“Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.” (1)
This sounds just like the same story I wrote here nearly two years ago (6/22/2023 as I write) about Apple. (2) Except now, we find that a popular motherboard maker is imbedding internet access code in the boot-up software that lets their boards start and run, in motherboards that people use to try to get away from commercial and governmental surveilance by building their own secure machines.
It’s not that this was unpredictable. There has always been a security issue with closed source boot firmware. It has never been fundamentally trustworthy, but a foundation of sand upon which to try to erect a safe and secure computing structure. Gigabyte’s present problem is just one real material example of what is really going on. What other computer builders and chip makers are doing or not doing, we can only guess. How it can be misused, we don’t know. Is it intentional and malicious, or just crappy code? It would be great to see the code and make sure our computers, unlike my MacBook of three years ago, are really ours. And it is absolutely necessary that the computer owner at least has a kill switch on any such code, or else, it’s not their machine.
Well, we can look at some boot-up code. Open source boot-up software is available from coreboot (3). I recently bought a refurbished Lenovo T440p laptop from Minifree Ltd (4) that uses coreboot in a product it calls Libreboot. Some builders include a coreboot option, the StarLite MK IV, for example (5). My experience with Libreboot has been good.
-George
Leave a Reply