LED backlight as a backdoor




A funny trend of recent years in the PC manufacturing industry is putting LEDs into every component of the system unit. Somehow the idea arose that a cool-looking system unit would also run a little faster.



Trying to turn off the LEDs on his new Gigabyte graphics card, Graham Sutherland discovered that this LED backlight poses an unexpected security risk.



The key to this vulnerability is the video card driver. A driver is normally expected to be an abstraction layer that gives user software a secure interface to the critical functions of PC hardware components. The Gigabyte driver instead turned out to be little more than a shell that exposes the entire SMBus directly to user-level code. This was done intentionally, so that a program running with the rights of a regular user could freely access the WS2812 LED controller by bit-banging. The result is a hole in the security layers whose purpose is to prevent malicious code from running on bare metal. The cherry on this cake is a PIC microcontroller found on the same SMBus, which can be reprogrammed, giving the hacker permanent storage that is unknown to the operating system and the central processor.
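The difference between a pass-through driver and a driver that acts as an abstraction layer can be modelled on a simulated bus. This is an added example, not code from the Gigabyte driver or from the original thread; the device addresses, register layout and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values for illustration; not taken from the real hardware. */
#define LED_CTRL_ADDR 0x10  /* hypothetical bus address of the LED controller */
#define MCU_ADDR      0x20  /* hypothetical bus address of the reprogrammable MCU */
#define LED_COUNT     8

/* Simulated bus: counts the writes that reach each 7-bit device address. */
static unsigned bus_writes[128];

static int bus_write(uint8_t addr, uint8_t reg, uint8_t val) {
    (void)reg; (void)val;
    if (addr >= 128) return -1;
    bus_writes[addr]++;
    return 0;
}
void bus_reset(void) { memset(bus_writes, 0, sizeof bus_writes); }
unsigned writes_to(uint8_t addr) { return addr < 128 ? bus_writes[addr] : 0; }

/* Pass-through pattern: the caller chooses device address, register and data. */
struct raw_req { uint8_t addr, reg, val; };
int passthrough_ioctl(const struct raw_req *r) {
    return bus_write(r->addr, r->reg, r->val);  /* no policy at all */
}

/* Abstraction-layer pattern: the caller can only say "set LED n to this RGB".
   The driver itself decides which device and which registers are touched. */
struct led_req { uint8_t index, r, g, b; };
int led_ioctl(const struct led_req *q) {
    if (q == NULL || q->index >= LED_COUNT) return -1;  /* out-of-range LED */
    uint8_t base = (uint8_t)(q->index * 3);             /* 3 registers per LED */
    if (bus_write(LED_CTRL_ADDR, base, q->r)) return -1;
    if (bus_write(LED_CTRL_ADDR, (uint8_t)(base + 1), q->g)) return -1;
    return bus_write(LED_CTRL_ADDR, (uint8_t)(base + 2), q->b);
}

int main(void) {
    struct raw_req raw = { MCU_ADDR, 0x00, 0xAA };
    struct led_req led = { 2, 255, 0, 0 };
    passthrough_ioctl(&raw);   /* reaches a device unrelated to lighting */
    led_ioctl(&led);           /* can only ever reach the LED controller */
    printf("MCU writes: %u, LED writes: %u\n",
           writes_to(MCU_ADDR), writes_to(LED_CTRL_ADDR));
    return 0;
}
```

With the restricted interface there is no request a user program can form that names another device on the bus, which is the property the pass-through design gives up.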



We highly recommend reading the original Twitter thread, as it shows how the mechanism works that allows a backdoor to be installed on a PC under the guise of an innocent LED lighting controller.



Photo of the motherboard from Gani01 [Public domain].


