“There’s no intent here, just sloppiness. But by leaving security vulnerabilities in the invisible code that lies beneath the operating system of so many computers, it nonetheless erodes a fundamental layer of trust users have in their machines. Smith acknowledges that Gigabyte probably had no malicious or deceptive intent in its hidden firmware tool. But for me, this feels like it crosses a similar line in the firmware space.” “I can’t speak to why Gigabyte chose this method to deliver their software. “You can use techniques that have traditionally been used by malicious actors, but that wasn’t acceptable, it crossed the line,” Smith says. Sony had hidden digital-rights-management code on CDs that invisibly installed itself on users’ computers and in doing so created a vulnerability that hackers used to hide their malware. He compares the situation to the Sony rootkit scandal of the mid-2000s. Smith has published research on firmware vulnerabilities and reviewed Eclypsium’s findings. Given the millions of potentially affected devices, Eclypsium’s discovery is “troubling,” says Rich Smith, who is the chief security officer of supply-chain-focused cybersecurity startup Crash Override.
“I still think this will end up being a fairly pervasive problem on Gigabyte boards for years to come,” Loucaides says. Release notes accompanying the update state that it "addresses download assistant vulnerabilities" uncovered by Eclypsium.Įven now that Gigabyte has pushed out a fix for its firmware issue-after all, the problem stems from a Gigabyte tool intended to automate firmware updates-Eclypsium’s Loucaides points out that firmware updates often silently abort on users’ machines, in many cases due to their complexity and the difficulty of matching firmware and hardware. According to Gigabyte, that code is now cryptographically signed and verified, "thwarting any attempts by attackers to insert malicious code," and the server they're downloaded from is also authenticated with a cryptographic certificate. But a day after Eclypsium revealed the firmware issue, Gigabyte announced updates to its firmware with "enhanced verification" of the code its updater program downloads to machines that use its motherboards. Gigabyte did not respond to WIRED’s multiple requests for comment regarding Eclypsium’s findings.
0 kommentar(er)
