Experts from firmware and hardware security company Eclypsium have reported that hundreds of Gigabyte motherboard models contain a backdoor that could pose a significant risk to organizations. The researchers determined that the firmware of these motherboards contains a Windows binary that is executed when the operating system boots. This file then downloads and launches another payload from Gigabyte servers over an insecure connection (HTTP or incorrectly configured HTTPS) without any checks of its legitimacy.
Although there is no evidence that this backdoor has been used for malicious purposes, it is difficult to completely rule out the possibility that it was introduced into the firmware by intruders or as a result of a compromise of the company’s systems. Even if this is legitimate functionality, experts warn that attackers can still exploit it, and hackers often use such tools in their attacks. Furthermore, attackers can use the insecure connection between the system and Gigabyte servers to carry out a man-in-the-middle attack and spoof the payload.
Eclypsium has included a list of over 270 Gigabyte motherboards affected by this issue with its report. The company is currently collaborating with Gigabyte and working on a solution (which will likely require a firmware update). However, there has been no official comment from Gigabyte yet.
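The download-and-run behaviour described above lacks three checks: transport security, certificate validation, and payload verification. The following is an added example, not code from Eclypsium or Gigabyte, showing each check as a gate that must pass before anything is executed. The URL, the function names and the pinned SHA-256 digest are assumptions; the pinned digest stands in for a code-signature check.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlsplit


class UpdateRejected(Exception):
    """Raised when a payload fails a check and must not be executed."""


def check_url(url: str) -> None:
    # Plain HTTP offers no server authentication and no integrity protection.
    if urlsplit(url).scheme.lower() != "https":
        raise UpdateRejected(f"refusing non-HTTPS update URL: {url}")


def require_verifying_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    # "Incorrectly configured HTTPS": a context that skips chain or hostname
    # validation is no better than HTTP against a man-in-the-middle.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise UpdateRejected("TLS certificate/hostname verification is disabled")
    return ctx


def check_digest(payload: bytes, pinned_sha256: str) -> None:
    # Assumption: the expected digest reaches the client through a trusted
    # channel (for example, a signed manifest), not from the download itself.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise UpdateRejected("payload digest does not match the pinned value")


def fetch_verified(url: str, pinned_sha256: str) -> bytes:
    """Return the payload only if all three checks pass; never run it otherwise."""
    check_url(url)
    ctx = require_verifying_context(ssl.create_default_context())
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        payload = resp.read()
    check_digest(payload, pinned_sha256)
    return payload


if __name__ == "__main__":
    sample = b"constructed sample payload"  # constructed data, runs offline
    pin = hashlib.sha256(sample).hexdigest()
    check_digest(sample, pin)  # untampered payload passes
    try:
        check_digest(sample + b"!", pin)  # payload altered in transit
    except UpdateRejected as exc:
        print("rejected:", exc)
```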