Intel is investigating the leak of alleged personal keys utilized by the Intel Boot Guard safety characteristic, doubtlessly impacting its potential to dam the set up of malicious UEFI firmware on MSI gadgets.
In March, the Cash Message extortion gang attacked pc {hardware} make MSI, claiming to have stolen 1.5TB of knowledge through the assault, together with firmware, supply code, and databases.
As first reported by BleepingComputer, the ransomware gang demanded a $4,000,000 ransom and, after not being paid, started leaking the info for MSI on their knowledge leak website.
Final week, the menace actors started leaking MSI’s stolen knowledge, together with the supply code for firmware utilized by the corporate’s motherboards.
Supply: BleepingComputer
Intel Boot Guard impacted by assault
On Friday, Alex Matrosov, the CEO of firmware provide chain safety platform Binarly, warned that the leaked supply code incorporates the picture signing personal keys for 57 MSI merchandise and Intel Boot Guard personal keys for 116 MSI merchandise.
“Intel is conscious of those stories and actively investigating. There have been researcher claims that personal signing keys are included within the knowledge together with MSI OEM Signing Keys for Intel® BootGuard,” Intel advised BleepingComputer in response to our questions concerning the leak.
“It must be famous that Intel BootGuard OEM keys are generated by the system producer, and these aren’t Intel signing keys.”
Matrosov stated that this leak could have precipitated Intel Boot Guard to not be efficient on MSI gadgets utilizing “eleventh Tiger Lake, twelfth Adler Lake, and thirteenth Raptor Lake” CPUs.
“We have now proof the entire Intel ecosystem is impacted by this MSI knowledge breach. It is a direct menace to MSI prospects and sadly not solely to them,” Matrosov advised BleepingComputer Friday afternoon.
“The signing keys for fw picture permit an attacker to craft malicious firmware updates and it may be delivered by way of a standard bios replace course of with MSI replace instruments.”
“The Intel Boot Guard keys leak impacts the entire ecosystem (not solely MSI) and makes this safety characteristic ineffective.”
Intel Boot Guard is a safety characteristic constructed into trendy Intel {hardware} designed to forestall the loading of malicious firmware, often called UEFI bootkits. It’s a essential characteristic used to satisfy Home windows UEFI Safe Boot necessities.
It’s because malicious firmware masses earlier than the working system, permitting it to cover its actions from the kernel and safety software program, persist even after an working system is reinstalled, and assist set up malware on compromised gadgets.
To guard in opposition to malicious firmware, Intel Boot Guard will confirm if a firmware picture is signed utilizing a professional personal signing key utilizing an embedded public key constructed into the Intel {hardware}.
If the firmware could be verified as legitimately signed, Intel Boot Guard will permit it to be loaded on the system. Nonetheless, if the signature fails, the firmware is not going to be allowed to load.
Supply: Binarly
The largest drawback with this leak is that the general public keys used to confirm firmware signed utilizing the leaked keys are believed to be constructed into Intel {hardware}. In the event that they can’t be modified, the safety characteristic is now not reliable on gadgets utilizing these leaked keys.
“The Manifest (KM) and Boot Coverage Manifest (BPM) personal keys have been discovered within the leaked MSI supply code. These keys are used for Boot Guard know-how which supplies firmware picture verification with a {hardware} Root of Belief,” warns Binarly in an advisory shared on Twitter.
“The hash OEM Root RSA public key from the KM supervisor is programmed into chipset’s Discipline Programmable (FPFs). The primary objective of the KM is to retailer the hash of an RSA public key from the BPM which in flip incorporates the data on the Boot Coverage, Preliminary Boot Block (IBB) description and it is hash.”
“The leaked personal elements of the talked about keys permits a possible attacker to signal the modified firmware for this system, so it could cross Intel Boot Guard’s verification making this know-how fully ineffective.”
Whereas these keys is not going to possible be useful to most menace actors, some expert attackers have beforehand used malicious firmware in assaults, comparable to CosmicStrand and BlackLotus UEFI malware.
“Now the characteristic could be compromised and attackers can craft malicious firmware updates on impacted gadgets with out concern about Intel Boot Guard,” Matrosov stated in a ultimate warning shared with BleepingComputer
Binarly has launched an inventory of impacted MSI {hardware}, comprising 116 MSI gadgets reportedly compromised by the leaked Intel Boot Guard keys.
BleepingComputer has additionally contacted MSI and Intel with additional questions, however a response was not instantly out there.
Replace 5/8/23: Added assertion from Intel