https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/

Millions of PC Motherboards Were Sold With a Firmware Backdoor

Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs--a feature ripe for abuse, researchers say.

Andy Greenberg, Security, May 31, 2023 9:00 AM

Hiding malicious programs in a computer's UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become an insidious trick in the toolkit of stealthy hackers. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers--and doesn't even put a proper lock on that hidden back entrance--they're practically doing hackers' work for them.

Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they've discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with the affected Gigabyte motherboard restarts, Eclypsium found, code within the motherboard's firmware invisibly initiates an updater program that runs on the computer and in turn downloads and executes another piece of software.
While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard's firmware updated, researchers found that it's implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte's intended program. And because the updater program is triggered from the computer's firmware, outside its operating system, it's tough for users to remove or even discover.

"If you have one of these machines, you have to worry about the fact that it's basically grabbing something from the internet and running it without you being involved, and hasn't done any of this securely," says John Loucaides, who leads strategy and research at Eclypsium. "The concept of going underneath the end user and taking over their machine doesn't sit well with most people."

In its blog post about the research, Eclypsium lists 271 models of Gigabyte motherboards that researchers say are affected. Loucaides adds that users who want to see which motherboard their computer uses can check by going to "Start" in Windows and then "System Information."

Eclypsium says it found Gigabyte's hidden firmware mechanism while scouring customers' computers for firmware-based malicious code, an increasingly common tool employed by sophisticated hackers. In 2018, for instance, hackers working on behalf of Russia's GRU military intelligence agency were discovered silently installing the firmware-based anti-theft software LoJack on victims' machines as a spying tactic. Chinese state-sponsored hackers were spotted two years later repurposing a firmware-based spyware tool created by the hacker-for-hire firm Hacking Team to target the computers of diplomats and NGO staff in Africa, Asia, and Europe.
Eclypsium's researchers were surprised to see their automated detection scans flag Gigabyte's updater mechanism for carrying out some of the same shady behavior as those state-sponsored hacking tools--hiding in firmware and silently installing a program that downloads code from the internet. Gigabyte's updater alone might have raised concerns for users who don't trust Gigabyte to silently install code on their machine with a nearly invisible tool--or who worry that Gigabyte's mechanism could be exploited by hackers who compromise the motherboard manufacturer to exploit its hidden access in a software supply chain attack.

But Eclypsium also found that the update mechanism was implemented with glaring vulnerabilities that could allow it to be hijacked: It downloads code to the user's machine without properly authenticating it, sometimes even over an unprotected HTTP connection, rather than HTTPS. This would allow the installation source to be spoofed by a man-in-the-middle attack carried out by anyone who can intercept the user's internet connection, such as a rogue Wi-Fi network.

In other cases, the updater installed by the mechanism in Gigabyte's firmware is configured to be downloaded from a local network-attached storage device (NAS), a feature that appears to be designed for business networks to administer updates without all of their machines reaching out to the internet.
But Eclypsium warns that in those cases, a malicious actor on the same network could spoof the location of the NAS to invisibly install their own malware instead.

Eclypsium says it has been working with Gigabyte to disclose its findings to the motherboard manufacturer, and that Gigabyte has said it plans to fix the issues. Gigabyte did not respond to WIRED's multiple requests for comment regarding Eclypsium's findings.

Even if Gigabyte does push out a fix for its firmware issue--after all, the problem stems from a Gigabyte tool intended to automate firmware updates--Eclypsium's Loucaides points out that firmware updates often silently abort on users' machines, in many cases due to their complexity and the difficulty of matching firmware and hardware. "I still think this will end up being a fairly pervasive problem on Gigabyte boards for years to come," Loucaides says.

Given the millions of potentially affected devices, Eclypsium's discovery is "troubling," says Rich Smith, who is the chief security officer of supply-chain-focused cybersecurity startup Crash Override. Smith has published research on firmware vulnerabilities and reviewed Eclypsium's findings. He compares the situation to the Sony rootkit scandal of the mid-2000s. Sony had hidden digital-rights-management code on CDs that invisibly installed itself on users' computers and in doing so created a vulnerability that hackers used to hide their malware. "You can use techniques that have traditionally been used by malicious actors, but that wasn't acceptable, it crossed the line," Smith says. "I can't speak to why Gigabyte chose this method to deliver their software. But for me, this feels like it crosses a similar line in the firmware space."

Smith acknowledges that Gigabyte probably had no malicious or deceptive intent in its hidden firmware tool.
But by leaving security vulnerabilities in the invisible code that lies beneath the operating system of so many computers, it nonetheless erodes a fundamental layer of trust users have in their machines. "There's no intent here, just sloppiness. But I don't want anyone writing my firmware who's sloppy," says Smith. "If you don't have trust in your firmware, you're building your house on sand."
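The two weaknesses the article describes (an updater that fetches code without authenticating it, sometimes over plain HTTP, and NAS-sourced updates that anyone on the local network can spoof) come down to the same missing control. The Go sketch below is an added example, not Eclypsium's or Gigabyte's code; it assumes a vendor Ed25519 signing key and made-up URLs and payloads. It contrasts an updater that accepts whatever arrives with one that insists on HTTPS and verifies the vendor's signature, and shows which of the two would run a payload substituted by an on-path attacker.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"net/url"
)

// Update is what the firmware-launched updater receives: program bytes plus a detached signature.
type Update struct {
	Payload   []byte
	Signature []byte
}

// InsecureAccept mirrors the behaviour the article describes: whatever arrives is accepted,
// regardless of transport scheme and with no authentication of the contents.
func InsecureAccept(source string, u Update) ([]byte, error) {
	return u.Payload, nil
}

// SecureAccept requires an https:// source and a valid vendor signature over the payload.
// The signature is the essential layer: it also covers the NAS-style deployment, where a
// spoofable local host offers no transport-level trust anchor at all.
func SecureAccept(vendorPub ed25519.PublicKey, source string, u Update) ([]byte, error) {
	parsed, err := url.Parse(source)
	if err != nil || parsed.Scheme != "https" {
		return nil, errors.New("refusing update source that is not https")
	}
	if !ed25519.Verify(vendorPub, u.Payload, u.Signature) {
		return nil, errors.New("update payload failed vendor signature check")
	}
	return u.Payload, nil
}

// Scenario runs both acceptors against a genuine download and one swapped by an on-path
// attacker (rogue Wi-Fi or spoofed NAS) who leaves the original signature in place.
// Constructed data: the vendor key pair and both payloads are made up for this demonstration.
func Scenario() (insecureTookBad, secureTookBad, secureTookGenuine bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	genuine := Update{Payload: []byte("vendor-updater-v1")}
	genuine.Signature = ed25519.Sign(priv, genuine.Payload)
	bad := Update{Payload: []byte("attacker-binary"), Signature: genuine.Signature}
	got, _ := InsecureAccept("http://update.example/updater.exe", bad)
	insecureTookBad = string(got) == "attacker-binary"
	_, err := SecureAccept(pub, "https://update.example/updater.exe", bad)
	secureTookBad = err == nil
	_, err = SecureAccept(pub, "https://update.example/updater.exe", genuine)
	secureTookGenuine = err == nil
	return
}
```

Scenario returns true, false, true: the unauthenticated updater runs the swapped binary, the verifying one rejects it and still accepts the genuine release.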