stuff. Since then i've been happy with MSI and Gigabyte.
Please quit trolling. A lot of board manufacturers are good. They all offer different features. Some even do good RMA service... :laugh:
It should be noted that legally speaking, this software install method is probably illegal in the EU.
That said, I could see this also being used as an attack vector. Imagine a new generation of malware that attacks this memory chip on the board. By installing itself to this memory chip, it would persist even through total reformat/reinstallation of the OS. Sounds a lot like that case our own @R-T-B was working on not too long ago... only instead of a weird one-off case, it could become common if features like this become common. What's to stop that from happening? No antivirus is 100% perfect, and the users of the computers with these features damn sure aren't, either. I wonder what this free cat screensaver is in my email? That's another reason why having to explicitly select an option in the UEFI to install would be a good thing... unless the malware could force install itself, anyways. Malware doesn't always play by the rules.
As for privacy? While I value privacy as much as the next guy on TPU, I don't think privacy is really a concern here. Sure, the potential for throwing user data at ASUS through the ASUS Armoury Crate app exists (I've never used the software, so don't shoot me if there's no telemetry there), but I think the bigger concern here is the fact that many PC enthusiasts, like, the people most likely to buy ASUS motherboards, usually don't want tons of bloatware apps running with their computer... so now PC enthusiasts who like ASUS now have to deal with this self installing ASUS Armoury Crate. As for me, I don't even like the fact that I have MSI Afterburner running at startup, but I have to live with it because I can't edit and flash my own GPU BIOS anymore like I used to in the old days (I'd find out what clocks my card was happy at, edit those into the BIOS along with a modified fan curve/min speed, flash, then uninstall whatever OC tool I used), so I'd likely be blocking this app as well. Why have unnecessary crap running? If privacy was that big of a concern, better just turn off the Internet. Every hardware and software device, even on your own network, be it your modem, router, operating system (Windows 10 says hello) or even the network driver carries the possibility of having backdoors/throwing your data somewhere/etc... and that's not even starting with what's outside your network. So yeah... I build my own computer for many reasons, but one of those reasons is because I don't want my computer coming with 50 free trials, which I didn't ask for, starting up with my computer. This move from ASUS doesn't fall in line with that too well.
connecting to the internet is unnaceptable before windows updates, not to mention malware installing itself into that uefi area
now what happens if you use some open wifi? how do you know it's downloading from asus? how did asus set it up (http/https/ftp/is it same as website support page)? what if they make a coding mistake or there's an incompatibility if your windows source install is too old or too new? but no, the disgusting troll in the thread bullying 'TPU users' as he said so by name is either retarded or has a disinformation agenda
now what's this nonsense about not being allowed to talk about priv issues, obviously it concerns the net, obviously it will be discussed on the net, why does everything need to be perfectly absolute all or nothing, what a crap excuse to be lazy... other social issues continue to have discussions & regulations changing over time, where is this 'dead' submissive talk for driving or alcohol or entertainment censorship or abortion or anything else
Keep it on topic.
Thank You.
Regardless, privacy is still managable to a limited extent if you know how.No?
The potential for it to be exploited could present a risk of exposing one's personal data and online habits. Especially to those who aren't too familiar or just starting out with computers.
EDIT: From what I read, it sounds more like ASUS is manufacturing GIGABYTE boards. ASUS is also an OEM BTW (Used to be much bigger when they owned Pegatron).
So yes, they make their motherboards and even made (and probably still do) laptop motherboards for different brands. My old toshiba laptop (from 2006) had an Asus motherboard in it.