Plenty of Gigabyte motherboards have UEFI backdoors!

[AlwaysHope]

As per the title.. seems a LOT of modern Gigabyte platforms have this issue.
Keep in mind this is what the world now knows of from this one vendor, how many others out there have issues like this too?

Supply Chain Risk from Gigabyte App Center Backdoor - Eclypsium | Supply Chain Security for the Modern Enterprise

Eclypsium Research discovers that Gigabyte motherboards have an embedded backdoor in their firmware, which drops a Windows executable that can download and execute additional payloads insecurely. The backdoor affects gaming PCs and high-end computers.

eclypsium.com

 

[Solaris17]

Yup

https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf

This is what happens when manufacturers use there powers for bad.

For shame gigabyte.

 

[natr0n]

I disabled that "app center" in bios. I never knew it can download shit automatically to your desktop.

I also made a pi-hole recently so aware of everything going in and out.

 

[eidairaman1]

As per the title.. seems a LOT of modern Gigabyte platforms have this issue.
Keep in mind this is what the world now knows of from this one vendor, how many others out there have issues like this too?

Supply Chain Risk from Gigabyte App Center Backdoor - Eclypsium | Supply Chain Security for the Modern Enterprise

Eclypsium Research discovers that Gigabyte motherboards have an embedded backdoor in their firmware, which drops a Windows executable that can download and execute additional payloads insecurely. The backdoor affects gaming PCs and high-end computers.

eclypsium.com

Yup their servers were compromised, msis too...

 

[Mussels]

As per the title.. seems a LOT of modern Gigabyte platforms have this issue.
Keep in mind this is what the world now knows of from this one vendor, how many others out there have issues like this too?

Supply Chain Risk from Gigabyte App Center Backdoor - Eclypsium | Supply Chain Security for the Modern Enterprise

Eclypsium Research discovers that Gigabyte motherboards have an embedded backdoor in their firmware, which drops a Windows executable that can download and execute additional payloads insecurely. The backdoor affects gaming PCs and high-end computers.

eclypsium.com

Asus do it too, you can disable the feature in the BIOS to stop the local file install and the subsequent internet activity. It's always been a security risk and entirely stupid of them to do.

 

[tpa-pr]

Well, the hits just keep on coming this year. I guess I'll go and turn that off in the BIOS too.

None of the happenings this year make me regret my build but boy am I unimpressed with multiple vendors.

 

[Ferrum Master]

Weird, why my Z590I VISION D is absent in the list.

 

[Aleksandar_038]

Oh great, so now after Asus, we have Shitabyte doing this trick too?

I cannot possibly fathom ANY reason mb manufacturers would use this... It is stupid and completely unnecessary.

Was there any info about BioStar, MSI and ASRock?

 

[Mussels]

Oh great, so now after Asus, we have Shitabyte doing this trick too?

I cannot possibly fathom ANY reason mb manufacturers would use this... It is stupid and completely unnecessary.

Was there any info about BioStar, MSI and ASRock?

This article was exclusively on gigabyte, I have no idea if they preinstall crapware too.

It's definitely something that needs to be stopped, as the security risk is massive and almost impossible to stop at the users end - hackers could take over the remote server and infect every new install from that point onwards, or use DNS hijacking and only target specific locations (Hijack the DNS at a location that does final testing for gigabyte laptops or prebuilts, and you could infect them all on first boot)

Something like VPN's are a way for that to work and a way to target victims, or those debloated cut down versions of windows would be a perfect way to abuse these backdoors. It'd only affect users on asus/gigabute with the feature enabled, but they could easily and simply hide a redirect and get access to thousands of systems for little effort - and the majority of tested machines would come back clean, letting them get away with it.

 

[Toothless]

This article was exclusively on gigabyte, I have no idea if they preinstall crapware too.

It's definitely something that needs to be stopped, as the security risk is massive and almost impossible to stop at the users end - hackers could take over the remote server and infect every new install from that point onwards, or use DNS hijacking and only target specific locations (Hijack the DNS at a location that does final testing for gigabyte laptops or prebuilts, and you could infect them all on first boot)

Something like VPN's are a way for that to work and a way to target victims, or those debloated cut down versions of windows would be a perfect way to abuse these backdoors. It'd only affect users on asus/gigabute with the feature enabled, but they could easily and simply hide a redirect and get access to thousands of systems for little effort - and the majority of tested machines would come back clean, letting them get away with it.

Fresh Windows install and Asus asks if you want to install Armory Crate. Did it yesterday on W11.

 

[Aleksandar_038]

This article was exclusively on gigabyte, I have no idea if they preinstall crapware too.

It's definitely something that needs to be stopped, as the security risk is massive and almost impossible to stop at the users end - hackers could take over the remote server and infect every new install from that point onwards, or use DNS hijacking and only target specific locations (Hijack the DNS at a location that does final testing for gigabyte laptops or prebuilts, and you could infect them all on first boot)

Something like VPN's are a way for that to work and a way to target victims, or those debloated cut down versions of windows would be a perfect way to abuse these backdoors. It'd only affect users on asus/gigabute with the feature enabled, but they could easily and simply hide a redirect and get access to thousands of systems for little effort - and the majority of tested machines would come back clean, letting them get away with it.

What I do not understand is what MB makers stand to gain from this stunt... Except obvious negative publicity, a lot of problems and potential problems... I do not understand.

 

[Mussels]

Fresh Windows install and Asus asks if you want to install Armory Crate. Did it yesterday on W11.

That's because you have the BIOS setting enabled

What I do not understand is what MB makers stand to gain from this stunt... Except obvious negative publicity, a lot of problems and potential problems... I do not understand.

While i normally tell people to stop claiming companies are spying on them, in this case they are spying on you.
They want you to install their software so they know what hardware you used, your rough geographical location and whatever other basic data they can legally collect.

