Asus Z390 motherboards found to be automatically installing software without user consent

With the launch of Intel’s new 9th Gen processors and the Z390 chipset, you might run into a bit of a problem because the Windows 10 1809 ISO images don’t have basic drivers for the chipset to enable things like networking. Microsoft’s opening for drivers to be submitted for inclusion in the base ISO ended long before the Z390 family was ready, and this means that you’ll either be installing drivers for networking through a USB flash drive or a DVD. ASUS seems to have gone a different route with their new boards by including pre-loaded drivers and an updater app, and these will be automatically installed on your new installation of Windows without you needing to lift a finger. It’s a convenient feature, but it’s the way ASUS went about it that may be problematic.

TechpowerUp discovered the feature while testing an ASUS Z390 Maximus XI Extreme motherboard ahead of the Intel Core i9-9900K launch review embargo, with the board sitting on BIOS version 0506. While setting up the system for benchmarking ahead of the review, it became immediately obvious that while the system still wasn’t connected to the internet, it had already installed a network driver along with a stub ASUS Armoury Crate, and an auto-updating service set up by the motherboard.

The text in the BIOS that describes the feature says, “The ASUS Armoury Crate is a fixed Advanced Configuration and Power Interface (ACPI) table that provide (sic) Windows with a platform binary that the operating system can execute”. ACPI tables are fairly common in the hardware industry, but they’re not that common on consumer motherboards. The idea is that you’ll always have at least one other computer, or a DVD drive, to use to install the software, so it’s not necessary. It’s much more common for specialised machinery and IoT devices which need a driver for the operating system they’re loading, in case they need to fetch new firmware images.

Microsoft introduced the feature in Windows 10 and calls it the Windows Platform Binary Table (WPBT). It’s used by companies that need to secure their devices against theft, by having a driver or process that is executed as part of Windows when it pulls the executable from the motherboard. Anything from “phone home” kinds of software to secure two-factor authentication before Windows even loads is possible with WPBT.

ASUS Armoury Crate will deliver a driver to Windows through WPBT, which loads and executes the driver installation during initialisation. This is problematic for two reasons – one is that unless you disable the feature in the BIOS, the motherboard will always check for, and unpack the files and the driver into C:\Windows\System32 on every boot. If there’s ever a problem with the driver, Windows won’t always know to not load it. Uninstalling Armoury Crate from Windows also doesn’t disable or remove the ASUS Update utility, which will always phone home on every boot. Despite ASUS’s best intentions, Armoury Crate seems to meet the definition of a rootkit.

Two, this opens up an attack vector for malicious actors to customise their own firmware and insert malware into the WPBT payload, potentially leaving users at risk of constant virus infections even if the OS is reinstalled or the hard drive is replaced. Because WPBT executes any software that it is told to run before Windows even starts up the desktop process, an attacker could find a vulnerability in the network driver as it’s being installed and run, and find a way into the computer as it boots.

WPBT is not restricted from accessing the contents of hard drives, and can replace and write files to a Bitlocker-encrypted drive because it runs after Windows decrypts the drive. According to Microsoft’s documentation, any binaries that are delivered as part of WBT can be copied onto physical memory and reside there indefinitely, and may even be executed before the boot loader finishes its work.

Proceed with caution

There’s a small cottage industry around supplying people with custom BIOS firmware to unlock and enable experimental features on motherboards that don’t ship with them out of the box. It is very, very easy to install a tiny key logger, a VNC client, something that takes desktop screenshots and uploads them to a remote location, or even straight up ransomware through WPBT. It bypasses all software protections like Secure Boot and, as mentioned before, can read and write to drives encrypted with Bitlocker. With things like this, you just can’t take chances.

Lenovo got into hot water over the use of ACPI tables to install and set up OneKey Optimiser on laptops that had the Lenovo Service Engine setting enabled, without the ability for the user to disable it, and went on to alter key files used by Windows 8 to run additional programs and setup without user intervention. If that wasn’t bad enough, there was an exploit for it that could be executed remotely, without any user intervention, by spoofing one of Lenovo’s servers that would deliver the OneKey app and other software at boot time. Success would give the attackers the ability to remotely execute code before the user had logged on to the system in an automated fashion.

Perhaps you also remember the issue of the Lenovo Yoga 920 not allowing installations of Linux or even Windows 10? At the time, no-one knew exactly how Lenovo was deploying Samsung’s SSD driver and blacklisting the one that comes with Windows 10 by default. Well, the company may have been using WPBT to do it, and you may recall that Lenovo had to issue a BIOS update to fix the problem.

TechpowerUp also mentions the possibility of the feature not being GDPR compliant, leaving ASUS vulnerable to potential fines and a product ban if they do not make changes to disable the feature by default. The motherboard maker has not commented on the story run by TechpowerUp, and it is advised to all NAGlings reading this that you disable the service until ASUS announces plans to update it and make it more secure.

The Vikings TV show music composer is working on Assassin’s Creed Valhalla