That’s right, they packed an EXE installer that autoruns during Windows Installation to add ASUS bloatware onto your supposedly clean OS installation.
This is pretty much the perfect attack vector for replacing that executable with pretty much ANY executable, which is the scariest part. Let alone the privacy implications, where the software doesn’t prompt the user regarding data collection policies in the EU.
Remember that botched version of Audacity on FossHub a while back? As an April Fools prank, a technician can basically load that EXE which deletes your MBR/GPT so that Windows can never be installed on that motherboard.
Like I said, a technician with physical access before the end user gets their machine can easily pull an April Fools prank and replace the WPBT binary with an MBR wiper and give that to someone.
Considering how easy it was for FossHub to get compromised with MBR wiping binaries, you bet someone can replace the WPBT binary with an MBR wiper or a rootkit. (Which this ASUS software is already a rootkit)
The fact they pull this without any prompting and by default is absurd, it should be an opt-in. For Windows, you should have some kind of optional menu to add additional modules from the Mobo and prompt you as well.
Now, if you could customize what gets preloaded, that would actually be a pretty neat feature. For example, say you have a device you’ve added in your computer that requires drivers (a GPU for example). Being able to preload these into the Motherboard, and choosing to install it during the Windows install process, that would actually be very convenient and neat.
Also, if bloatware is there, it can probably be overwritten, so maybe we’ll see someone do something cool with it?
Like have a socketed BIOS that has a set of basic stuff you always install so you can install clean and the chip will add what you need by default and then you can swap it back to a regular BIOS, once your PC is set up.
Oh no, I totally agree it’s a huge security risk. All it would take is for the FTP server that services the files that would update that section of the BIOS to be compromised to do exactly as you say.
It would be much better if they had it off by default, and the Marketing team advertised it as a feature of the board, something like Driver Store or whatever and be something that has to be explicitly enabled and set up.
I would agree with you that it is useless for the enterprise, but realistically, would an enterprise be buying all the individual PC parts and putting them together? Nah, they’d just buy OEM PCs from Dell or HP in bulk and mass deploy them, both from lower total cost and for homogeneous deployments to reduce troubleshooting issues with specific hardware.
The Driver Store bit I think would be neat for individuals who are building their PC and just don’t want to deal with Drivers on later installs/reinstalls.
From what I understand the exe is not on the board ever. It's being downloaded sometime before it's needed for the installation. Kinda like you can update your ASUS BIOS via the internet instead of a USB stick.
It's optional too, so I don't see that being a big deal. In theory there would be an attack vector when someone gets hold of your router and can change the DNS service to a custom one that uses a different server instead of the ASUS one. I'd imagine it's not actually all that easy to pull this off. First gotta probably reverse engineer what those ASUS servers are doing and then gain access to your router to then change the DNS.
This does not really look like bloatware. It's a software that installs and updates all the drivers your ASUS board needs to function properly. I can see it being convenient if you intend to use it. Otherwise you can turn it off.
I’ll also point out that not a single Techtuber is talking about this. A search for “ASUS Z390 Bloatware” on YouTube ends up with fully SEO optimized results from all the top techtubers about how good the mobos are without diving into why this is.
@wendell, you could be the first to investigate this claim. And to see if the infosec claims I’m making hold weight.