Millions of motherboards built by Gigabyte were shipped out with a firmware backdoor that could have been abused to drop malware to the devices, experts have warned.
In a blog post, security firm Eclypsium said that it recently spotted “backdoor-like behavior within Gigabyte systems in the wild.”
Further analysis discovered that Gigabyte motherboards, a total of 271 different models, carried a hidden mechanism that quietly runs an updater program, which connects to a remote server, downloads, and then executes, software. While it might sound suspicious at best, but most likely malicious, Eclypsium says the updater’s goal is a lot more benign: to keep the motherboard’s firmware up to date.
Missing proper authentication
Be that as it may, the researchers found that the updater is implemented insecurely, allowing threat actors to hijack the updater and use it for their own nefarious purposes. Apparently, the updater downloads code without proper authentication, in some cases even over an HTTP connection (as opposed to HTTPS). This would make man-in-the-middle attacks on rogue Wi-Fi networks a possibility, allowing potential threat actors to spoof the installation source and drop malware.
It’s important to note that the updater works from the firmware, and as such is immune to antivirus programs, endpoint security solutions, and similar.
So far, Gigabyte has been relatively quiet on the matter. Eclypsium says it’s now working with the manufacturer on a fix, and other than that, the Taiwanese giant did not want to answer any questions, Wired reports.
The fix would most likely include a firmware update which would need to be pushed to millions of potentially affected devices. Gigabyte will also need to find a better way to deliver firmware updates to its hardware.