The code deep within a computer’s UEFI firmware that tells a PC how to load its operating system has become an insidious trick in the toolkit of stealthy hackers. But when motherboard makers install their own hidden backdoor in the firmware of millions of computers, without even properly locking that backdoor, they’re effectively doing the hackers’ work for them.
Researchers at firmware-focused cybersecurity firm Eclypsium revealed today that they discovered a hidden mechanism in the firmware of motherboards sold by Taiwanese manufacturer Gigabyte, a component commonly used in gaming PCs and other high-performance computers. Eclypsium found that whenever a computer with an affected Gigabyte motherboard is restarted, code in the motherboard’s firmware invisibly launches an update program that runs on the computer, which then downloads and executes another piece of software.
While Eclypsium says the hidden code is a harmless tool that keeps motherboard firmware updated, the researchers found that its implementation was insecure, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte’s intended program. And because the updater is triggered by the computer’s firmware, outside of its operating system, it’s difficult for users to remove or even discover it.
“If you own one of these machines, you have to worry about the fact that it’s basically grabbing something from the internet and running it without your involvement, and not doing any of that securely,” said John Loucaides, head of strategy and research at Eclypsium. “The concept of reaching under the end user and taking over their machine is not for most people.”
In its blog post about the research, Eclypsium listed 271 Gigabyte motherboard models that the researchers said were affected. Users who want to see which motherboard their computer uses can do so by going to Start in Windows and then System Information, Loucaides added.
Eclypsium said it discovered Gigabyte’s hidden firmware mechanism while scanning customers’ computers for malicious firmware-based code, an increasingly common technique among sophisticated hackers. In 2018, for example, hackers working on behalf of Russia’s GRU military intelligence agency were caught quietly installing the firmware-based anti-theft software LoJack on victims’ machines as an espionage tactic. Two years later, Chinese state-sponsored hackers were found to be repurposing firmware-based spyware tools created by the hacker-for-hire firm Hacking Team to target the computers of diplomats and NGO workers in Africa, Asia, and Europe. Eclypsium’s researchers were surprised when their automated detection scans flagged Gigabyte’s updater mechanism for some of the same shady behavior as those state-sponsored hacking tools: hiding in firmware and silently installing a program that downloads code from the internet.
Gigabyte’s update program alone may raise concerns among users who don’t trust Gigabyte to quietly install code on their machines with a nearly invisible tool, or who worry that the mechanism could be abused by hackers who compromise the motherboard manufacturer and use its hidden access in a software supply chain attack. But Eclypsium also found glaring flaws in the implementation of the update mechanism that could allow it to be hijacked: it downloads code to the user’s machine without properly authenticating the code it receives, and sometimes does so over an unprotected HTTP connection instead of HTTPS. That would allow the download to be spoofed by a man-in-the-middle attack, in which anyone able to intercept the user’s internet connection, such as the operator of a rogue Wi-Fi network, swaps in their own code.
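To make the two flaws concrete, here is an added example, written for this page and not code from Gigabyte or Eclypsium. It models the boot-time updater described above (a small program that fetches a second binary and hands it off for execution) in two versions: the weak pattern the article describes, which runs whatever bytes arrive over whatever scheme it was given, and a hardened version that refuses plaintext HTTP and only runs a payload carrying a valid Ed25519 signature from a key pinned in the updater. The network is simulated by a function so the example runs offline; the URL, the key pair, and the two sample "binaries" are constructed for illustration. Note that the https check on its own only stands in for a TLS client that actually validates the server certificate; it is the signature check that defeats a rogue access point, which can rewrite the bytes in transit but cannot sign them with the vendor's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// response is what the stand-in network returns: the update binary and a
// detached signature over it (attacker-signed when a man-in-the-middle is present).
type response struct {
	payload []byte
	sig     []byte
}

// fetcher stands in for the HTTP client so the example runs offline and the
// "server's" answer can be replaced to model a man-in-the-middle.
type fetcher func(rawURL string) (response, error)

// vulnerableUpdate mirrors the pattern the article describes: fetch from the
// configured URL over whatever scheme it has and return the bytes for execution
// without checking who produced them.
func vulnerableUpdate(fetch fetcher, rawURL string) ([]byte, error) {
	r, err := fetch(rawURL)
	if err != nil {
		return nil, err
	}
	return r.payload, nil // caller writes this to disk and runs it
}

// hardenedUpdate refuses plaintext HTTP and only accepts a payload whose
// Ed25519 signature verifies under the key pinned in the updater itself.
func hardenedUpdate(fetch fetcher, rawURL string, pinned ed25519.PublicKey) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" { // stands in for a properly validating TLS client
		return nil, fmt.Errorf("refusing update over %q: https required", u.Scheme)
	}
	r, err := fetch(rawURL)
	if err != nil {
		return nil, err
	}
	if len(r.sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, r.payload, r.sig) {
		return nil, errors.New("update signature missing or invalid: not executing")
	}
	return r.payload, nil
}

// Constructed sample "binaries": the vendor's genuine updater and an attacker's substitute.
var (
	vendorPayload   = []byte("GENUINE-UPDATER-v1")
	attackerPayload = []byte("MALICIOUS-UPDATER")
)

// buildNetwork returns the vendor's pinned public key and a fetcher. With
// mitm=true every request, regardless of URL, gets the attacker's binary,
// signed with the attacker's own key because they do not hold the vendor's.
func buildNetwork(mitm bool) (ed25519.PublicKey, fetcher, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	fetch := func(rawURL string) (response, error) {
		if mitm {
			return response{attackerPayload, ed25519.Sign(attackerPriv, attackerPayload)}, nil
		}
		return response{vendorPayload, ed25519.Sign(vendorPriv, vendorPayload)}, nil
	}
	return vendorPub, fetch, nil
}

// outcome records what each updater would have executed ("" means it refused).
type outcome struct {
	Vulnerable  string
	Hardened    string
	HardenedErr error
}

// RunScenario drives both updaters against the same (simulated) network.
func RunScenario(mitm bool, rawURL string) (outcome, error) {
	pub, fetch, err := buildNetwork(mitm)
	if err != nil {
		return outcome{}, err
	}
	var o outcome
	if p, err := vulnerableUpdate(fetch, rawURL); err == nil {
		o.Vulnerable = string(p)
	}
	if p, err := hardenedUpdate(fetch, rawURL, pub); err != nil {
		o.HardenedErr = err
	} else {
		o.Hardened = string(p)
	}
	return o, nil
}

func main() {
	cases := []struct {
		name string
		mitm bool
		url  string
	}{
		{"clean network, https", false, "https://updates.example.test/updater.bin"}, // constructed URL
		{"rogue Wi-Fi, https", true, "https://updates.example.test/updater.bin"},
		{"rogue Wi-Fi, plain http", true, "http://updates.example.test/updater.bin"},
	}
	for _, c := range cases {
		o, err := RunScenario(c.mitm, c.url)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s vulnerable runs %q; hardened runs %q (%v)\n", c.name, o.Vulnerable, o.Hardened, o.HardenedErr)
	}
}
```

On a clean network both updaters run the genuine binary. Behind a rogue access point the vulnerable updater runs the attacker's binary whether the URL says http or https, while the hardened one refuses in both cases: the http URL fails the scheme check, and the https one fails signature verification because the substituted payload is not signed by the vendor's key.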