That data is more valuable to some of them than the hardware sales, since it lets them cater their marketing and products to the next generation of buyers

 

[R0H1T]

Why the eff does this useless "feature" even exist

Also shouldn't Windows/third part AV's be able to block this?

 

[Mussels]

Why the eff does this useless "feature" even exist

Also shouldn't Windows/third part AV's be able to block this?

No idea
They could block it, but if a user consents it's not malware - the problem is this dumb feature can be too easily hijacked.

They should just put their apps on the microsoft store, but then they might have quality standards to uphold.

 

[JalleR]

Well if you Plugin a HP monitor to your system then HP "Omen" software will be installed on your system without you saying yes to it.....!!!!!, maybe i have missed a setting in M$ but one day it was just there.....!!!

 

[Calmmo]

Well, the hits just keep on coming this year. I guess I'll go and turn that off in the BIOS too.

None of the happenings this year make me regret my build but boy am I unimpressed with multiple vendors.

Pretty sure at this point all boards do that. Asus is the same with their spyware, at least it can be for now disabled.

 

[Bomby569]

They did made my windows pop up a notification to install the app center thing without me having any gigabyte software install and after a BIOS update, so it's clear to me the BIOS can run code inside windows, someone could easily make a fake BIOS on some website and run code. Apparently Asus does the same. I don't think this is that big of a newsflash

Idk if this is a common thing or just for Gigabyte but no one should have download BIOS from untrusted sources, but even without this warning i think it would still be unreasonable to download BIOS from places other then the manufacturers website and especially places you can't trust.

As to the app center i never used that sort of programs, but i don't see how it fetches compromised BIOS, the program itself had to be compromised. Again don't download from untrusted sources, but all this seems obvious.

Not sure what the real news is here.

 

[R0H1T]

Well if you Plugin a HP monitor to your system then HP "Omen" software will be installed on your system without you saying yes to it.....!!!!!, maybe i have missed a setting in M$ but one day it was just there.....!!!

But you can probably disable it though Windows, this here's the scary part ~

This Windows executable is embedded into UEFI firmware and written to disk by firmware as part of the system boot process, a technique commonly used by UEFI implants and backdoors. During the Driver Execution Environment (DXE) phase of the UEFI firmware boot process, the “WpbtDxe.efi” firmware module uses the above GUID to load the embedded Windows executable file into memory, installing it into a WPBT ACPI table which will later be loaded and executed by the Windows Session Manager Subsystem (smss.exe) upon Windows startup. The “WpbtDxe.efi” module checks if the “APP Center Download & Install” feature has been enabled in the BIOS/UEFI Setup before installing the executable into the WPBT ACPI table. Although this setting appears to be disabled by default, it was enabled on the system we examined.

I wonder if any "bad actor" modified or gained access to any of the BIOSes & served actual malware to unsuspecting users!

 

[Mussels]

They did made my windows pop up a notification to install the app center thing without me having any gigabyte software install and after a BIOS update, so it's clear to me the BIOS can run code inside windows, someone could easily make a fake BIOS on some website and run code. Apparently Asus does the same. I don't think this is that big of a newsflash

Idk if this is a common thing or just for Gigabyte but no one should have download BIOS from untrusted sources, but even without this warning i think it would still be unreasonable to download BIOS from places other then the manufacturers website and especially places you can't trust.

As to the app center i never used that sort of programs, but i don't see how it fetches compromised BIOS, the program itself had to be compromised. Again don't download from untrusted sources, but all this seems obvious.

Not sure what the real news is here.

Look at how many months went by with fake results for MSI afterburner giving people malware during the mining boom.

These boards point to unsecure web addresses and hacking those or redirecting traffic from them lets them install malware as if it was direct from asus or aorus. Users don't have to do a thing, and all their preloaded laptops and desktops would contain that software.

 

[P4-630]

I disabled that "app center" in bios.

Did that as well.

 

[Bomby569]

These boards point to unsecure web addresses and hacking those or redirecting traffic from them lets them install malware as if it was direct from asus or aorus. Users don't have to do a thing, and all their preloaded laptops and desktops would contain that software.

oh, ok i get it now.

 

[WonkoTheSaneUK]

Hmm. Looks like my X570S Aero G motherboard isn't vulnerable to this.
Besides, I run Linux 99.9% of the time anyway.

 

[TheoneandonlyMrK]

That's because you have the BIOS setting enabled


While i normally tell people to stop claiming companies are spying on them, in this case they are spying on you.
They want you to install their software so they know what hardware you used, your rough geographical location and whatever other basic data they can legally collect.

That data is more valuable to some of them than the hardware sales, since it lets them cater their marketing and products to the next generation of buyers

True , whilst tangential I noted recently that Asus adapted their support pages recently.

Not counting WiFi, Bluetooth and sound drivers which remain normally available.

It was previously possible to download part's of Asus software separate and individually, Now it is not you need to DL armoury crate to get board specific functions like RGB or AI assisted fast usb charging working.

But obviously in doing so you don't and never did just get what you want, that's impossible, it's all or nothing.

This needs to stop IMHO, it's clear and always was that these companies are less secure than they suggest and targeted significantly more than they expected.

As for Gigabyte they have been on my shit list for years now because I have used them a lot over the years mostly because that's what others wanted or all they could afford Ds3's tend to be cheapest.

 

[lemonadesoda]

Thanks for this news feature. Fk UEFI standards that has allowed code injection onto an OS. I hope some gvt or large corp gets compromised and they hsve the resources to bring down Thors hammer on gigabyte and UEFI protocols so this nefarious spy and code injection is legally banned.

 

[P4-630]

The new BIOS'es were out for download already.
Fixed.