
Plenty of Gigabyte motherboards have UEFI backdoors!

Mussels

Freshwater Moderator
Joined
Oct 6, 2004
Messages
58,412 (7.85/day)
Location
Oystralia
System Name Rainbow Sparkles (Power efficient, <350W gaming load)
Processor Ryzen R7 5800x3D (Undervolted, 4.45GHz all core)
Motherboard Asus x570-F (BIOS Modded)
Cooling Alphacool Apex UV - Alphacool Eisblock XPX Aurora + EK Quantum ARGB 3090 w/ active backplate
Memory 2x32GB DDR4 3600 Corsair Vengeance RGB @3866 C18-22-22-22-42 TRFC704 (1.4V Hynix MJR - SoC 1.15V)
Video Card(s) Galax RTX 3090 SG 24GB: Underclocked to 1700Mhz 0.750v (375W down to 250W))
Storage 2TB WD SN850 NVME + 1TB Sasmsung 970 Pro NVME + 1TB Intel 6000P NVME USB 3.2
Display(s) Phillips 32 32M1N5800A (4k144), LG 32" (4K60) | Gigabyte G32QC (2k165) | Phillips 328m6fjrmb (2K144)
Case Fractal Design R6
Audio Device(s) Logitech G560 | Corsair Void pro RGB |Blue Yeti mic
Power Supply Fractal Ion+ 2 860W (Platinum) (This thing is God-tier. Silent and TINY)
Mouse Logitech G Pro wireless + Steelseries Prisma XL
Keyboard Razer Huntsman TE ( Sexy white keycaps)
VR HMD Oculus Rift S + Quest 2
Software Windows 11 pro x64 (Yes, it's genuinely a good OS) OpenRGB - ditch the branded bloatware!
Benchmark Scores Nyooom.
Disabling it completely negates the vulnerability anyways.
Only if it's done before the OS is first booted up, and that can't be done on their OEM Desktop and laptop systems
One malicious operator in a factory can change a single setting and mass-infect many systems at once, or slowly infect only some and no one would know.
 
Joined
May 17, 2021
Messages
3,550 (2.58/day)
Processor Ryzen 5 5700x
Motherboard B550 Elite
Cooling Thermalright Perless Assassin 120 SE
Memory 32GB Fury Beast DDR4 3200Mhz
Video Card(s) Gigabyte 3060 ti gaming oc pro
Storage Samsung 970 Evo 1TB, WD SN850x 1TB, plus some random HDDs
Display(s) LG 27gp850 1440p 165Hz 27''
Case Lian Li Lancool II performance
Power Supply MSI 750w
Mouse G502
Only if it's done before the OS is first booted up, and that can't be done on their OEM Desktop and laptop systems
One malicious operator in a factory can change a single setting and mass-infect many systems at once, or slowly infect only some and no one would know.

One malicious operator in a factory would not need to go that route if he wanted to mass infect the systems, in Gigabyte or any other manufacturer.
Changing the setting by itself doesn't infect the system
You're assuming they have access to either the BIOS and/or OS code.
If they change the setting and ALSO do something else to infect the system, the vulnerability is irrelevant.
 
Joined
Aug 20, 2007
Messages
21,800 (3.41/day)
Location
Olympia, WA
System Name Pioneer
Processor Ryzen 9 9950X
Motherboard MSI MAG X670E Tomahawk Wifi
Cooling Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory 128GB (4x 32GB) G.Skill Flare X5 @ DDR5-4000 (Running 1:1:1 to FCLK)
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs, 1x 2TB Seagate Exos 3.5"
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
Only if it's done before the OS is first booted up,
Or you trust your ISP you connect via, honestly. How many are building their PC using a public hotspot that happens to be infected dns-wise?

This whole thing is a vulnerability, but not as big as many make it out to be.
 
Joined
Feb 1, 2019
Messages
3,846 (1.74/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
Option on new asrock board auto driver updates, turned it off.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
43,731 (6.78/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
Joined
Apr 18, 2019
Messages
2,516 (1.18/day)
Location
Olympia, WA
System Name Sleepy Painter
Processor AMD Ryzen 5 3600
Motherboard Asus TuF Gaming X570-PLUS/WIFI
Cooling FSP Windale 6 - Passive
Memory 2x16GB F4-3600C16-16GVKC @ 16-19-21-36-58-1T
Video Card(s) MSI RX580 8GB
Storage 2x Samsung PM963 960GB nVME RAID0, Crucial BX500 1TB SATA, WD Blue 3D 2TB SATA
Display(s) Microboard 32" Curved 1080P 144hz VA w/ Freesync
Case NZXT Gamma Classic Black
Audio Device(s) Asus Xonar D1
Power Supply Rosewill 1KW on 240V@60hz
Mouse Logitech MX518 Legend
Keyboard Red Dragon K552
Software Windows 10 Enterprise 2019 LTSC 1809 17763.1757
Forced migration to Secure Boot and TPM, in the name of security?
Yet, these msft-facilitated 'holes', "exist".

As a matter of 'observed consequence(s)', I don't think anyone can deny at this point:

"It's never been about security; it's always been about control"
 
Joined
Jul 30, 2019
Messages
3,441 (1.69/day)
System Name Still not a thread ripper but pretty good.
Processor Ryzen 9 7950x, Thermal Grizzly AM5 Offset Mounting Kit, Thermal Grizzly Extreme Paste
Motherboard ASRock B650 LiveMixer (BIOS/UEFI version P3.08, AGESA 1.2.0.2)
Cooling EK-Quantum Velocity, EK-Quantum Reflection PC-O11, D5 PWM, EK-CoolStream PE 360, XSPC TX360
Memory Micron DDR5-5600 ECC Unbuffered Memory (2 sticks, 64GB, MTC20C2085S1EC56BD1) + JONSBO NF-1
Video Card(s) XFX Radeon RX 5700 & EK-Quantum Vector Radeon RX 5700 +XT & Backplate
Storage Samsung 4TB 980 PRO, 2 x Optane 905p 1.5TB (striped), AMD Radeon RAMDisk
Display(s) 2 x 4K LG 27UL600-W (and HUANUO Dual Monitor Mount)
Case Lian Li PC-O11 Dynamic Black (original model)
Audio Device(s) Corsair Commander Pro for Fans, RGB, & Temp Sensors (x4)
Power Supply Corsair RM750x
Mouse Logitech M575
Keyboard Corsair Strafe RGB MK.2
Software Windows 10 Professional (64bit)
Benchmark Scores RIP Ryzen 9 5950x, ASRock X570 Taichi (v1.06), 128GB Micron DDR4-3200 ECC UDIMM (18ASF4G72AZ-3G2F1)
Forced migration to Secure Boot and TPM, in the name of security?
Yet, these msft-facilitated 'holes', "exist".

As a matter of 'observed consequence(s)', I don't think anyone can deny at this point:

"It's never been about security; it's always been about control"
Unfortunately this seems to be a pattern amongst varying levels of authority. Let's hope we continue to have choices in the future between running Microsoft and Linux (and others) on consumer hardware.

Option on new asrock board auto driver updates, turned it off.
I think I saw this on an ASRock motherboard for AM4 but I can't recall which one. I will have to go through the ones I have and report back here just as an FYI.
 
Joined
Aug 20, 2007
Forced migration to Secure Boot and TPM, in the name of security?
Yet, these msft-facilitated 'holes', "exist".
These facilities (UEFI Preload and secure boot/TPM) are honestly completely distinct from each other. In other words they are as related as an orange and well ... a brick. And furthermore, attempting to tie this hole to MS is quite a stretch bordering on complete paranoia.
 
Joined
Jul 30, 2019
ASRock has something that seems similar in UEFI/BIOS of their DeskMini X300 called "Auto Driver Installer".

It's in their current BIOS 1.80A


I remember fiddling with it and it installed something when I was doing a test install.
When I was ready to do a real install on that system I wasn't sure what it was installing so I opted to turn it off.

(edit)

I updated to 1.80F and it seems ASRock enables the "Auto Driver Installer" option by default.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Forced migration to Secure Boot and TPM, in the name of security?
Yet, these msft-facilitated 'holes', "exist".

As a matter of 'observed consequence(s)', I don't think anyone can deny at this point:

"It's never been about security; it's always been about control"
Lsass.exe was a backdoor in XP
 
Joined
Nov 7, 2017
Messages
2,116 (0.79/day)
Location
Ibiza, Spain.
System Name Main
Processor R7 5950x
Motherboard MSI x570S Unify-X Max
Cooling converted Eisbär 280, two F14 + three F12S intake, two P14S + two P14 + two F14 as exhaust
Memory 16 GB Corsair LPX bdie @3600/16 1.35v
Video Card(s) GB 2080S WaterForce WB
Storage six M.2 pcie gen 4
Display(s) Sony 50X90J
Case Tt Level 20 HT
Audio Device(s) Asus Xonar AE, modded Sennheiser HD 558, Klipsch 2.1 THX
Power Supply Corsair RMx 750w
Mouse Logitech G903
Keyboard GSKILL Ripjaws
VR HMD NA
Software win 10 pro x64
Benchmark Scores TimeSpy score Fire Strike Ultra SuperPosition CB20
glad i switched to MSI on my current board.

for the past 10y i haven't seen a Gb board making more sense than what others offered, as they always had "less" in the same price range,
so i never used them for any builds, short of some "for 1$" sale (with cpu).
only cause of a big discount (200 vs 300$) did i get the X570 Ultra, suffering BLCK above 100.00/Voltages up to 0.05 higher (when using AMP),
or that using ErP, would disable wifi/BT (short of recovery flash after removing cmos batt over night).

now i have 3 more fan ports, all V's are where they should be (even when using AMP), no wifi (so i can update without bios doing anything online), no rgb either.

then again, i never leave anything "stock", when it comes to settings.
 

Mussels

Freshwater Moderator
Joined
Oct 6, 2004
Or you trust your ISP you connect via, honestly. How many are building their PC using a public hotspot that happens to be infected dns-wise?

This whole thing is a vulnerability, but not as big as many make it out to be.
You don't seem to understand - you can be on a trusted connection, and the DNS can still be re-routed elsewhere.
With plain HTTP, ANY router between you and that final destination can redirect that traffic

You'd need to be running DoH, DoT or DNS over QUIC to prevent this being a security issue and I can absolutely guarantee no one affected by this is, because it's not enabled out of the box in windows.


You (In the general sense, not you specifically) can argue however you like that YOU change things and YOU do this and you do that... no, you do that AFTER you install windows - not when these rootkits activate at first boot.

Lsass.exe was a backdoor in XP
Local Security Authority Subsystem Service

It was used to verify users and passwords - i'm not sure where you've managed to pull that from
Local Security Authority Subsystem Service - Wikipedia

ASRock has something that seems similar in UEFI/BIOS of their DeskMini X300 called "Auto Driver Installer".

It's in their current BIOS 1.80A

I remember fiddling with it and it installed something when I was doing a test install.
When I was ready to do a real install on that system I wasn't sure what it was installing so I opted to turn it off.

(edit)

I updated to 1.80F and it seems ASRock enables the "Auto Driver Installer" option by default.
Crap, asrock have added it too then

The big problem is how they use it - Giga was verified to use plain HTTP with no verification that the software was legit, and giving whatever was at the other end admin rights
We need people to sniff the traffic for all the brands and do detailed testing, but i'm surprised at how few people understand how network traffic works... it's not you->destination, and without encryption and security there can be dozens of hops along the way that can redirect your traffic invisibly because that's how the internet works in the first place

Plain HTTP traffic over unencrypted DNS to an open to the public webserver with no login credentials, that runs any code they want with no security checks... yes sure, smart.
 
Last edited:
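The failure mode described in the post above (plain HTTP, no check that the download is legit, then run with admin rights) next to a gate that would refuse it. This is an added example, not code from the thread or from any vendor; the host name, the pinned-digest allow-list and the payload bytes are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample payloads ("MZ" is the magic at the start of a Windows PE file).
GENUINE = b"MZ" + b"\x90" * 64 + b"vendor-updater-build-1"
TAMPERED = b"MZ" + b"\x90" * 64 + b"swapped-in-transit"

# Hypothetical trust anchors baked into the firmware image at build time, so the
# decision to run a payload never depends on the network path being honest.
PINNED_SHA256 = frozenset({hashlib.sha256(GENUINE).hexdigest()})
ALLOWED_HOSTS = frozenset({"updates.vendor.example"})  # reserved .example name


def naive_gate(url, payload):
    """Behaviour described in the thread: run whatever came back."""
    return True, []


def hardened_gate(url, payload, pinned=PINNED_SHA256, hosts=ALLOWED_HOSTS):
    """Return (ok, reasons); the payload may run only if reasons is empty."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Cleartext: every hop between client and server can rewrite the body.
        reasons.append("transport is not HTTPS")
    if parts.hostname not in hosts:
        reasons.append("host is not on the allow-list")
    digest = hashlib.sha256(payload).hexdigest()
    # Integrity check is independent of transport and DNS: a redirected or
    # rewritten response yields a different digest and is refused.
    if not any(hmac.compare_digest(digest, p) for p in pinned):
        reasons.append("payload digest is not pinned")
    return (not reasons), reasons


def run_cases():
    """Evaluate both gates on four constructed downloads."""
    http_url = "http://updates.vendor.example/updater.exe"
    https_url = "https://updates.vendor.example/updater.exe"
    cases = {
        "http + genuine": (http_url, GENUINE),
        "http + tampered": (http_url, TAMPERED),
        "https + tampered": (https_url, TAMPERED),
        "https + genuine": (https_url, GENUINE),
    }
    results = {}
    for label, (url, payload) in cases.items():
        naive_ok, _ = naive_gate(url, payload)
        hard_ok, reasons = hardened_gate(url, payload)
        results[label] = (naive_ok, hard_ok, reasons)
    return results


if __name__ == "__main__":
    for label, (naive_ok, hard_ok, reasons) in run_cases().items():
        print(f"{label:18} naive={naive_ok} hardened={hard_ok} {reasons}")
```

The "https + tampered" case is the one to note: encrypting the transport does not help if the content itself is never verified, and the digest check is what makes a DNS or routing redirect harmless.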
Joined
Aug 20, 2007
You don't seem to understand - you can be on a trusted connection, and the DNS can still be re-routed elsewhere.
With plain HTTP, ANY router between you and that final destination can redirect that traffic
DNSSEC would like a word with you. Nearly every isp and third party dns server has this implemented today.

And while what you are talking about is possible in theory, I can count on exactly one finger the amount of times I've dealt with it in the real world. (And the guy was a high value client with a compromised cable node).

We need people to sniff the traffic for all the brands and do detailed testing
Ironic, as encryption will stop that dead in its tracks.
 
Joined
Nov 7, 2017
@rtb
and statistically we can operate nuclear power plants for 1M years before a catastrophic meltdown,
yet Chernobyl happened after how many years?
so that's also just one finger counted... :D
sarcasm mode: off

never say "never" (or rare)...
 
Joined
Aug 20, 2007
@rtb
and statistically we can operate nuclear power plants for 1M years before a catastrophic meltdown,
yet Chernobyl happened after how many years?
so that's also just one finger counted... :D
sarcasm mode: off

never say "never" (or rare)...
I mean of course there'll be a couple dumb enough or with a bad enough ISP for this to be a legit issue, but like the nuclear plants, we aren't talking very large numbers. And unlike the nuclear issue, I'm not losing sleep over it.
 
Joined
Apr 18, 2019
These facilities (UEFI Preload and secure boot/TPM) are honestly completely distinct from each other. In other words they are as related as an orange and well ... a brick. And furthermore, attempting to tie this hole to MS is quite a stretch bordering on complete paranoia.

Doesn't matter that they're distinct technologies, my post said that Msft facilitated and pushed migration to these 'new, secure' "technologies".
Which, are proving to be not secure at all.

Apples and Oranges may be different, but rot is rot; it doesn't much care for what all is in one's basket.

The entire scheme is rotten, and companies wanting more data on/from more captive customers, is nothing new.
Literally, The Internet Economy runs on this concept.

Furthermore,
How can anyone unironically use accusations of paranoia these days?
One's gotta have some Prescription Strength Blinders on not to see: most of the world is not, and has not been 'as it seems'.


Lsass.exe was a backdoor in XP

Fugg. THAT.

That was (related to) the very first piece of 'real malware' I ever had to deal with.
-Was a kid sitting on the phone w/ HP trying to get my desktop to stop rebooting because of LSASS.EXE being exploited.
 
Joined
Aug 20, 2007
Doesn't matter that they're distinct technologies, my post said that Msft facilitated and pushed migration to these 'new, secure' "technologies".
It literally does because those technologies have zero to do with this thread's subject vulnerability.

I'll agree with you that hardware security is silly and stupid, it just has nothing to do with this particular stupid. If you want to blame someone for lobbying for UEFI preload, I'd be looking at Lenovo long and hard well before Microsoft.
 
Joined
Aug 30, 2006
Messages
7,228 (1.07/day)
System Name ICE-QUAD // ICE-CRUNCH
Processor Q6600 // 2x Xeon 5472
Memory 2GB DDR // 8GB FB-DIMM
Video Card(s) HD3850-AGP // FireGL 3400
Display(s) 2 x Samsung 204Ts = 3200x1200
Audio Device(s) Audigy 2
Software Windows Server 2003 R2 as a Workstation now migrated to W10 with regrets.
Love the idea of UEFI preload in AI robots and military infrastructure. Seriously, this is worse than MS internet explorer built in and default in Windows. We are going to need regulation to ban this sht. UEFI consortium should be sued then fined
 
Joined
Aug 20, 2007
Love the idea of UEFI preload in AI robots and military infrastructure.
It's actually been an issue for nearly a decade, just mostly new to the DIY PC space. Lenovo was a pioneer in shipping bad shit via UEFI preloads. They've actually been caught literally shipping malware via it in the past.

Government avoids it mostly by not ordering off the shelf parts.
 

Mussels

Freshwater Moderator
Joined
Oct 6, 2004
DNSSEC would like a word with you. Nearly every isp and third party dns server has this implemented today.

And while what you are talking about is possible in theory, I can count on exactly one finger the amount of times I've dealt with it in the real world. (And the guy was a high value client with a compromised cable node).


Ironic, as encryption will stop that dead in its tracks.
Google/Nest routers?
Reroutes all DNS traffic on you without user knowledge to a hardcoded 8.8.8.8, bypassing and breaking a lot of networks (anything with a login page for credentials, for example)
my Telstra gateways have a redirect like this if they think you're offline, redirecting traffic to the router's settings page. These sort of redirects and hijacks are incredibly common, which means it's also possible to change where they redirect to.

Remember that in the world of automated hacking and botnets, it's entirely possible to run something like this and passively install to millions of machines before being detected - hardware flaws like hardcoded IP addresses just give an easy attack vector that requires no effort and just waiting to see what machines fall into the trap


Do i think this is GOING to happen? no.
Do i think companies need to stop making it easy for the hackers? Yes. ASUS, MSI and Gigabyte all now have done this, with giga just being dumbasses of the worst kind with hardcoded HTTP addresses.
 
Joined
Aug 20, 2007
Google/Nest routers?
Reroutes all DNS traffic on you without user knowledge to a hardcoded 8.8.8.8
Which is DNSSEC enabled...

Do i think companies need to stop making it easy for the hackers? Yes. ASUS, MSI and Gigabyte all now have done this, with giga just being dumbasses of the worst kind with hardcoded HTTP addresses.
No disagreement there. We just need to balance our panic against actual severity.
 