MSI 被駭客攻擊後, 英特爾調查洩漏的英特爾 Boot Guard 私鑰

Intel is investigating hackers’ claims that they have stolen MSI’s private keys used by the Intel Boot Guard. The fact is that such a leak may affect the ability to block malicious UEFI versions on MSI devices.

As it became known in early April 2023, the extortionate group Money Message announced that the Taiwanese manufacturer MSI (Micro-Star International) had been hacked. According to media reports, extortionists stole approximately 1.5 TB of data from the company and demanded a ransom of $4,000,000.

The attackers wrote that they had at their disposal “the MSI source code, including the BIOS development framework”, as well as “private keys that allow you to sign any custom module of this BIOS and install it on a PC with this BIOS.”

Let me remind you that we also wrote that Secure Boot Is Not Working on MSI Motherboards for over a Year. Also the media wrote that Fake MSI Afterburner Infects Users’ Machines with Miners and Stealers.

As Bleeping Computer now reports, the hackers did not receive a ransom from the company and began to publish stolen information in the public domain, including the source code for the firmware used by MSI motherboards.

Late last week, Binarly CEO Alex Matrosov warned that the leak contained image signing private keys 為了 57 MSI products and Intel Boot Guard private keys for 116 MSI products.

Matrosov explains that such a leak could result in Intel Boot Guard not working on MSI devices using Tiger Lake, Adler Lake, and Raptor Lake processors. Additionally, MSI’s Boot Guard keys appear to be affecting several device manufacturers, including Intel, Lenovo, 和 Supermicro.

We have evidence that the MSI data breach affected the entire Intel ecosystem. This is a direct threat to MSI customers and, unfortunately, not only to them. Signing keys for fw images allows attackers to create malicious firmware updates that can be delivered using the normal BIOS update process and MSI update tools. Leaking Intel Boot Guard keys affects the entire ecosystem (not just MSI) and renders this protective feature useless.the expert says.

The protective function Intel Boot Guard, built into modern Intel hardware, is designed to prevent the loading of malicious firmware, that is, UEFI bootkits, and is one of the main requirements of Windows UEFI Secure Boot.

The fact is that malicious firmware is loaded before the OS is loaded, which allows it to hide its activity from security software and remain present on the device even after reinstalling the operating system. To protect against this, Intel Boot Guard verifies that the firmware image is signed with a legitimate private signing key using the public key built into the Intel hardware.

The worst thing about the leak is that the public keys used to verify firmware signed with the now compromised keys are embedded in the Intel hardware. If they cannot be changed, Intel Boot Guard protection can no longer be relied upon.

Intel representatives told the media that they are aware of these expert warnings, and the company is already conducting its own investigation.

Researchers claim that the leaked data includes private keys, including MSI OEM signing keys for Intel® BootGuard. It should be noted that Intel BootGuard OEM keys are generated by the system manufacturer and are not Intel Signing Keys.say in the company

Supermicro representatives say they have also looked into the potential risks associated with this leak, and the company is confident that its products are not affected.

Binarly analysts have already published a list of affected MSI hardware, which includes 116 devices compromised as a result of leaked Intel Boot Guard keys.