Eclypsium, a company specializing in firmware and hardware security, has found that hundreds of motherboard models manufactured by Gigabyte, the Taiwanese computer components giant, include backdoor functionality that presents a substantial threat to organizations.
The backdoor was identified by Eclypsium, with behaviors associated with the functionality triggering a warning on the company’s platform.
Specifically, the researchers found that the firmware on many Gigabyte systems deploys a Windows binary that is activated upon the operating system’s boot-up. The deployed file subsequently downloads and operates another payload retrieved from Gigabyte servers.
The payload is fetched over an unsecured connection (either plain HTTP or incorrectly configured HTTPS), and the file's authenticity is not verified before it is executed.
No evidence suggests that the backdoor has been exploited for malicious intents, and the feature seems to be linked to the Gigabyte App Center, as documented on the company’s website.
However, Eclypsium pointed out that it is hard to definitively rule out that this is a malicious backdoor introduced from within Gigabyte, whether by a rogue insider or because the company's systems were breached. It is equally hard to conclusively rule out that the backdoor was inserted somewhere along the supply chain.
UEFI rootkits have frequently been used to ensure that Windows malware persists on a compromised system, and this backdoor could serve that purpose. Moreover, firmware-level backdoors can be hard to remove, since reinstalling the operating system or replacing the disk does not touch them.
Eclypsium also cautioned that attackers could abuse the insecure connection between the system and Gigabyte's servers to substitute the payload through a man-in-the-middle (MitM) attack.
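The two weaknesses described above (an unverified transport and no authenticity check on the downloaded file) are easiest to see side by side. The following is an added illustration, not code from the article, from Eclypsium, or from Gigabyte: an insecure "fetch and run" updater next to a hardened one, exercised against a constructed stand-in for the network that models an on-path attacker, plus a stand-in for a compromised update server. All URLs, payload bytes and the pinned hash are constructed for the example; nothing is downloaded or executed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payload and the hash a vendor would pin in firmware or in
# a signed manifest. These are not Gigabyte's real values.
SAMPLE_PAYLOAD = b"updater-v1.0\n"
PINNED_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()

# Hypothetical update URLs (.invalid is reserved and never resolves).
HTTP_URL = "http://updates.example.invalid/app.exe"
HTTPS_URL = "https://updates.example.invalid/app.exe"


def transport_is_secure(url: str, verify_tls: bool) -> bool:
    """Accept only HTTPS with certificate verification switched on.

    Plain HTTP, or HTTPS with verification disabled, is what the article
    calls an 'unsecured connection': an on-path attacker can rewrite it."""
    return urlparse(url).scheme.lower() == "https" and verify_tls


def payload_is_authentic(payload: bytes, expected_sha256: str) -> bool:
    """Check the downloaded bytes against the pinned digest.

    A signature check with a pinned public key is the production choice;
    a pinned hash stands in for it here so the example needs only stdlib."""
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, expected_sha256)


def onpath_attacker_network(url: str, verify_tls: bool) -> bytes:
    """Constructed network stand-in: a MitM who can alter any response that
    is not protected by verified TLS, but cannot break verified HTTPS."""
    if transport_is_secure(url, verify_tls):
        return SAMPLE_PAYLOAD
    return b"substituted-by-attacker\n"


def compromised_server_network(url: str, verify_tls: bool) -> bytes:
    """Constructed stand-in for a breached update server: the transport is
    intact, but the server itself hands out the wrong file."""
    return b"served-by-breached-server\n"


def record_run(payload: bytes) -> str:
    """Stand-in for executing the payload: only records what would have run."""
    return "ran: " + payload.decode().strip()


def insecure_fetch_and_run(url, fetch, run):
    """The pattern the report describes: fetch whatever the URL returns,
    with no transport requirement and no check on the file, then run it."""
    payload = fetch(url, verify_tls=False)
    return run(payload)


def hardened_fetch_and_run(url, fetch, run, expected_sha256):
    """Refuse anything but verified HTTPS, and refuse to run a file whose
    digest does not match the pinned value."""
    if not transport_is_secure(url, verify_tls=True):
        raise ValueError("refusing non-HTTPS or unverified transport")
    payload = fetch(url, verify_tls=True)
    if not payload_is_authentic(payload, expected_sha256):
        raise ValueError("payload hash mismatch; refusing to run")
    return run(payload)


def compare_paths() -> dict:
    """Run both updaters through each scenario and collect the outcomes."""
    results = {}
    # 1. Insecure updater under a MitM: the attacker's file runs.
    results["insecure_mitm"] = insecure_fetch_and_run(
        HTTP_URL, onpath_attacker_network, record_run)
    # 2. Hardened updater pointed at plain HTTP: refused before any fetch.
    try:
        hardened_fetch_and_run(
            HTTP_URL, onpath_attacker_network, record_run, PINNED_SHA256)
        results["hardened_http"] = "ran"
    except ValueError as exc:
        results["hardened_http"] = f"refused: {exc}"
    # 3. Hardened updater over verified HTTPS: the genuine file runs.
    results["hardened_https"] = hardened_fetch_and_run(
        HTTPS_URL, onpath_attacker_network, record_run, PINNED_SHA256)
    # 4. Hardened updater against a breached server: TLS is fine, but the
    #    authenticity check still stops the wrong file from running.
    try:
        hardened_fetch_and_run(
            HTTPS_URL, compromised_server_network, record_run, PINNED_SHA256)
        results["hardened_breached_server"] = "ran"
    except ValueError as exc:
        results["hardened_breached_server"] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    for scenario, outcome in compare_paths().items():
        print(f"{scenario:25s} {outcome}")
```

Scenario 4 is the one that matters for the insider or breached-vendor possibility the article raises: a correctly configured HTTPS connection only authenticates the server, so an authenticity check on the file itself (a signature from a key the vendor keeps offline, or at minimum a pinned digest) is the control that still holds when the server cannot be trusted.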
Eclypsium has released a list of over 270 affected motherboard models, which implies that millions of devices likely harbor the backdoor. The company stated it has been working with Gigabyte to rectify the issue, which will probably require a firmware update.