It’s really irritating when you set up a new system and it begins downloading and installing the motherboard vendor’s software without your permission or prompting. This can happen with a lot of different motherboard vendors, but there are secure ways and insecure ways to go about it, and Gigabyte seems to have chosen poorly.
We say that because security platform Eclypsium announced that it had detected “backdoor-like behavior” in Gigabyte systems. The specific behavior is that affected motherboards run internet-connected Windows software dropped from the system firmware to then update said firmware from the internet. The software in question is all completely legitimate in theory, but of course that’s where all kinds of trouble starts.
Because the application runs in the background, invisibly, there’s no way for the user to be aware if the tool has been hijacked by a threat actor. Don’t be confused; there’s not necessarily any problem with your system if you have a Gigabyte motherboard. It’s just that the update tool—which can be disabled from the UEFI setup but is enabled by default—performs very little in the way of security or safety checking.
That means that this innocuous update tool could be downloading a compromised firmware update from anywhere. This kind of “man in the middle” attack is particularly problematic because it’s very sneaky and not obvious to the user. It’s also a huge problem once it’s happened, because it’s very difficult to root out such an exploit as it can simply redownload itself, and prevent the user from flashing a “clean” firmware. This exploit affects nearly all Gigabyte motherboards made in the last few years. You can check this list [PDF] from Eclypsium to see if your board is affected.
For its part, Gigabyte has already released beta BIOS updates for all of its Intel LGA 1700 and AMD Socket AM4 motherboards that are vulnerable to this exploit. The company says that it has “implemented stricter security checks” on the tools, including signature verification and privilege access limitations, both of which should help keep bad guys from getting into your firmware. Updates for other systems, including Intel 400/500-series and AMD’s Socket AM5 motherboards, should be available soon.