MSI Breach Leaks Intel BootGuard & OEM Image Signing Keys, Compromises Security of Over 200 Devices & Major Vendors

erek

Breached

“According to Alex Matrosov, the CEO of BINARLY, the leak is confirmed to include Intel's private keys for OEM devices. Furthermore, the BootGuard may not be as effective on devices based on 11th-Gen Tiger Lake, 12th-Gen Alder Lake, and 13th-Gen Raptor Lake platforms. The leak also affects all OEM signing-based mechanisms within CSME (Converged Security and Management Engine) as stated by Alex. Intel and its partners who are affected by this leak have to to comment on how they plan on tackling this major security flaw that's occurred through this breach.”

Source: https://wccftech.com/msi-breach-lea...s-security-of-over-200-devices-major-vendors/
 
I am surprised that this type of information does not reside on air-gapped systems, as they are designed to prevent data breaches by isolating sensitive information from the internet and other connected devices. While user error and malicious insiders cannot be entirely eliminated, air-gapping systems certainly minimize the risk of such scenarios occurring.
 
> I am surprised that this type of information does not reside on air-gapped systems, as they are designed to prevent data breaches by isolating sensitive information from the internet and other connected devices. While user error and malicious insiders cannot be entirely eliminated, air-gapping systems certainly minimize the risk of such scenarios occurring.

They are supposed to be, as well as encrypted using a credential set separate from the main one used for the organization. MSI seems to be just that much more incompetent than anybody gave them credit for.
 
> I am surprised that this type of information does not reside on air-gapped systems, as they are designed to prevent data breaches by isolating sensitive information from the internet and other connected devices. While user error and malicious insiders cannot be entirely eliminated, air-gapping systems certainly minimize the risk of such scenarios occurring.

Not if the people responsible have air-gapped ears
 
Spectacular bungling, thanks for the heads up.
> I am surprised that this type of information does not reside on air-gapped systems, as they are designed to prevent data breaches by isolating sensitive information from the internet and other connected devices. While user error and malicious insiders cannot be entirely eliminated, air-gapping systems certainly minimize the risk of such scenarios occurring.
>
> They are supposed to be, as well as encrypted using a credential set separate from the main one used for the organization. MSI seems to be just that much more incompetent than anybody gave them credit for.
>
> Not if the people responsible have air-gapped ears

With all the breaches I couldn't even tell if this was news or old
 

Intel Deploys Undisclosed Microcode Security Update For CPUs Going Back To Coffee Lake


https://www.tomshardware.com/news/intel-microcode-security-update

Doubtful if that microcode update addresses this key leak. Intel CPU microcode updates are loaded into the CPU during the boot process, usually by BIOS software or the operating system. But this key is used to sign firmware images, so if you're signing malicious firmware, you would leave out the CPU microcode updates that revoke the key you use, and it will be much too late when the OS tries to update microcode. (Edit: switch from 'cpu firmware' to 'microcode update' so I'm using the best words)
 
> Doubtful if that firmware update addresses this key leak. Intel CPU firmware is loaded into the CPU during the boot process, usually by BIOS software or the operating system. But this key is used to sign firmware images, so if you're signing malicious firmware, you would leave out the CPU firmware updates that revoke the key you use, and it will be much too late when the OS tries to update firmware

Oh, hmm 🤔 🧐
 
> They are supposed to be, as well as encrypted using a credential set separate from the main one used for the organization. MSI seems to be just that much more incompetent than anybody gave them credit for.

This level of incompetency is something where Intel should revoke MSI's ability to make Intel-based mobos until they clean their act up, as they have just caused major potential damage to the entire Intel user base. Hit 'em where it hurts, in their bottom line.
 
> This level of incompetency is something where Intel should revoke MSI's ability to make Intel-based mobos until they clean their act up, as they have just caused major potential damage to the entire Intel user base. Hit 'em where it hurts, in their bottom line.

It’s too late, MSI doesn’t even know which keys were compromised because the bad people wiped the database on the way out. Intel's only option would be to revoke all keys they have ever assigned MSI. Which would screw over anybody with an MSI board.
 
> This level of incompetency is something where Intel should revoke MSI's ability to make Intel-based mobos until they clean their act up, as they have just caused major potential damage to the entire Intel user base. Hit 'em where it hurts, in their bottom line.

Why the hell is Intel using the same security keys for all OEMs? They should all have their own keys so that when shit like this happens, only the breached company's brand is affected.
 
> Why the hell is Intel using the same security keys for all OEMs? They should all have their own keys so that when shit like this happens, only the breached company's brand is affected.

It is just MSI, Intel knows which keys MSI has and they are different from Asus, or ASRock. But MSI made OEM boards for Dell, HP, and Lenovo too so MSI doesn’t know which keys were compromised and no longer knows where the keys were used. It’s a massive shit show.
 
I read the article on Ars about this, and I have to admit I don't understand the attack vector here at all.

They keep harping on update injection, but since when do hardware manufacturers ever push updates to systems?

The only thing they provide are drivers and firmware on their website that you go and download manually if you need them?

I mean, some manufacturers have update software you can install on your machine, but who the hell installs that crap? It's just bloat, that is potentially also spyware.
 
> I read the article on Ars about this, and I have to admit I don't understand the attack vector here at all.
>
> They keep harping on update injection, but since when do hardware manufacturers ever push updates to systems?
>
> The only thing they provide are drivers and firmware on their website that you go and download manually if you need them?
>
> I mean, some manufacturers have update software you can install on your machine, but who the hell installs that crap? It's just bloat, that is potentially also spyware.

It would be a 3-pronged attack, and not a terribly simple one at that.
The significance of it though is pretty massive, because once a trust chain is broken, working to re-secure it is harder than not, so it is a race for them to clean the mess before somebody can expand or simplify the attack vector.
The compromised security keys would let the bad actor "verify" the file so a user on install would not get this prompt.
1688331320753.png

Additionally, MSI, Gigabyte, ASUS, and the rest all install a background updater on Windows install. It's part of the firmware driver; that updater makes their file updates available in the optional updates section of Windows Update.
An attacker using the compromised keys could publish a compromised driver or generic service file and flag it as an update, then using a DNS redirection attack make it seem like there was a service or driver update for the MSI system, and that update would pass the Windows verification check and then present itself to the user in the optional section of the Windows Update page and, because the key checks out, would proceed to install it with no warnings.

Not exactly a simple attack, but the fact it does exist at all is a big problem.
 