Eclypsium researchers have discovered a vulnerability in Gigabyte motherboards that could open up a backdoor for cybercriminals. The issue stems from a component in the Gigabyte APP Center ecosystem, called GigabyteUpdateService.exe, which automatically downloads and installs other Gigabyte components, including drivers, apps, and BIOS firmware. The problem is that the service fetches software from three hard-wired URLs without cryptographic integrity protection, leaving it vulnerable to manipulation by a man-in-the-middle (MitM) attack. Additionally, the update utility does not verify HTTPS certificates, so a MitM attacker can present a fake certificate and effectively vouch for it themselves. Furthermore, the downloaded files are not cryptographically validated to ensure they come from Gigabyte, potentially allowing cybercriminals to inject malware or replace the files with other software altogether.
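The three weaknesses described above (hard-wired download sources, no HTTPS certificate checking, and no cryptographic validation of the fetched file) map onto three checks a hardened updater performs before it installs anything. The following is an added illustration, not code from Eclypsium's research or from Gigabyte's updater: it places the weak TLS configuration beside the default one, allowlists the update host, and pins the payload to a hash from a trusted manifest. The host name, file name and payload bytes are constructed placeholders, and the "manifest" is computed inline to stand in for the vendor's publish step.

```python
"""Added example: source, certificate and payload checks for an update fetcher.
Not Eclypsium's or Gigabyte's code; all names and values are constructed."""
from __future__ import annotations

import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed placeholder: the only host an updater should ever contact.
ALLOWED_HOSTS = {"updates.example-vendor.invalid"}

# Constructed sample payload; the hash is computed here to simulate the
# manifest a vendor would sign and ship with the client ahead of time.
GOOD_PAYLOAD = b"CONSTRUCTED-DRIVER-PACKAGE-v1.0"
TRUSTED_MANIFEST = {"driver-pkg.bin": hashlib.sha256(GOOD_PAYLOAD).hexdigest()}


def insecure_context() -> ssl.SSLContext:
    """The weak setting: chain verification and hostname checks both off,
    so any certificate a MitM presents is accepted. Shown for contrast only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """The default context already verifies the chain against the system
    trust store and checks the hostname; an attacker-issued cert is rejected."""
    return ssl.create_default_context()


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context both checks hostnames and requires a valid chain."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def is_allowed_source(url: str) -> bool:
    """Accept only HTTPS URLs to an allowlisted update host (no plain HTTP,
    no redirect to an arbitrary server)."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS


def verify_payload(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """Compare the SHA-256 of the downloaded bytes with the pinned manifest
    entry using a constant-time comparison. Unknown names fail closed."""
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def fetch_and_verify(url: str, name: str, manifest: dict[str, str],
                     opener=None) -> bytes:
    """Download `name` from `url` and return its bytes only if every check
    passes. `opener` lets a test supply bytes without touching the network."""
    if not is_allowed_source(url):
        raise ValueError(f"refusing update source: {url}")
    if opener is None:
        def opener(u: str) -> bytes:
            with urllib.request.urlopen(u, context=secure_context()) as resp:
                return resp.read()
    data = opener(url)
    if not verify_payload(name, data, manifest):
        raise ValueError(f"{name}: payload does not match trusted manifest")
    return data


if __name__ == "__main__":
    # Offline demo: a fake opener returns a tampered payload, which is rejected.
    url = "https://updates.example-vendor.invalid/driver-pkg.bin"
    try:
        fetch_and_verify(url, "driver-pkg.bin", TRUSTED_MANIFEST,
                         opener=lambda _u: GOOD_PAYLOAD + b"-TAMPERED")
    except ValueError as exc:
        print("rejected:", exc)
```

The host allowlist is the client-side counterpart of the network-level block mentioned later in the article; the manifest check is what "cryptographically validated" means in practice, and in a real updater the manifest itself would carry a vendor signature verified against a key embedded in the client.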
The issue is made more complicated by the fact that Gigabyte uses a Windows feature called WPBT (Windows Platform Binary Table) to inject the GigabyteUpdateService program into the System32 directory directly out of the BIOS, even if the C drive is encrypted with BitLocker. WPBT enables firmware makers to store a Windows executable file in their BIOS images, load it into memory during the firmware pre-boot process, and then tell Windows to run it early in the startup process. In Gigabyte's case, the WPBT native-mode code contains an embedded .NET application that it "drops" into the System32 directory to be launched later on in the Windows bootup process. This means that a specific version of GigabyteUpdateService.exe is baked into the firmware, and that version will keep being written back onto the system at boot until users update their firmware.
The vulnerability is not a backdoor in the usual sense; it is a legitimate feature that has been badly implemented. It leaves affected computers potentially vulnerable to abuse by cybercriminals, much like a little-known window round the back of a building that has been forgetfully left unlatched. The feature behind it is opt-in, however, and can be disabled in the BIOS setup by turning off the APP Center Download & Install option. Alternatively, users can use endpoint security software or a corporate network firewall to block access to the three URL slugs that are wired into the insecure update service.
In conclusion, while the vulnerability in Gigabyte motherboards is not a traditional backdoor, it is still a significant security issue that could enable cybercriminals to access and manipulate a system. It stems from a poorly implemented legitimate feature that automatically downloads and installs other Gigabyte components. Because the feature is opt-in, it can be disabled in the BIOS setup; failing that, endpoint security software or a corporate network firewall can block access to the three URL slugs wired into the insecure update service. It is important for users to take one of these steps to secure their systems and prevent cybercriminals from exploiting this vulnerability.