{"id":21144,"date":"2023-05-30T18:30:12","date_gmt":"2023-05-30T14:30:12","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/msi-firmware-keys-leak\/21144\/"},"modified":"2023-05-30T18:30:12","modified_gmt":"2023-05-30T14:30:12","slug":"msi-firmware-keys-leak","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/msi-firmware-keys-leak\/21144\/","title":{"rendered":"MSI leak: tips for users, organizations, and developers"},"content":{"rendered":"

What could be worse than a ransomware attack on your company? Only an incident that hits your company\u2019s clients, I guess. Well, that\u2019s exactly what happened to MSI \u2014 the large Taiwanese manufacturer of laptops, video adapters and motherboards. In the beginning of April, word got out that the company was attacked by a new ransomware gang called Money Message<\/a>; a while later the extorters published a portion of the stolen information<\/a> on the darknet; then, in May, researchers discovered the most disturbing aspect to the leak \u2014 that private firmware-signing keys and Intel Boot Guard keys<\/a> had been make public. MSI went public<\/a> regarding the leak, but presented very little information \u2014 even omitting the subject of keys completely. Here, we try to give you a bit more context\u2026<\/p>\n

Boot Guard keys, and how they protect your computer<\/h2>\n

Even before its operating system boots up, your computer performs many preparatory operations upon instructions from a motherboard chip. In the past, the mechanism was called BIOS<\/a>, until it was replaced by the expandable UEFI<\/a> architecture. UEFI code is stored in the firmware, but extra modules can be loaded from a special hard-drive partition. Next, UEFI boots up the operating system itself. If UEFI is maliciously modified, the operating system, user apps and all security systems will start up under the control of the malicious code. The attackers will be able to circumvent all further layers of defense, including BitLocker, Secure Boot and the OS-level security systems, such as anti-viruses and EDR.<\/p>\n

Referred to as BIOS-level implants (sometimes also \u201chardware bootkits<\/a>\u201c), such threats are very hard to detect \u2014 and even harder to get rid of: you can\u2019t purge your PC of them even by replacing your hard drive with a brand new one.<\/p>\n

Computer and OS vendors have developed a variety of safeguards to make it as difficult as possible for threat actors to devise such dangerous threats. First, to update firmware and make additions to UEFI one needs an app signed by the vendor: Intel BIOS Guard doesn\u2019t allow updating UEFI from untrusted apps or using unsigned firmware. Second, there\u2019s a hardware verification mechanism called Boot Guard. The technology checks the signature of the opening part of UEFI (IBB \u2014 Initial Boot Block) and aborts the computer boot if the firmware has been tampered with. Boot Guard\u2019s cryptographic keys used to verify these protection mechanisms are stored in a special write-once memory, meaning they can\u2019t be deleted or rewritten (in turn meaning they can\u2019t be falsified or replaced), while at the same time they can\u2019t be revoked if compromised!<\/p>\n

What\u2019s so dangerous about an MSI key leak?<\/h2>\n

A firmware-signing keys leak may allow threat actors to create update utilities and rogue firmware capable of successfully passing verifications with the potential to update microprograms on MSI motherboards. Such keys can be revoked, so after a while (actually, we\u2019re talking months if not years!) the problem will become irrelevant \u2014 if legitimate updates are applied in a secure way. The situation is much worse with Boot Guard keys, since these can\u2019t be revoked. Moreover, according to Binarly, these keys can be used even in some products manufactured by vendors other than<\/a> MSI. This disrupts the secure-boot trust chain for all products relying on these keys, leaving device owners with no other option but to ramp up third-party protective measures and keep using them that way until the products cease being used.<\/p>\n

Tips for MSI device users<\/h2>\n

First off, check if your computers are endangered. If you have an MSI computer or laptop, the threat is there, but even computers from other vendors may have MSI motherboards. Here\u2019s how you can check this:<\/p>\n