
Backdoor Feature Found in Hundreds of Gigabyte Motherboards, Cybersecurity Experts Warn


Backdoor Feature Found in Hundreds of Gigabyte Motherboards Poses a Significant Supply Chain Risk

Recently, hardware security company Eclypsium discovered that hundreds of motherboard models made by Taiwanese computer components giant Gigabyte include a backdoor functionality that could pose a significant supply chain risk to organizations. The backdoor was discovered based on behavior associated with the functionality, which triggered an alert in the company’s platform. The firmware on many Gigabyte systems drops a Windows binary that is executed when the operating system boots up. The dropped file then downloads and runs another payload fetched from Gigabyte servers over an insecure connection (HTTP or improperly configured HTTPS), and the file’s legitimacy is not verified.
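The two gaps described above, an insecure transport and no check of the downloaded file, are what a pre-execution gate has to close. The Python example below is an addition to this article, not Gigabyte's or Eclypsium's code; the host name, path, manifest layout and payload bytes are constructed placeholders, and pinning a SHA-256 digest in a trusted manifest is an assumed design, one of several ways to verify a payload.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit

# Constructed sample data: placeholder host, path and payload, not real vendor values.
GOOD_PAYLOAD = b"MZ\x90\x00constructed-updater-payload"
# Assumed manifest shipped inside the trusted image: (host, path) -> SHA-256 hex digest.
PINNED = {
    ("updates.vendor.example", "/app/updater.exe"):
        hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
}


def strict_tls_context() -> ssl.SSLContext:
    """TLS settings for the fetch: certificate chain and host name are both validated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def vet_payload(url: str, payload: bytes, pinned: dict) -> str:
    """Return 'accept' or 'reject: <reason>' for a payload fetched from url."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject: plaintext or unknown transport"
    expected = pinned.get((parts.hostname, parts.path))
    if expected is None:
        return "reject: source not in pinned manifest"
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison of the computed and pinned digests.
    if not hmac.compare_digest(actual, expected):
        return "reject: digest mismatch"
    return "accept"


if __name__ == "__main__":
    cases = [
        ("https://updates.vendor.example/app/updater.exe", GOOD_PAYLOAD),
        ("http://updates.vendor.example/app/updater.exe", GOOD_PAYLOAD),
        ("https://updates.vendor.example/app/updater.exe", GOOD_PAYLOAD + b"!"),
        ("https://mirror.vendor.example/app/updater.exe", GOOD_PAYLOAD),
    ]
    for url, body in cases:
        print(f"{url} -> {vet_payload(url, body, PINNED)}")
```

Only a payload that arrives over HTTPS from a pinned source and matches the pinned digest is accepted; anything else is rejected before it can run.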

A Supply Chain Risk and a Threat to Organizations

The presence of this backdoor feature in hundreds of Gigabyte motherboards poses a significant threat to organizations. There is no evidence that the feature has been leveraged for malicious purposes, and it appears related to the Gigabyte App Center documented on the company’s website. Even so, it remains difficult to conclusively rule out that this is a malicious backdoor planted from within Gigabyte, either by a malicious insider or as a result of the company’s systems being compromised. Moreover, the firm warned that it could end up being abused by threat actors, and it’s not uncommon for skilled hackers to take advantage of such tools in their attacks. Additionally, UEFI rootkits have been used in many cases to ensure that Windows malware can persist on a compromised system, and this backdoor can be useful for that purpose.

The Risk to Data Privacy and the Difficulty of Removing Firmware Backdoors

The immediate risk concerns data privacy and the possibility of such backdoors being used for surveillance or other nefarious purposes by malicious actors. The second risk concerns the difficulty of removing firmware backdoors. Once a firmware backdoor is installed, it can be extremely challenging, if not impossible, to remove. Removal requires deep knowledge of the underlying hardware and firmware, and even then, removing the backdoor can destabilize the system, rendering it even more vulnerable.

Eclypsium’s List of Affected Motherboard Models and Necessary Actions to Be Taken

Eclypsium has published a list of more than 270 affected motherboard models, indicating that millions of devices likely have the backdoor. In working with Gigabyte, the company determined that the issue would likely require a firmware update. Organizations should focus on securing their Gigabyte motherboards and other hardware using endpoint security measures such as firewalls and updating their firmware regularly. It is also recommended that organizations deploy a solution for supply chain security and verify the firmware they want to use beforehand, test it, and only then provision it onto their devices.

Conclusion

The discovery of this backdoor feature in hundreds of Gigabyte motherboards serves as a reminder of the importance of supply chain security. The fact that the origin of the vulnerability, and therefore the risk, is the firmware of a major hardware manufacturer only amplifies the urgency of the situation. Proper steps, such as deploying endpoint security measures, adopting bring your own device (BYOD) security practices, and investing in supply chain security, will go a long way to enhance security and reduce the risks.
