LEDs Light The Way To This Backdoor

A curious trend for some years in the world of PC hardware has been that of attaching LEDs to all the constituent parts of a computer. The idea seems to be that a gaming rig that looks badass will somehow be just a little bit faster. As [Graham Sutherland] discovered when he wanted to extinguish the LEDs on his new Gigabyte graphics card, these LEDs can present an unexpected security hazard.

The key to their insecurity lies in the Gigabyte driver. This is a piece of software that you would normally expect to be an abstraction layer: an interface visible at user-level privilege, with a safe decoupling between that and the considerably more security-sensitive hardware layer on which the LED bus lives. Instead, the Gigabyte driver is more of a wrapper that simply exposes the LED bus directly to user level. The intent is that user-level code can easily bit-bang WS2812 LEDs without hindrance, but the effect is a gaping hole in the security layers intended to keep malicious code away from the hardware. The cherry on the cake is the discovery of a PIC microcontroller on the bus which can be flashed with new code, providing an attacker with persistent storage unbeknownst to the operating system or CPU.
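To make the difference between the two driver designs concrete, here is an added example that is not part of the article and not Gigabyte's driver code. It models a board bus in which the LED colour registers and a programmable controller's firmware window share one address space (the addresses, the register map and the function names are all constructed for illustration). The "wrapper" interface forwards a raw user-supplied address and byte to the bus; the "abstraction layer" interface accepts only an LED index and colour and computes the address itself, so user input can never select a location outside the LED range. An audit counter records any traffic that lands past the LED registers, which is the check a reviewer of such a driver would want to see stay at zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the board's LED bus, for illustration only: the WS2812
 * colour registers and a programmable controller share one address space.
 * These addresses are made up and are not the real Gigabyte layout. */
#define LED_COUNT        8
#define LED_REG_BASE     0x00                        /* one R,G,B byte each per LED */
#define LED_REG_END      (LED_REG_BASE + 3 * LED_COUNT)
#define CTRL_FLASH_BASE  0x80                        /* hypothetical firmware window */
#define BUS_SIZE         0x100

static uint8_t  bus[BUS_SIZE];
static unsigned writes_outside_leds;   /* audit counter: traffic past the LED registers */

/* Everything reaching this function is treated as trusted hardware traffic. */
static void bus_write(uint8_t addr, uint8_t val)
{
    bus[addr] = val;
    if (addr >= LED_REG_END)
        writes_outside_leds++;
}

static uint8_t bus_read(uint8_t addr)
{
    return bus[addr];
}

/* Design 1, "wrapper": user level hands the driver a raw address and byte and
 * the driver forwards it untouched. Every address on the bus is reachable
 * from user space, including the controller's firmware window. */
static int wrapper_write(uint8_t addr, uint8_t val)
{
    bus_write(addr, val);
    return 0;
}

/* Design 2, "abstraction layer": user level may only ask for an LED colour.
 * The driver owns the register map, validates the index and computes the
 * address itself, so user input cannot select an address outside the LEDs. */
static int mediated_set_led(uint8_t index, uint8_t r, uint8_t g, uint8_t b)
{
    if (index >= LED_COUNT)
        return -1;                      /* reject before touching hardware */
    uint8_t base = (uint8_t)(LED_REG_BASE + 3 * index);
    bus_write(base,     r);
    bus_write(base + 1, g);
    bus_write(base + 2, b);
    return 0;
}

/* Helpers for inspecting the model's state. */
static unsigned firmware_window_writes(void) { return writes_outside_leds; }

static uint8_t led_channel(uint8_t index, unsigned ch)
{
    return bus_read((uint8_t)(LED_REG_BASE + 3 * index + ch));
}

static int reset_model(void)
{
    memset(bus, 0, sizeof bus);
    writes_outside_leds = 0;
    return 0;
}

int main(void)
{
    reset_model();
    wrapper_write(CTRL_FLASH_BASE, 0xAA);   /* raw passthrough lands in the firmware window */
    printf("wrapper:  writes outside LED range = %u\n", firmware_window_writes());

    reset_model();
    int rc = mediated_set_led(LED_COUNT, 1, 2, 3);   /* out-of-range index is refused */
    mediated_set_led(7, 0x10, 0x20, 0x30);           /* last valid LED */
    printf("mediated: rc=%d, writes outside LED range = %u, LED7 = %02x %02x %02x\n",
           rc, firmware_window_writes(),
           led_channel(7, 0), led_channel(7, 1), led_channel(7, 2));
    return 0;
}
```

The point of the model is not the LED logic but where validation lives: in the wrapper design the only thing standing between user code and the controller is whether user code chooses to write there, while in the mediated design the driver never lets an address be chosen at all.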

The entire Twitter thread is very much worth reading whether you are a PC infosec savant or a dilettante, because not only should we all know something about the mechanisms of PC backdoors, we should also be aware that sometimes a component as innocuous as an LED can be the source of a security issue.

Thanks [Slurm] for the tip.

Gigabyte motherboard picture: Gani01 [Public domain].

41 thoughts on “LEDs Light The Way To This Backdoor”

  1. Never liked those LEDs, just a waste of energy. And now we know what controls them can be used as a security breach….

    But this is a nice find, hope they fix the driver issue for external hackers, but leave it open for the owner, I wonder if we could use that PIC for something else, maybe remove the LEDs and add a port for GPIO.

    1. That does sound interesting.

      Another possibility is to add cheap plastic fiber optic strands to one or more LEDs for fiber optic communication, potentially bidirectional even, if the microcontroller is capable of reading the LED(s) like a sensor.

      I wonder how much bandwidth would be available in such a setup?

    1. In theory it would not be hard to OOK modulate an LED fast enough to be invisible to the user, but quite adequate for repeated transmission of a stored, sniffed password or network credentials to a suitably equipped individual. People have already demonstrated exploits of strobing data LEDs on rack mount modems and the like.

        1. The Linux kernel has even supported user supplied Morse code on the keyboard LEDs since at least 2.4.19-rc1 for kernel panics.

          Clearly, someone now needs to update the code to support MB LED bling.

        2. In “The Cryptonomicon” one of the characters uses blinks of a keyboard LED on his laptop to output data in Morse code to monitor a background program he stealthily wrote while working on a fake program to mislead the people who put him in jail. They want him to reveal the location of a lost WW2 Japanese hoard of stolen gold and have fixed the laptop to a pedestal containing hidden Van Eck equipment to copy the display to another monitor. The instant he has the fake program display the fake coordinates, he’s released – having memorized the Morse blinked real coordinates. He and his partner who have been searching for the hoard then go to the real location to retrieve the gold. IMHO in a rather dumb way because they destroy all the artifacts, only caring about the monetary value of the gold they’re made of.

          1. Hmmmm, a WW2 story involving a gold stash that isn’t a nazi gold stash. Definitely a change from the standard narrative. Might have been a good plot for Indiana Jones and The Harbor of Peril. Otherwise I would think there are much better ways of covertly sending yourself a message from a computer you’re looking at, unless you really hate blinking and have superhuman photoreceptors in your eye that can reset from an activated state so you don’t need to worry a persistent image on your retina will mistakenly make successive flashes appear solid. Just have Windows notifications pop within a certain time interval. Nobody is on the lookout for steganography in Windows alerts, they’re too distracted figuring out why in the hell some email from 3 weeks ago just randomly popped as new.

      1. You can bitbang it using an MFM encoding or even a Manchester encoding. I was thinking about: are these LEDs soldered or on a connector? Because if you can change them for an IR receiver and an IR LED, and reprogram the PIC with the IrDA protocol, you’ll get something useful…

      1. And a bellwether is a castrated ram with a bell on a collar, which the rest of the flock is trained to follow. The shepherd leads the bellwether and the flock follows.

        Now you know what people mean when they talk about the “bellwether counties” in the USA that as long as the county has existed has always voted for the winner in our Presidential elections. IIRC there’s only one or two left that have always voted for the winner.

    1. Maybe I’m OCD? It bothers me to have hardware that isn’t fully functional, drivers installed. If It’s there I have to make it go!

      Give me a laptop that still has a telephone modem in it… I have to make it work. I haven’t had an actual telephone line in about 20 years! I have a VoIP box that I plug it in to for testing.

      My RTLSDR stick is a minor annoyance. Why? Because it was made to be a TV receiver. I can install the driver to make it such, though that is useless to me on this side of the ocean. Or I can install the RTLSDR software which makes it useful as an SDR, but not with enough bandwidth to accomplish its original task, and does not make any use at all of the TV decoding part of its chip. I bought it to be an SDR but I want the driver to do both just because!

      Anybody else?

      1. No. I like my devices to do a specific list of tasks that [bold] I [/bold] have defined, NOT a list that some corporate marketer defined. Anything beyond my list is regrettable and I would seek to disable it where conveniently feasible. Anything actively contravening my list I would seek to disable even where extremely difficult.

      1. I just did exactly that a couple of days ago on a new Asrock AMD Ryzen 5 PC. Set the LED controller to disabled in UEFI. If yours can’t, complain to the motherboard manufacturer that you want an updated BIOS with the ability to completely shut off the silly and useless LED thing.

  2. Stands to reason. The more attention is spent on superfluous fluff, the less is spent on things that matter. Pre-pimped components are lame anyway.

    (angry old man mode) Back in the day when men were men and components were connected with parallel ribbon cables, we’d install fluorescent tubes in and under our towers with a 12 volt transformer unit arbitrarily dangling between the high frequency parts… These kids with their pre-installed RGB LEDs think they are cool?

    1. Parallel ribbon cables and fluorescent tubes? Such a momma’s boy!

      In my day all we had for connecting things was real string made ourselves from roadkill cat-gut! LEDs? Fluorescent tubes? No! We had whale oil!

      Now that’s how boys grew into real men!

      1. Tish, you were lucky! Our oscillators actually used to be a family of 13 banging their fists on quartz rocks to induce a clock while paddling like mad on trainer bikes hooked up to old rusty dynamos, and if we’d lose clock sync or momentum, father would connect jumper leads to our nipples and shock us to death. And that was only to drive the radio.

        1. You spoiled modern kids with your dynamos, radios and nipples!

          When I was young, our computer was called an abacus, and we had to make it ourselves out of wood we chewed to size and string made of tooth-stripped tree-bark (we really used our teeth a lot).

          And if we wanted flashy bling on our “computers”, we had to wait for a stormy day, climb to the highest peak, and hold our “computer” up high so it would get hit by lightning, giving it that stylish flaming look (non-lightning fire not being invented until several years later). Sure, it torched us from the inside and set our bones on fire, but back then, that was just the price of coolness (had irony been invented yet, I’m sure the internal incineration requirement for coolness would have been considered as such).

  3. On the fun side is that it gives someone the opportunity to make the PIC do something useful. I would want the LEDs to start flashing yellow if the card was getting hot and red (or color change) if the card was Over Temp. Maybe communicate SOS if the unit had a fault. Fade in on boot up then fade out.
    As long as the PIC doesn’t have access to anything important it might not be a problem. I like the temperature idea myself. A few sensors and you can potentially determine dirt infestation on the heat sink (example). Who knows?

  4. The only type of LED i want to install is a cool white light strip for messing around with the hardware under the desk with the power off.

    I still remember the grade school days when I knew very little about electronics and would put lights in a lot of things. That stopped very quickly as I learnt to solder and made my own PCBs long before high school. These days I rarely use LEDs except when they perform a function. Blue light or RGB everywhere shouts cheesy, cheap Chinese electronics.

  5. Well, this has honestly been a known security issue for quite some time.
    One simple solution is to not install the drivers for the RGB part of the card, leaving the microcontroller to run its own show. (sometimes the cards have an RGB header and can get synchronization/color data from an external USB connected RGB controller, this being far and away more secure.)

    But a lot of manufacturers don’t like adding extra connectors, and instead toss the RGB onto the nearest I2C or similar bus that they can find.

    GPU vendors (Nvidia, AMD) could add an “RGB” bus to their chips, so as to provide a secure method of doing it without exposing anything other than the intended target. But since none of them have done it yet, nor have either of the two put RGB on their reference designs, it is safe to say that they probably also consider the market trend silly.

    Otherwise PCIe-SIG could always make pin 32 side A into a dedicated bidirectional, low bitrate connection explicitly used for “spiffing up the visuals” of the device, while also ensuring that the bus is segregated from other buses, and thereby ensuring at least basic security. But I guess this organization is even less interested in doing that…

  6. LOL – Great find.

    Where would I go to find a guide showing ALL the different processors within a modern PC?
    (I don’t mean at the abstract level of a CPU, …. I mean at the nitty-gritty, nuts and bolts level of: there is a processor that runs a stored program here – show it.
    Including the ones in SD cards, the one in the mouse, and in the USB controller, and in the RAM (if there is one for the status information), and the several processors which make up an abstract CPU, processors in network interfaces, management engine(s), etc.

    Just to get some idea of where all those interesting attack/defense surfaces even are.

    (The IBM PC tech ref manual had a full schematic. Where can we see inside the black boxes now?)

  7. So who reviews/ensures security of drivers in closed source OS, like Windows? (Does anybody)
    Is it just up to people reverse engineering the drivers to see what they actually do?

    Is there any comparative review site that compares the security and information gathering practices of various drivers?
    (How much data do they gather and ship off to whoever, how many extra holes do they punch in the OS security, etc.)
    Is this all done just on trusting the various OEMs / security through obscurity?
