Apr 07, 2023
Boot Guard Keys From MSI Hack Posted, Endangering PCs. (Update: Intel Responds)
It looks like MSI didn't pay the ransom, so its files are being shared on the dark web.
Files purloined during the substantial MSI hack last month have started to proliferate around the dark web. One of the more worrying things spotted among the digital loot is an Intel OEM private key. MSI would have used this to sign its firmware/BIOS updates to pass Intel Boot Guard verification checks. Now hackers can use the key to sign malicious BIOS, firmware and apps, which will look entirely like official MSI releases.
Update (5/8/2023): Intel has now issued a statement, noting that the keys are generated by the OEM (MSI), not Intel itself.
"Intel is aware of these reports and actively investigating. There have been researcher claims that private signing keys are included in the data including MSI OEM Signing Keys for Intel® BootGuard. It should be noted that Intel BootGuard OEM keys are generated by the system manufacturer, and these are not Intel signing keys."
In the wake of being hacked last month, MSI began to urge customers to source firmware/BIOS updates exclusively from its official website. The well-known PCs, components and peripherals firm was being extorted by a ransomware group called Money Message. Apparently the extortionists had swiped 1.5TB of data, including various source code files, private keys, and tools to develop firmware. Reports said that Money Message was asking for over four million dollars to return the entirety of the data to MSI. Over a month has passed, and it looks like MSI hasn't paid up. Therefore, we are now seeing the fallout.
Intel Boot Guard ensures that PCs can only run verified apps before boot. In a white paper about 'below-the-OS security' (PDF), Intel talks with some pride about its BIOS Guard, Boot Guard, and Firmware Guard technologies. Boot Guard is a "key element of hardware-based boot integrity that meets the Microsoft Windows requirements for UEFI Secure Boot." Sadly, it is no longer going to be a useful 'guard' for a wide range of MSI systems.
Tweets published by Binarly (a supply chain security platform) and its founder, Alex Matrosov, neatly spell out the dangers presented by this leak of Boot Guard keys and other data in the MSI haul. A GitHub page linked by Binarly lists the 57 MSI PC systems which have had firmware keys leaked, and the 166 systems which have had Intel Boot Guard BPM/KM keys leaked.
If you care to look through the lists of affected machines, you will see all the familiar MSI series, such as Sword, Stealth, Creator, Prestige, Modern, Cyborg, Raider, and Titan. Owners of these systems with Intel Core 11th Gen Tiger Lake CPUs or newer will have to strictly adhere to MSI-site-only updates.
In addition to the Boot Guard worries, it is possible that hackers will try and phish users into heading to a fake MSI site or downloading fake MSI apps. These apps can now be signed and will appear to genuinely be from MSI, so could execute without triggering your AV.
This leak has certainly made a mess, and it isn't clear whether the leaked keys can be revoked, or what the next steps from parties involved will be. At the time of writing we haven't seen any official reaction from MSI or Intel regarding the files which are now going public. Please avoid checking the stolen files on the dark web or other sources, as they might now be laced with malware.
Mark Tyson is a Freelance News Writer at Tom's Hardware US. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.