Researchers discover unpatched backdoor in 271 Gigabyte motherboards
Researchers from security firm Eclypsium have discovered a backdoor in hundreds of Gigabyte motherboard models. It allows an attacker to plant malware on affected PCs largely unnoticed. The problem has not yet been fixed, the researchers say.
The researchers found that the motherboard's UEFI firmware drops a Windows executable onto the system and runs it during operating-system startup. That .NET executable then downloads and runs a further payload fetched from Gigabyte's servers. This happens automatically in order to install Gigabyte App Center, a motherboard utility that installs and updates drivers, firmware and applications. According to the researchers, however, it does so in an insecure manner.
The payload is fetched over plain HTTP, or over HTTPS without proper validation of the server's certificate. The downloaded file is also not verified in any way before it is executed. That makes a man-in-the-middle attack comparatively easy: an attacker on the network path can substitute a file of their own and infect victims' computers almost invisibly, the Eclypsium research team says.
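To make the attack path concrete, here is an added illustration in Python; it is not Eclypsium's or Gigabyte's code and does not reproduce the real updater. The network is replaced by a stand-in transport so it runs offline, and the URLs, payload bytes and the pinned digest are all constructed for the example. It contrasts an updater that fetches over plain HTTP (or HTTPS with certificate checks switched off) and executes whatever arrives with one that verifies the TLS certificate and checks the file against a digest it already trusts.

```python
"""Constructed demo: why an unauthenticated, firmware-launched updater is a MITM target."""
import hashlib
import ssl

# Constructed sample bytes, standing in for the genuine installer and an attacker's substitute.
GENUINE_PAYLOAD = b"MZ\x90\x00 genuine installer (constructed sample)"
ATTACKER_PAYLOAD = b"MZ\x90\x00 attacker payload (constructed sample)"

# Assumption: a hardened updater ships with a digest (or better, a code-signing key) it trusts.
PINNED_SHA256 = hashlib.sha256(GENUINE_PAYLOAD).hexdigest()

# Constructed URLs; example.test is a reserved name and never resolves.
INSECURE_URL = "http://update.example.test/appcenter.exe"
SECURE_URL = "https://update.example.test/appcenter.exe"


def tls_context_insecure():
    """HTTPS with certificate validation disabled: encrypted, but any server is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_secure():
    """Default context: chain and hostname are verified against the system trust store."""
    return ssl.create_default_context()


class MitmTransport:
    """Stands in for the network; when attacker_present is True, an on-path attacker answers."""

    def __init__(self, attacker_present):
        self.attacker_present = attacker_present

    def fetch(self, url, ctx):
        # Plain HTTP, or TLS that accepts any certificate, lets the attacker impersonate the vendor.
        interceptable = url.startswith("http://") or ctx.verify_mode == ssl.CERT_NONE
        if self.attacker_present and interceptable:
            return ATTACKER_PAYLOAD
        if self.attacker_present and not interceptable:
            # A verifying client rejects the attacker's forged certificate.
            raise ssl.SSLCertVerificationError("certificate verify failed")
        return GENUINE_PAYLOAD


def download_for_execution(url, ctx, transport, pinned_sha256=None):
    """Return the bytes the updater would execute, or None if the download was rejected."""
    try:
        body = transport.fetch(url, ctx)
    except ssl.SSLError:
        return None
    if pinned_sha256 is not None and hashlib.sha256(body).hexdigest() != pinned_sha256:
        return None  # integrity check failed: never execute an unverified file
    return body


def vulnerable_update(attacker_present):
    """Weak pattern: plain HTTP, no certificate checks, no integrity check on the file."""
    return download_for_execution(INSECURE_URL, tls_context_insecure(),
                                  MitmTransport(attacker_present))


def hardened_update(attacker_present):
    """Hardened pattern: verified HTTPS plus an integrity check before anything runs."""
    return download_for_execution(SECURE_URL, tls_context_secure(),
                                  MitmTransport(attacker_present), PINNED_SHA256)


def digest_only_update(attacker_present):
    """Transport still weak, but the integrity check alone blocks the substituted file."""
    return download_for_execution(INSECURE_URL, tls_context_insecure(),
                                  MitmTransport(attacker_present), PINNED_SHA256)


if __name__ == "__main__":
    print("vulnerable, attacker present ->", vulnerable_update(True) == ATTACKER_PAYLOAD)
    print("hardened,   attacker present ->", hardened_update(True))
    print("digest-only, attacker present ->", digest_only_update(True))
```

The point of the third variant is that verifying the file itself is what stops the substitution; transport security on its own does not help once certificate checks are disabled. A pinned digest is used here only because it is self-contained; a real updater would verify a vendor signature over the file so that new versions can still ship.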
There is no evidence that the backdoor has been abused so far, although the researchers warn that this remains possible. The hole has not yet been closed, but the security company says it is in talks with Gigabyte, which, according to the blog post, plans to fix the problem quickly.
Eclypsium lists 271 motherboard models that contain this backdoor, so there may be millions of affected boards. The company has published the complete list in a PDF overview. Users who own one of these motherboards are advised to disable the APP Center Download & Install option in the board's UEFI/BIOS setup for the time being and to set a BIOS password so that the option cannot be re-enabled without their knowledge.