Gigabyte’s Firmware AutoUpdate Feature Is Fairly Insecure

The Feature Is Invisible To You, But Not To Hackers

Gigabyte had good intentions when designing a feature on their motherboards that phones home on each reboot to see if there is any new firmware that could be installed automatically, without the user needing to do anything. From the Ars Technica article, it looks like this isn’t so much a BIOS update as firmware for the various features your motherboard offers, be it audio or networking. We’re not big fans of computers silently phoning home, and while Gigabyte meant well, they should have included a way to disable it for users who don’t want their computer updating without their intervention.

However, there’s a big problem with Gigabyte’s firmware autoupdate: it’s laughably insecure and is being used to load software onto unsuspecting people’s computers. Researchers at Eclypsium discovered that the invisible updater downloads code without properly authenticating it, and even does it over HTTP! That gives attackers a huge attack surface, as they could dump almost any code onto a machine, with the user none the wiser.

Even worse, it’s unlikely this can be fixed with an update, which leaves hundreds of thousands of Gigabyte motherboard owners vulnerable to attack until their next motherboard upgrade,