
Protection against backdoor in Gigabyte motherboards

System Name Rocketlake Workstation+ (Yes, it's a workstation, not a gaming PC, so don't mind the GPU)
Processor Intel core i5-11600KF (Overclocked to 5.6 GHz)
Motherboard Gigabyte Z490
Cooling Deepcool Liquid Cooling (AIO)
Memory DDR4-3200 / 2x32 GB (Total 64 GB)
Video Card(s) BIOSTAR GT 730 (Fermi edition) / 4 GB GDDR3 (Overclocked to 850 MHz)
Storage Kingston SSD 128GB L50361-00, Crucial 240GB CT240BX500SSD1, Toshiba DT01AC HDD
Display(s) AOC E970Sw - 1970W (overclocked to 76 Hz)
Audio Device(s) iBall stereo speakers
Power Supply Thermaltake Smart 500W + Gigabyte GP-450B (Total 950W)
Mouse Dell USB Mouse
Keyboard SIGMACHIP USB Keyboard
VR HMD None
Software Linux Mint (always the latest version) + Windows 11 Enterprise Insider Preview (Dev channel)
Benchmark Scores Any free and trusted benchmarking software out there? I don't want to install stuff from steam lol
I just found this:
I'm concerned about this, because my mobo is on their list. I've already disabled "APP center download and install" in BIOS. Is there something else I can do?
 
The article reports suspected backdoor behavior, but hasn't reached a conclusion yet on whether it's actually an issue.

Now, to confirm whether the stuff is real or not, one would need to contact Gigabyte and ask them if they are partnered up "working on the issue" with Eclypsium for a resolution.

Perhaps look for a follow up article, this one is nearly 2 years old.
 
The article reports suspected backdoor behavior, but hasn't reached a conclusion yet on whether it's actually an issue.

Now, to confirm whether the stuff is real or not, one would need to contact Gigabyte and ask them if they are partnered up "working on the issue" with Eclypsium for a resolution.

Perhaps look for a follow up article, this one is nearly 2 years old.
Gigabyte claims they made it so that the BIOS update files and the executable are checked for being official or not before executing them. But I don't think so. I'm still able to flash modded BIOSes and stuff through Q-Flash.
Yes, that article is 2 years old. I'll see if I can find a follow up article. I'm currently on the latest official BIOS (FE).
 
I'm concerned about this, because my mobo is on their list.
Ummm, what motherboard and what list are you talking about? The Z490 shown in your System Specs is NOT on the list linked to in your post above.
 
The best solution, by a huge margin of victory, is to not run any of this shitware in the first place. Self-executing crap like these UEFI software installers are nothing more than rootkits by another name.

Nothing any of these "suites" do is unique to that software, and bundling the useful things it does do inseparably with vendor-bloat, adware, telemetry, notification spam, and data-harvesting is not cool.

Don't support it, don't encourage it, and most of all don't allow it through inaction/complacency. Disable it in the BIOS on first boot, and remember to disable it again if you do any BIOS updates that reset your settings.
 
Ummm, what motherboard and what list are you talking about? The Z490 shown in your System Specs is NOT on the list linked to in your post above.
Oh sorry, it was a different one. It's a H510M H rev 1.3

The best solution, by a huge margin of victory, is to not run any of this shitware in the first place. Self-executing crap like these UEFI software installers are nothing more than rootkits by another name.

Nothing any of these "suites" do is unique to that software, and bundling the useful things it does do inseparably with vendor-bloat, adware, telemetry, notification spam, and data-harvesting is not cool.

Don't support it, don't encourage it, and most of all don't allow it through inaction/complacency. Disable it in the BIOS on first boot, and remember to disable it again if you do any BIOS updates that reset your settings.
I did uninstall that app center crap from windows 11, but I actually need some of the other gigabyte programs like Easytune. App center gets installed automatically if that option is enabled in the BIOS.
 
I actually need some of the other gigabyte programs like Easytune.
Easytune is useless. It will do a very poor job compared to manual tuning and if you really can't be bothered to learn the very basics of overclocking, you can just use it once, write down what settings it's applying, uninstall the software, and then apply those settings yourself in the BIOS for a true, bloatware-free version of the exact same (pathetic) overclock.

But yeah, manual tuning will get you a better undervolt, a better overclock, and you can do more thorough stress testing and stability testing yourself.
 
I'm concerned about this, because my mobo is on their list. I've already disabled "APP center download and install" in BIOS. Is there something else I can do?

This is most likely the same garbage and CVE madness like ASUS armory crate.

You need to always disable that option after every firmware update of the mainboard. Just be 100% sure it is disabled when booting your mainboard.

Note: MSI has similar software, also with a CVE. I have not yet bothered checking if Biostar and ASRock are affected.

In my point of view - it happened once, you got a CVE, it will happen with a high chance again.
Note: This is for windows operating systems only. When you boot something else you are not affected.
 
Easytune is useless. It will do a very poor job compared to manual tuning and if you really can't be bothered to learn the very basics of overclocking, you can just use it once, write down what settings it's applying, uninstall the software, and then apply those settings yourself in the BIOS for a true, bloatware-free version of the exact same (pathetic) overclock.

But yeah, manual tuning will get you a better undervolt, a better overclock, and you can do more thorough stress testing and stability testing yourself.
Ok, thanks.
Note: This is for windows operating systems only. When you boot something else you are not affected.
Are you saying this backdoor can only work on Windows? It's a UEFI low-level rootkit, so it can affect any operating system. It can be used to drop ANY executable, and the attacker can use some ELF binary which can be executed on Linux and other OSes.
 
Are you saying this backdoor can only work on Windows? It's a UEFI low-level rootkit, so it can affect any operating system. It can be used to drop ANY executable, and the attacker can use an ELF binary which can be executed on Linux and other OSes.

My Gentoo Linux installation is from 2006. ASUS Armory Crate notification pop-up windows showed only in Windows 11 Pro, left of the clock on the taskbar. That stuff did not pop up in GNU Gentoo Linux.

I do get the point that ASUS for example want people to install software which "officially" help the customer with updates and such. A good idea but very bad execution.

I do not want to make people angry with statements like "Windows sucks" and such. In my point of view, it's a Windows problem. It's the Microsoft Windows operating system's fault for downloading malware software in the first place without the permission of the user. When you get a pop-up window asking for installation, I assume something was already downloaded and executed without the user's permission.

I just opened the link from post #1 and quote that

  1. Eclypsium automated heuristics detected firmware on Gigabyte systems that drops an executable Windows binary that is executed during the Windows startup process.

After reading this - it is similar what MSI and ASUS do on their mainboards.

The November CVE for my ASUS Prime X670-P mainboard affected any operating system; it was some sort of boot logo issue. Always check the CVE first. I want to restrict my statement only to my ASUS mainboard. Too many binary blobs that nobody really knows what they do. I assume other mainboard brands are not better. Coreboot or a similar project could fix that, but there is hardly any mainboard available for purchase.

Note: I do not want to have a mainboard which executes any extra software without permission during the bootup process.
 
My Gentoo Linux installation is from 2006. ASUS Armory Crate notification pop-up windows showed only in Windows 11 Pro, left of the clock on the taskbar. That stuff did not pop up in GNU Gentoo Linux.

I do get the point that ASUS for example want people to install software which "officially" help the customer with updates and such. A good idea but very bad execution.

I do not want to make people angry with statements like "Windows sucks" and such. In my point of view, it's a Windows problem. It's the Microsoft Windows operating system's fault for downloading malware software in the first place without the permission of the user. When you get a pop-up window asking for installation, I assume something was already downloaded and executed without the user's permission.

I just opened the link from post #1 and quote that

After reading this - it is similar what MSI and ASUS do on their mainboards.

The November CVE for my ASUS Prime X670-P mainboard affected any operating system; it was some sort of boot logo issue. Always check the CVE first. I want to restrict my statement only to my ASUS mainboard. Too many binary blobs that nobody really knows what they do. I assume other mainboard brands are not better. Coreboot or a similar project could fix that, but there is hardly any mainboard available for purchase.
I know, I hate windows too. I use Mint as my main OS for daily tasks and programming, but have to use windows for cryptomining and gaming (nouveau sucks, and my GPU is old and unsupported on newer linux kernels, the PC with the H510M H has a stupid GT 610). I've heard of coreboot, but very few motherboards are supported. And it doesn't matter which executable the manufacturer drops. I am talking about the attacker, not the motherboard manufacturer. The attacker can drop any executable of their choice, even ELFs and .sh scripts if the user is found running linux.
 
I do not know how the mechanism works.

It's obvious that the setting of that uefi feature is stored in the flash.
Does the Windows operating system just check the state of that variable in UEFI and download the stuff? Is there some sort of URL, with or without an IP address, passed to the operating system?

Only with that knowledge may I have an opinion on whether that issue may happen with a binary Linux Mint kernel, for example. I see it as more problematic to use prebuilt kernels and packages from binary distros than self-built kernels and packages. Big topic which goes off topic.

Security is important. Maybe someone has more details on how it works in the use case. Gigabyte mainboard + windows 11 pro operating system.

Secure Boot most likely will not prevent you from that Gigabyte / ASUS / MSI mainboard automatic software download and execution problem during Microsoft Windows startup.
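An added check, not from this thread or from Gigabyte, that addresses the "how does Windows get the binary, and can Linux see it" question raised in this post. It assumes the firmware drop uses the ACPI WPBT (Windows Platform Binary Table): Windows runs the binary described there at startup, while Linux ignores it but exposes the raw table under /sys/firmware/acpi/tables/WPBT, so a Linux boot on the same board can decode it; the sample table and its OEM strings are constructed for offline testing.

```python
import struct
from pathlib import Path

# WPBT: the documented ACPI table through which firmware hands Windows a native
# binary to run at startup. Linux ignores it but exposes the raw bytes in sysfs.
WPBT_SYSFS = Path("/sys/firmware/acpi/tables/WPBT")
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # 36-byte standard ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, phys addr, layout, type, cmdline len

def parse_wpbt(data: bytes) -> dict:
    """Decode a WPBT blob into its fields; raises ValueError on a malformed table."""
    if len(data) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short")
    sig, length, _rev, _csum, oem_id, oem_tbl, *_ = ACPI_HEADER.unpack_from(data, 0)
    if sig != b"WPBT" or length > len(data):
        raise ValueError("not a WPBT table")
    # ACPI checksum rule: every byte of the table must sum to zero modulo 256
    if sum(data[:length]) & 0xFF:
        raise ValueError("bad checksum")
    size, loc, layout, ctype, cmd_len = WPBT_BODY.unpack_from(data, ACPI_HEADER.size)
    cmd_off = ACPI_HEADER.size + WPBT_BODY.size
    cmdline = data[cmd_off:cmd_off + cmd_len].decode("utf-16-le").rstrip("\0")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tbl.decode("ascii", "replace").strip(),
        "binary_size": size, "binary_phys_addr": loc,
        "single_pe_image": layout == 1,  # layout 1 = one PE image in memory
        "native_user_mode_app": ctype == 1,  # type 1 = native user-mode app
        "cmdline": cmdline,
    }

def wpbt_report(path: Path = WPBT_SYSFS):
    """Return parsed WPBT fields, or None when the firmware exposes no table."""
    if not path.is_file():
        return None
    return parse_wpbt(path.read_bytes())

def build_sample_wpbt(cmdline: str = "") -> bytes:
    """Construct a well-formed sample table for offline testing (not real firmware data)."""
    cmd = cmdline.encode("utf-16-le")
    body = WPBT_BODY.pack(0x8000, 0x7A000000, 1, 1, len(cmd)) + cmd
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"SAMPLTBL", 1, b"TEST", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) & 0xFF  # fix up the header checksum byte at offset 9
    return bytes(raw)

if __name__ == "__main__":
    print(wpbt_report() or "no WPBT table exposed by firmware")
```

Running it as root on a Linux boot prints the decoded table, or reports that no WPBT table is present, which is what disabling the BIOS option is meant to achieve.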
 
Alright, thanks.

I just found this:
I'm concerned about this, because my mobo is on their list. I've already disabled "APP center download and install" in BIOS. Is there something else I can do?
@Assimilator what is so funny about my posts? And how are you consistently finding my threads and putting a "haha" reaction? Have you been given a job to react with "haha" to all of my posts?
 