Gigabyte shipped millions of motherboards with a dangerous firmware backdoor

According to cybersecurity experts from Eclypsium, computer hardware manufacturer Gigabyte installed a backdoor in the firmware of its motherboards, putting 271 motherboard models at risk of being hacked. The lengthy list of affected models features nearly every motherboard Gigabyte has put out in recent years, including the latest Z790 and X670 units.

As Eclypsium’s blog explains, Gigabyte embedded a Windows executable into the firmware of its motherboards that runs when the computer boots up. In other words, every time you reboot your computer, code in the motherboard’s firmware initiates Gigabyte’s app center, which downloads and runs an executable payload from the internet.

“The firmware does not implement any cryptographic digital signature verification or any other validation over the executables,” Eclypsium warns. “The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use […] As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM (machine-in-the-middle attacks) or compromised infrastructure.”

If you aren’t sure which motherboard your PC has, you can check by going to Start > Windows Tools > System Information. Look for “BaseBoard Manufacturer” and “BaseBoard Product.” If the product you see is on the list, you might want to take action.

Here are a few recommendations from Eclypsium to minimize risk:

• Scan and monitor systems and firmware updates in order to detect affected Gigabyte systems and the backdoor-like tools embedded in firmware. Update systems to the latest validated firmware and software in order to address security issues like this one.
• Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes.
• Administrators can also block the following URLs:

Eclypsium is currently working with Gigabyte to address this backdoor implementation.

According to cybersecurity experts from Eclypsium, computer hardware manufacturer Gigabyte installed a backdoor in the firmware of its motherboards, putting 271 motherboard models at risk of being hacked. The lengthy list of affected models features nearly every motherboard Gigabyte has put out in recent years, including the latest Z790 and X670 units.

As Eclypsium’s blog explains, Gigabyte embedded a Windows executable into the firmware of its motherboards that runs when the computer boots up. In other words, every time you reboot your computer, code in the motherboard’s firmware initiates Gigabyte’s app center, which downloads and runs an executable payload from the internet.

“The firmware does not implement any cryptographic digital signature verification or any other validation over the executables,” Eclypsium warns. “The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use […] As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM (machine-in-the-middle attacks) or compromised infrastructure.”

If you aren’t sure which motherboard your PC has, you can check by going to Start > Windows Tools > System Information. Look for “BaseBoard Manufacturer” and “BaseBoard Product.” If the product you see is on the list, you might want to take action.

Here are a few recommendations from Eclypsium to minimize risk:

• Scan and monitor systems and firmware updates in order to detect affected Gigabyte systems and the backdoor-like tools embedded in firmware. Update systems to the latest validated firmware and software in order to address security issues like this one.
• Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes.
• Administrators can also block the following URLs:

Eclypsium is currently working with Gigabyte to address this backdoor implementation.