News Gigabyte allegedly included a weak and silent firmware update system susceptible to hijack

mikeymikec


Inaccurate headline, since "sold with a firmware backdoor" suggests an intention of Gigabyte to allow unauthorised (as far as the end user is concerned) entry to systems, whereas the body of the article suggests a heavily flawed silent updating system is susceptible to hijacking by malicious actors.

I really wish I knew why companies like Asus and Gigabyte insist on creating bad software and trying to push it on as many people as possible. Please, just concentrate on making sound hardware, and if you really have to write software, please keep it to a minimum and give us the opt-in choice of using it.

In keeping with Gigabyte's recent stellar PR tactics, no doubt they'll try to blame the messenger.

This page on my computer had an annoying tendency to spawn a pop-up that made reading the article difficult. 'Reader mode' in Firefox allowed me to read the article without further interruption (load the page then fire up reader mode ASAP before the pop-up appears).
 
  • Wow
Reactions: igor_kavinski

aigomorla

I sort of gave up on Gigabyte.
I'm running out of vendors to pick from.
My current recommend is the Taichi, but they are sometimes very ugly boards.

I might give MSI MEG / Godlike a try; however, I'm always on HEDT, and when I'm not and on consumer, I don't really look at 500-700 dollar boards for consumer builds.
 

Tech Junky

> 500-700 dollar boards for consumer builds.

My cutoff is typically $250 since from there on up it's usually frivolous junk being added to pad their prices. If I want WIFI I can get a card for $20 instead of paying an extra $100+ and the same goes for TB ports. I picked up a TB4 card on Amazon for $60 when boards with it built in tack on at least $200 for the privilege to use the ports. And if you need higher than 1GE ports for networking it's funny how much more they all charge for those as well. I picked up a quad port 5GE NIC for $200 shipped. Now, most of them don't offer that speed anyway and slug it out with 1/2.5/10GE ports for a premium. Even with a 10GE NIC you can pick up a dual port for ~$200 and if you want more flex get one w/ SFP+ ports instead and pay up for the specific transceivers you want to use.

I stick with ASR at this point due to the lack of press (good thing) and they seem to be built like a tank. They offer the higher end tech options w/o the huge markup for fancy RGB BS.
 
  • Like
Reactions: Hotrod2go

aigomorla

> I stick with ASR

Yeah but they are ugly boards in some cases.
And when you've got a pretty design, or you're doing a snow white build, there are not many ASRock white boards I can think of.
 

Hotrod2go

Wired is just another website like many out there involved in activities about "News" promoting traffic with sensationalist headlines. However, Gigabyte are not dotting their i's or crossing their t's before releasing code like this without implementing better security. I think it's just laziness or ignorance on the part of Gigabyte to allow this potential exploit.
PS: I have ASRock, MSI, Asus & Gigabyte boards.
 

zir_blazer

The whole point is that Gigabyte by default has enabled something equivalent to ASUS Armoury Crate, and that makes them susceptible to a man in the middle attack if the Gigabyte tool that is automatically installed and connects to the Internet gets its servers hacked.

So many issues with Firmware lately and I don't see a lot of Coreboot mentioned here...
 

mikeymikec

> The whole point is that Gigabyte by default has enabled something equivalent to ASUS Armoury Crate, and that makes them susceptible to a man in the middle attack if the Gigabyte tool that is automatically installed and connects to the Internet gets its servers hacked.
>
> So many issues with Firmware lately and I don't see a lot of Coreboot mentioned here...

I'm no fan of Armoury Crate, but it would be useful to know whether Gigabyte's thing is opt-in, opt-out or opt-anything. At least AC can be avoided.
 

OlyAR15

The danger is kind of overblown, because a lot of articles barely mention that you have to install the Gigabyte software that checks for BIOS/UEFI updates. If you are smart enough to build a PC, you are smart enough to not install the software. Admittedly, I think you also need the software to control the RGB, which is yet another reason that RGB is the work of the devil. Turn that crap off, and just check manually on the Gigabyte website for BIOS updates and you don't have to worry about all this.
 

Tech Junky

> RGB is the work of the devil.

Buy a case w/o a window! Windows are supposed to be on the inside on the drive not the case. Then again we already know people are dumb and ADD and like the pretty twinkles. If they want that go back to the 80's and get a damned Lite Brite. Much cheaper and less electrical costs monthly.
 

zir_blazer

> The danger is kind of overblown, because a lot of articles barely mention that you have to install the Gigabyte software that checks for BIOS/UEFI updates. If you are smart enough to build a PC, you are smart enough to not install the software. Admittedly, I think you also need the software to control the RGB, which is yet another reason that RGB is the work of the devil. Turn that crap off, and just check manually on the Gigabyte website for BIOS updates and you don't have to worry about all this.

Actually, you do NOT need to install the Gigabyte software - it should autoinstall by default since Windows accepts whatever is on the WPBT ACPI Table with no way to disable it Windows side. The problem is precisely that these things come enabled by default and you wouldn't know that until you notice that you have third party Software that you didn't install yourself. It also means that if you reset BIOS defaults and forget to disable it before booting, you screw your Windows install with bloatware that may or may not be possible to fully remove.
Somehow Windows having no way to disable this doesn't get the blame.
 
  • Wow
Reactions: igor_kavinski
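
For anyone who wants to check what a board's firmware actually publishes, the following is an added example (not part of any post in this thread and not Gigabyte's or Microsoft's code) that decodes a dump of the WPBT (Windows Platform Binary Table) ACPI table the post above refers to. The field layout follows Microsoft's published WPBT format; the sample table and all its values are constructed, and `parse_wpbt` and `build_sample` are names chosen for this example.

```python
import struct

ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")         # handoff size, address, layout, type, args length

def parse_wpbt(raw: bytes) -> dict:
    """Decode a WPBT table dump and report what the firmware hands to Windows."""
    if len(raw) < ACPI_HDR.size + WPBT_BODY.size:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HDR.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not ACPI_HDR.size + WPBT_BODY.size <= length <= len(raw):
        raise ValueError("header length field is inconsistent with the dump")
    table = raw[:length]
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HDR.size)
    args_off = ACPI_HDR.size + WPBT_BODY.size
    if args_off + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[args_off:args_off + args_len].decode("utf-16-le", "replace")
    return {
        "oem": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table": oem_table.decode("ascii", "replace").strip("\x00 "),
        "checksum_ok": sum(table) % 256 == 0,   # all table bytes must sum to 0 mod 256
        "handoff_size": size,                   # size of the binary left in memory
        "handoff_address": addr,                # physical address of that binary
        "single_pe_image": layout == 1,
        "native_user_mode_app": ctype == 1,
        "arguments": args.rstrip("\x00"),       # command line passed to the binary
    }

def build_sample(args: str = "/demo") -> bytes:
    """Constructed WPBT table (all values made up) so the parser runs offline."""
    a = args.encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(a)) + a
    hdr = ACPI_HDR.pack(b"WPBT", ACPI_HDR.size + len(body), 1, 0,
                        b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    raw = bytearray(hdr + body)
    raw[9] = -sum(raw) & 0xFF  # byte 9 is the header checksum field
    return bytes(raw)

if __name__ == "__main__":
    # On Linux a real dump, if the firmware publishes one, is readable by root at
    # /sys/firmware/acpi/tables/WPBT; here the constructed sample is used instead.
    for key, value in parse_wpbt(build_sample()).items():
        print(f"{key}: {value}")
```

If the firmware publishes no WPBT table at all, there is nothing for Windows to run from it, which is the state a disabled download option in BIOS Setup should produce.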

OlyAR15

> Actually, you do NOT need to install the Gigabyte software - it should autoinstall by default since Windows accepts whatever is on the WPBT ACPI Table with no way to disable it Windows side. The problem is precisely that these things come enabled by default and you wouldn't know that until you notice that you have third party Software that you didn't install yourself. It also means that if you reset BIOS defaults and forget to disable it before booting, you screw your Windows install with bloatware that may or may not be possible to fully remove.
> Somehow Windows having no way to disable this doesn't get the blame.

I have one of the supposedly vulnerable motherboards (Z690i Ultra). No Gigabyte software was auto-installed.
 

Hotrod2go

Noticed BIOS F6B for my B650 Aorus Elite board is out now; not updating, as it lists only the default mode of download assistant utilities being changed. All the end user has to do is drill down in the BIOS where this is on the older F6A BIOS & turn the stupid thing off!
 

mikeymikec

The Register has provided more information:
Using OlyAR15's board as an example, the manual says this:

4-2 Drivers Installation
After you install the operating system, a dialog box will appear on the bottom-right corner of the desktop asking
if you want to download and install the drivers and GIGABYTE applications via APP Center. Click Install to
proceed with the installation. (In BIOS Setup, make sure Settings\IO Ports\APP Center Download & Install
Configuration\APP Center Download & Install is set to Enabled.)

It's not clear whether it's set to enabled by default, but talk on the Internet points very much in the direction that it is, for example:

It doesn't surprise me since Armoury Crate is also enabled by default.
 

Shmee

> I sort of gave up on Gigabyte.
> I'm running out of vendors to pick from.
> My current recommend is the Taichi, but they are sometimes very ugly boards.
>
> I might give MSI MEG / Godlike a try; however, I'm always on HEDT, and when I'm not and on consumer, I don't really look at 500-700 dollar boards for consumer builds.

My X570 Meg Ace was about $300, but I think the newer chipsets are running more now for the Meg Ace equivalent. If you aren't into RGB, I could also recommend the Meg Unify line. A nice black only board, and otherwise pretty much the same features as the Ace.

As for HEDT, I hope that there will be better options and competition come Zen 4 TR and Emerald Rapids, but time will tell. I am also curious for the upcoming 14th gen Intel, hopefully will be good, and the motherboards will have enough IO.
 

A///

asus messed up with the soc voltage and armoury crate is terrible. gigabyte and this. msi and leaked keys. asrock and weird designs overpromising features with underbaked gooeyness. there's no good choice. our boards have become swiss army knives.

> My X570 Meg Ace was about $300, but I think the newer chipsets are running more now for the Meg Ace equivalent. If you aren't into RGB, I could also recommend the Meg Unify line. A nice black only board, and otherwise pretty much the same features as the Ace.
>
> As for HEDT, I hope that there will be better options and competition come Zen 4 TR and Emerald Rapids, but time will tell. I am also curious for the upcoming 14th gen Intel, hopefully will be good, and the motherboards will have enough IO.

14th is raptor refresh. no changes on io until arrowlake. lga18??
 

mikeymikec

> asus messed up with the soc voltage and armoury crate is terrible. gigabyte and this. msi and leaked keys. asrock and weird designs overpromising features with underbaked gooeyness. there's no good choice. our boards have become swiss army knives.

Manufacturers make mistakes, we all do, that's something that has to be allowed for or you'd buy nothing at all. How they own up to those mistakes and do what they can to try and make the situation better is what counts the most.

Gigabyte has more than one count of weasel-speak and blaming the messenger to their name (e.g. the exploding PSUs and one of their responses to the AM5 voltage issue), Asus screwed up too in the AM5 voltage incident but has backpedalled to a more explicit and better position.

Armoury Crate / App Center seems to be a sign of the times whereby software makers enable lots of stupid features and users have the option to disable them. I'm not a fan of it but at least if the option is there I can avoid the fall-out of those features. Microsoft has been doing this kind of crap since forever (and Windows is largely less vulnerable because of those issues because of the in-built firewall), for example.
 

A///

> Manufacturers make mistakes, we all do, that's something that has to be allowed for or you'd buy nothing at all. How they own up to those mistakes and do what they can to try and make the situation better is what counts the most.
>
> Gigabyte has more than one count of weasel-speak and blaming the messenger to their name (e.g. the exploding PSUs and one of their responses to the AM5 voltage issue), Asus screwed up too in the AM5 voltage incident but has backpedalled to a more explicit and better position.
>
> Armoury Crate / App Center seems to be a sign of the times whereby software makers enable lots of stupid features and users have the option to disable them. I'm not a fan of it but at least if the option is there I can avoid the fall-out of those features. Microsoft has been doing this kind of crap since forever (and Windows is largely less vulnerable because of those issues because of the in-built firewall), for example.

Asus's z690 issues come to light. i dunno if I can blame gigabyte for those psu's because they were guilty of giving the customers affected a hard time. they didn't manufacture the unit themselves. meic manufactured those but meic is known for making power bricks for other devices such as laptops. i have no idea what the hell gigabyte were thinking contracting them when the go to guys are channel well.
 

mikeymikec

> i dunno if I can blame gigabyte for those psu's because they were guilty of giving the customers affected a hard time. they didn't manufacture the unit themselves. meic manufactured those but meic is known for making power bricks for other devices such as laptops. i have no idea what the hell gigabyte were thinking contracting them when the go to guys are channel well.

I'm not sure I understand your first sentence, that's precisely what I'm blaming them for (that and attacking other players like Gamers Nexus for bringing it to the public's attention).

If you put your name on something, you assume responsibility for it. It doesn't make any difference whether they manufactured it, there's no good reason to blame the messenger.
 

A///

> I'm not sure I understand your first sentence, that's precisely what I'm blaming them for (that and attacking other players like Gamers Nexus for bringing it to the public's attention).
>
> If you put your name on something, you assume responsibility for it. It doesn't make any difference whether they manufactured it, there's no good reason to blame the messenger.

You said you don't understand but go on demonstrating you fully comprehended it. My opinion on the matter is gigabyte may have had an idea later post release that something was afoot and didn't want to spend the money recalling, and it being their first foray into power supplies as i know it didn't want to ruin their good name, whatever that was. every company has put out a stinker or two and tried covering it up sadly, even the first party ones. gigabyte's blame should be launched at how they handled the fall out. a lot of shame for meic because they were way out of their depths making a psu for another company imo.