Gigabyte Motherboards Affected by Firmware Backdoor, Over 250 Models Impacted

The vulnerability affects a wide range of models with both Intel and AMD chipsets, including the newest Z790 and X670 boards. It stems from a poorly secured updater program that Gigabyte uses to keep firmware up to date.

Eclypsium, a cybersecurity research company, recently identified a firmware backdoor affecting 271 Gigabyte motherboard models. After a fresh Windows installation, users may see a program offering to download the latest drivers or firmware. Unfortunately, this seemingly harmless program can also serve as an entry point for attackers.

On every system restart, code embedded in the firmware launches an updater program, which connects to the internet to look for and download the newest motherboard firmware. According to Eclypsium, Gigabyte's implementation of this updater lacks the necessary security controls, giving malicious software a potential way onto affected systems. The problem is compounded by the fact that the updater is embedded in the motherboard's firmware, which makes it hard for users to remove.

The usage of such updater programs is not exclusive to Gigabyte, as other motherboard manufacturers incorporate similar methodologies, bringing into question the overall security of these systems. Asus' Armoury Crate software, for instance, operates similarly to Gigabyte's App Center. Eclypsium's analysis shows that Gigabyte's updater connects with three distinct sites for firmware updates:

The cybersecurity firm found that Gigabyte's updater downloads code onto the user's system without proper authentication: it performs no cryptographic digital signature verification or any other validation. As a result, both HTTP and HTTPS connections remain vulnerable to Machine-in-the-Middle (MITM) attacks, with HTTP connections being especially exposed. Beyond its internet connections, the updater was also found to fetch firmware updates from a NAS device on the local network, which would let an attacker impersonate the NAS and infect the user's system with spyware.
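As an added illustration (not Eclypsium's analysis code or Gigabyte's updater), the Go program below contrasts an accept-anything update path, which is the behaviour the article describes, with one that refuses non-HTTPS sources and verifies a detached Ed25519 signature against a key pinned in the updater. The URL, the payloads and the in-process key pair are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Update is one fetched package: its source, its bytes, and the vendor's detached signature.
type Update struct {
	Source  string
	Payload []byte
	Sig     []byte
}

var ErrInsecureTransport = errors.New("update source is not https")
var ErrBadSignature = errors.New("payload signature does not verify")

// acceptUnverified models the behaviour the article describes: whatever the fetch
// returns is installed, so an HTTP MITM, an intercepted HTTPS session or a spoofed NAS all succeed.
func acceptUnverified(u Update) error { return nil }

// acceptVerified is the hardened form. The signature check against a key pinned in the
// updater holds even when the transport is compromised; requiring HTTPS is defence in depth.
func acceptVerified(pinned ed25519.PublicKey, u Update) error {
	src, err := url.Parse(u.Source)
	if err != nil || src.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(pinned, u.Payload, u.Sig) {
		return ErrBadSignature
	}
	return nil
}

// signUpdate is the vendor's release step; the private key never ships with the updater.
func signUpdate(priv ed25519.PrivateKey, source string, payload []byte) Update {
	return Update{Source: source, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed stand-in for a build-time pinned key
	good := signUpdate(priv, "https://updates.example.invalid/fw.bin", []byte("firmware v1"))
	tampered := good
	tampered.Payload = []byte("firmware v1 + implant") // what a MITM would substitute in transit
	fmt.Println("signed:", acceptVerified(pub, good), " tampered:", acceptVerified(pub, tampered))
}
```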

The updater ships as a standard tool on Gigabyte motherboards. Eclypsium has published an extensive list of the affected models, comprising 271 motherboards across Intel and AMD chipsets, ranging from older AMD 400-series boards to the most recent Intel 700-series and AMD 600-series boards.

Eclypsium has reported its findings to Gigabyte, and the company is working on a fix, which will most likely be delivered as a firmware update. In the meantime, owners of Gigabyte motherboards can take precautionary steps to protect their systems.

Eclypsium advises disabling the "APP Center Download & Install" feature in the motherboard's firmware, which deactivates the updater. Users can also set a BIOS-level password to guard against unauthorized changes. Lastly, users can block the three aforementioned sites that the updater connects to.
