Ask HN: Integrity of BIOS update?
10 points by rxlim on June 11, 2017 | hide | past | favorite | 6 comments
I want to update the BIOS on my Gigabyte motherboard as this hopefully solves a problem. However, the archive containing the BIOS update and flashing tool can only be downloaded over http, and there is no way to verify its integrity, as neither signed nor unsigned checksums are available.

I'm extremely uncomfortable with just installing the update without being able to verify its integrity, as I would forever wonder whether the BIOS had been modified, in case the download server was compromised or there was a MITM attack while I was downloading.

What can I do?




In theory, you could probably call Gigabyte and ask them to mail you the BIOS update on disk or CD or something (you know, the old fashioned way), and/or you might be able to tell them that you feel insecure with plain http, and maybe they'd change it for you...

But what you're saying points to a larger problem. How do you know that anything you download from any vendor (and that includes such hallowed things in the industry as Apple/Ubuntu/Red Hat/Microsoft/Google updates), is really secure?

The only way to get true security for anything is to build your own processor, build your own PC, write your own operating system, build your own network card, and then hope that there aren't any bugs...

Historically, things that were once thought to be secure -- have been proven over and over again not to be. Case in point: Windows NT -- it had labels all over the box, to the effect, "It's secure, it's secure". Well, fast forward 17 years or so. Numerous incidents and issues have historically proven those assertions to be in error... don't take my word for it... look at the history... Google "Windows NT security vulnerabilities" and you can also add the word "historical" in there, if you want.

That, and I'm pretty sure as a novice computer historian, that history repeats itself, although chances are that your BIOS might be perfectly safe even if you do download it with http (although, make no mistake about it, you are taking a chance, so "chance-taker beware", as the old saying goes...)

Computer security is a tough business, because on the one hand there's too little security, and on the other is outright paranoia... what's the correct balance between those two extremes? I sure as heck don't know...

Anyway... good luck with your BIOS update...


Good points. I must admit that I have not contacted Gigabyte as my experience with such large companies tells me that I will only get elevated blood pressure and absolutely no usable answer.

My main concern is not if the BIOS is secure, I'm very sure it's full of security vulnerabilities like most other software I use, but I have decided to trust Gigabyte like I have decided to trust the developers who build the Linux distro I'm using in that they are not malicious and trying to steal my information. The packages in my Linux distro are signed, so I can verify that they have not been modified since they left the developers machine, but I can't do the same thing with the BIOS update and that's what makes me uncomfortable.


I explored this issue many years ago and, at least at the time, it was my understanding that for many motherboards it's simply not possible to introduce unsigned code through software alone.


I second this; usually BIOS updates are signed.

You could always check whether there is a signature with binwalk or something, if it makes you feel safer.


I did run an older version of binwalk on the firmware image, but it was unable to unpack anything and only printed false positives. I have now tried the newest version and it is able to unpack everything and display a lot of information. The PE modules in the UEFI image seem to be signed, as these signatures are found many times:

  Certificate in DER format (x509 v3)
  SHA256 hash constants, little endian
Very interesting to dig around in the firmware, I even found the boot splash image. Definitely a time sink, but fun.
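The comment above reports binwalk finding DER certificates inside the unpacked UEFI modules. A more direct check of what that means is to parse each extracted PE module and look at its security data directory (index 4), which is where an Authenticode signature lives as a WIN_CERTIFICATE wrapping a PKCS#7 SignedData blob. The script below is an added example, not code from the thread or from Gigabyte; the sample image it builds is constructed in place and its "PKCS#7" payload is a placeholder, so it demonstrates locating and parsing the certificate table, not verifying a signature.

```python
"""Locate the Authenticode certificate table in a PE image, e.g. a UEFI DXE
driver extracted from a firmware update with binwalk or UEFITool.

Added example for this thread. build_sample_pe() constructs a minimal PE32+
image with an optional, placeholder certificate table so the parser can be
run offline; a real module would be read from disk instead.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory index of the cert table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode: PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def find_authenticode(pe: bytes):
    """Return a list describing each WIN_CERTIFICATE in the security directory,
    or None when the image carries no certificate table at all."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:        # PE32
        dirs = 96
    elif magic == 0x20B:      # PE32+, what 64-bit UEFI modules use
        dirs = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # NumberOfRvaAndSizes is the DWORD immediately before the directories.
    (n_dirs,) = struct.unpack_from("<I", pe, opt + dirs - 4)
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_opt < entry + 8:
        return None
    # For the security directory the first field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + entry)
    if cert_off == 0 or cert_size == 0:
        return None
    end = cert_off + cert_size
    if end > len(pe):
        raise ValueError("certificate table points outside the image")
    entries = []
    pos = cert_off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % pos)
        body = pe[pos + 8:pos + length]
        entries.append({
            "offset": pos,
            "length": length,
            "revision": revision,
            "type": cert_type,
            "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            # PKCS#7 SignedData is a DER SEQUENCE, so the payload starts with 0x30.
            "looks_like_der": body[:1] == b"\x30",
        })
        pos += (length + 7) & ~7      # table entries are 8-byte aligned
    return entries


def build_sample_pe(signed: bool) -> bytes:
    """Constructed PE32+ image: headers only, plus an optional certificate table
    whose payload is a placeholder DER SEQUENCE rather than a real signature."""
    opt_size = 240                              # PE32+ header with 16 directories
    pe_off = 0x40
    hdr_end = pe_off + 4 + 20 + opt_size        # 328, already 8-byte aligned
    cert_off = (hdr_end + 7) & ~7
    fake_pkcs7 = b"\x30\x82\x00\x10" + b"\x00" * 16   # SEQUENCE, length 16
    cert_len = 8 + len(fake_pkcs7)              # WIN_CERTIFICATE header + body
    table_size = (cert_len + 7) & ~7
    img = bytearray(cert_off + table_size if signed else hdr_end)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    coff = pe_off + 4
    # Machine=x86-64, 0 sections, timestamp/symtab 0, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", img, coff, 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)     # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, table_size)
        struct.pack_into("<IHH", img, cert_off, cert_len,
                         WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        img[cert_off + 8:cert_off + 8 + len(fake_pkcs7)] = fake_pkcs7
    return bytes(img)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("constructed sample:", find_authenticode(build_sample_pe(True)))
    for path in paths:
        with open(path, "rb") as f:
            print(path, find_authenticode(f.read()))
```

Run it over the PE files binwalk extracted (`python3 peauth.py *.efi`) to see which modules actually carry a certificate table and which DER hits are something else; a firmware image also ships certificates that are not signatures at all, such as the Secure Boot defaults, so a binwalk "Certificate in DER format" hit on its own does not show a module is signed. Two caveats matter for the original question. First, a present table is not a verified signature: verification means recomputing the Authenticode hash over the image (skipping the CheckSum field, the security directory entry and the table itself) and validating the PKCS#7 chain against a root you trust, and an attacker who rewrote a module could just as well attach their own PKCS#7 blob. Second, even correctly signed DXE modules say nothing about whether the downloaded archive is genuine; what protects the flash against a tampered download is whether the board's flashing path enforces a vendor signature over the update before writing it, and parsing the files you downloaded cannot tell you that.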


Download the file at Starbucks and 5 other locations and check the sha1sum. Though not useful in this situation, it's better to buy a reputable server mobo.



