LadyCrimson Posted April 17 Could anyone tell me if this is a serious potential problem - that is, more than any other average potential problem the 'net sometimes likes to fear-monger about - to someone who only has the small bits of RGB forced on them on their GPU/mobo, only uses their GPU OC/fan control software and doesn't randomly surf/download anything, etc.? Also, I'm not on Win11 yet. My KB has some RGB but I didn't ever specifically install any software for it. It backlights the keys without any. When I had the CPU EZ-watercooler it came with iCUE, but it's been uninstalled since it broke. There was a user thread on linustechtips 5-6 years ago talking about this being a security backdoor I think, long before this video. https://linustechtips.com/topic/1107122-rgb-is-a-massive-security-backdoor/ e.g., I don't understand. “Things are as they are. Looking out into the universe at night, we make no comparisons between right and wrong stars, nor between well and badly arranged constellations.” – Alan Watts
majestic Posted April 19 (edited) On 4/17/2025 at 11:37 PM, LadyCrimson said: Could anyone tell me if this is a serious potential problem [...] e.g., I don't understand. The short answer is simply: yes, it is, and it has been known for a while. The longer answer is that there are actually two issues. The first one is that WinRing0 is a generic driver capable of working in Windows' Ring 0 (hence the name), i.e. it is a function library/SDK pretending to be a kernel-mode driver that allows regular applications access to hardware that would otherwise be restricted. The reason its use is so widespread is that it has an ages-old legacy signature from a less interconnected and more naive time, when security concerns and potential damages were not as great (and therefore not cared about as much) as they are now. If you were a small developer team it was actually a good way to talk directly to hardware without going through the expensive and, for many small teams, unfeasible process of having to develop your own driver and get it digitally signed so that modern Windows versions would install and run it. It's a bit like Doctor Who's psychic paper insofar as it lets software using it pretend to be trusted even if it maybe should not be.
If you want an (imperfect, but still, it is just meant to illustrate) analogy, imagine you have a house with a side entrance for trusted people and services (imagine that like an employee and delivery service entrance). In order to be allowed to use the side entrance, companies need to register as trusted service contractors. This more or less guarantees - not beyond the shadow of any doubt, as problems can always crop up - that these service contractors are not going to wreck your building. Signing up as a trusted contractor takes time and money and comes with significant bureaucratic hurdles. Smaller service contractors have a hard time applying for the permits, so WinRing0, a service contractor still registered as a trusted contractor with a registration from ages ago when the process was much simpler, basically gives out their access badge to anyone who asks them to. So, you give access to WinRing0 (by installing it on your lock system) and now every service contractor with a WinRing0 key can access your side entrance if they're invited to your estate. That would already be bad enough and explains why Hiyohiyo thinks WinRing0 shouldn't even exist. There should not be a service out there that provides trusted access to your side entrance for anyone who wants it. The whole reason your side entrance is locked and only trusted contractors are allowed in in the first place is to provide a measure of security that WinRing0 simply bypasses. It would be much better for the provider of your locking system to actually come up with a secure and easy way to handle applications for keys (i.e. Microsoft creating an API for RGB and fan controls).
Still, there's the other issue, and arguably the actual problem: the version of WinRing0's lock and key system used by most contractors is broken in a way that allows the keys to open not just the side entrance and the areas you want to give them access to, but simply everything in your real estate, including highly sensitive areas like your jewelry lockbox, safe and filing cabinets. Thanks to the exploits and the fact that WinRing0 has not been maintained for years upon years outside of having the digital signature renewed, it means that if you have the driver installed and a malicious piece of software like SteelFox finds its way onto your computer, it finds a readily and easily exploitable way to ASSUME DIRECT CONTROL over everything on your computer that potentially avoids every other security system you also have in place. It does have a key to your system, after all. On its own, having WinRing0 installed doesn't mean you can get hacked from the outside. You still need to buzz the maintenance guy in through your gates before he can just use his keys to steal your data, passwords and crypto wallets. SteelFox doesn't magically appear on your computer, but it was and is widely distributed in cracks for software, for instance. You still need to run malicious software on your computer - but thanks to WinRing0 it can do its job in a way that you - and especially your anti-virus software - might not find suspicious if it isn't already aware of the specific code used. Even if you only install software from trustworthy sources, you're not necessarily safe. There have been numerous occasions of compromised download servers and even Steam distributing malware through games. edit: your link provides a decent example, in some way. Gigabyte's mainboards used to come with an exploitable program that quietly installed itself on your Windows if it was enabled in BIOS/UEFI (which it was by default), which could have been used to install malware without you even noticing.
Pretty sure there are plenty of users with Gigabyte mainboards out there who don't even realize that they're sitting on a digital bomb. You can run driverquery from the command prompt (win + r, type in cmd, hit enter) to see if you have it installed. If so, you would need to find out which software installed it and remove it. There's some fun irony to be found in WinRing0's last version with a digital signature being one full of exploits as Hiyohiyo and others could not get signatures for maintained/fixed versions because Microsoft (understandably) made the process much harder to go through. It's the sort of thing that happens to Microsoft so often because the widespread use of their software means they need to carry an awful lot of legacy code and software with them. You're not going to sell your new version of Windows if it breaks everything your company needs to do its work, after all. Edited April 19 by majestic No mind to think. No will to break. No voice to cry suffering.
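A scripted version of the check described above, added here as an example and not part of any post in the thread. It assumes (as far as I know, but treat it as an assumption) that the bundled driver is normally shipped as WinRing0.sys or WinRing0x64.sys and registers a kernel service whose name starts with "WinRing0" (for example WinRing0_1_2_0); some products ship renamed copies, so the file and signature listing matters more than the service name. Run it in an elevated PowerShell window on Windows 10 or later:

```powershell
# Added example: locate a WinRing0 kernel driver on this machine.
# Assumption: driver file WinRing0*.sys and a kernel service named WinRing0* (e.g. WinRing0_1_2_0).
$namePattern = 'WinRing0'

# 1. Kernel services known to the Service Control Manager. This is the same data
#    "driverquery /v" prints, but as objects we can filter.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -match $namePattern -or $_.PathName -match $namePattern }

# 2. Driver files on disk. Vendors often drop the .sys next to their own
#    application rather than in System32\drivers, so search both.
$searchRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }
$files = Get-ChildItem -Path $searchRoots -Recurse -Filter 'WinRing0*.sys' -ErrorAction SilentlyContinue

if (-not $drivers -and -not $files) {
    Write-Output "No WinRing0 service or driver file found."
}

foreach ($d in $drivers) {
    [pscustomobject]@{
        Kind      = 'Service'
        Name      = $d.Name
        State     = $d.State        # 'Running' means the driver is loaded in the kernel right now
        StartMode = $d.StartMode    # 'Auto' means it comes back on every boot
        Path      = $d.PathName     # tells you which product's folder it lives in
    }
}

foreach ($f in $files) {
    # The signer and the hash let you tell a vendor's renamed copy from the stock binary
    # and look the file up in a malware database if you want to.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Kind   = 'File'
        Name   = $f.Name
        Path   = $f.FullName
        Signer = $sig.SignerCertificate.Subject
        Status = $sig.Status
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
    }
}

# Removal order matters: uninstall or update the application whose folder shows up in
# Path first, otherwise it will reinstall the service on next start. Only then, as admin:
#   sc.exe stop <ServiceName>
#   sc.exe delete <ServiceName>
```

A service that shows State = Running with a WinRing0 path is the case the post is warning about: the driver is loaded and any local program can open it. A file that exists on disk but has no registered service is inert until something installs it, so the service list is the part to act on.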
LadyCrimson (Author) Posted April 21 Well, of course nothing is 100% safe. The only way that would happen is by unplugging and never being part of internet anything again, including new appliances, phones, newer cars, TVs. Maybe become a hermit in the woods. There is a point, however, where one can only do as much as one can, and then it's just fate or luck. E.g., I have no backend control over Steam, or Amazon, or Netflix, or Obsidian forum software/servers, so I am not going to worry about that in any big fashion. You regularly back up anything you deem must-have and the rest is crossing your fingers. It's kind of like anti-virus software. I haven't used one for more than a day (every one I tried felt like utter bloat and/or nigh spyware and I stopped bothering years ago), outside of Windows Defender on Win10, and have had no issue for decades. That is partially my general lack of 'net activity/other cautions (like better firewalls hubby sets up re: attacks in that direction), and partially luck. I have never plugged a net cable into the OLED TV and never will, it will remain "dumb" until it dies, etc. I get a little confused with videos like the above, because it sounds like a big deal, and I'm sure technically it is, but outside of not installing a lot of RGB, fan control, or other monitoring software (which I don't, outside of EVGA's Precision) I am not sure how much I should worry about it vs. "what you can do." I suppose such videos are more of a call to action re: the industry, trying to foster change? Which, from the sound of it, should've been done a long time ago. It does sound like something to be more aware of when I build a new PC/brands/parts and their software. And of course I'll be curious what happens with RGB/monitoring abilities in the future etc. if they stop using this code.
Bartimaeus Posted April 21 My understanding is that it's like most vulnerabilities: a threat can use it for escalation, but it's not something where just because your computer has internet while also having this exploitable vulnerability, you're going to suddenly get hacked. The threat needs to already have a high level of access to your local system in order to exploit WinRing0 being present on it, so there are a few steps in between there. Fun fact: most ransomware doesn't even need admin privileges, much less the kernel-level access that WinRing0 gives. I'm a lot more worried about ransomware than I am about WinRing0 - this doesn't mean turning a blind eye to any threat WinRing0 might pose, but I think WinRing0 should be low on your list of worries relative to, like, starting random .exes that you really shouldn't trust. And anyways, it sounds like Microsoft is trying to forcibly phase out WinRing0 as it is, which means developers are going to have to come up with different solutions that should reduce the possible attack surface. "How I have existed fills me with horror. For I have failed in everything - spelling, arithmetic, riding, tennis, golf; dancing, singing, acting; wife, mistress, whore, friend. Even cooking. And I do not excuse myself with the usual escape of 'not trying'. I tried with all my heart. In my dreams, I am not crippled. In my dreams, I dance."