17
Awlex
1y

Jesus fuck Gigabyte motherboards downloading and installing firmware updates over HTTP no fucking S

https://tomshardware.com/news/...

Comments
  • 4
    Woah! I know I have had Asus laptops update firmware.
  • 7
    I'm on Asus mobos, but their "grid install" is among the first things I disable. I update the BIOS via USB thumbdrive at my decision. Well, that and not using Windows in the first place.
  • 5
    The problem isn't whether the connection is TLS-protected or not. It is that no cryptographic signature is checked on the downloaded firmware blob.
  • 0
    @Oktokolo Doesn't work, as MSI and their customers have found out the hard way: https://cybernews.com/news/...
  • 0
    @Fast-Nop Well, securing the customer side obviously is only one part of the problem. No update process is safe when the very source of the update gets compromised.
  • 0
    @Oktokolo The problem is, how to do the key update? That would need a secure channel, and that can be e.g. HTTPS. But if you have to trust that channel for a key update, you can as well trust it for the actual software update.

    Btw., Linux distros with signed packages over plain HTTP are in a different situation - HTTPS isn't useful for securing the data because there are a lot of mirrors, and each mirror could tamper with the data, so that requires package signing. That's different from firmware that should only be downloaded from the vendor.
  • 1
    @Fast-Nop That works fine as long as the keys can be revoked. Of course, at a certain point you have to trust something. If a firmware author doctors it, you are screwed anyway.

    You have a procedure with a USB stick to introduce new keys. It's a manual action.
  • 0
    @mansur85 Used to be my go-to brand. Got a Gigabyte now, but mine is not on the list (too old), but I might go back to ASRock depending on their offering at the time of the next upgrade.
  • 0
    And this is why I recommend moving away from commercial grade hardware and going to more enterprise hardware like Lenovo business machines (ThinkStation, ThinkPads) or HPE. Their firmware update process is tedious but at least you can rely on it.

    Well, still disable telemetry.
  • 0
    holy vulnerabilities, batman!