MSI’s firmware, Intel Boot Guard private keys leaked

The cybercriminals who breached Taiwanese multinational MSI last month have apparently leaked the company’s private code signing keys on their dark web site.


The breach

MSI (Micro-Star International) is a corporation that develops and sells computers (laptops, desktops, all-in-one PCs, servers, etc.) and computer hardware (motherboards, graphics cards, PC peripherals, etc.).

The company confirmed in early April that it had been hacked. A ransomware group called Money Message claimed responsibility for the breach, said they grabbed (among other things) some of the company’s source code, and asked for $4 million to return/delete it.

In the wake of the breach, the company urged “users to obtain firmware/BIOS updates only from its official website, and not to use files from sources other than the official website.”

Private keys for signing MSI firmware leaked

The Money Message group now says that MSI decided not to pay the asked-for ransom, so they started releasing the stolen data.

Binarly, a cybersecurity company specializing in firmware supply chain security, has analyzed the leaked source code and found private code signing keys for firmware images used on 57 MSI products, and private signing keys for Intel Boot Guard used on 116 MSI products.

What does that mean, exactly?

Obviously, given MSI’s previous warning to customers about getting firmware/BIOS updates only from its official website, the company is worried that attackers could compile malicious updates and sign them with the stolen keys. But attackers could also sign other malicious payloads with them, effectively foiling antivirus solutions.

Leaked Intel OEM private Key Manifest (KM) and Boot Policy Manifest (BPM) keys could be used to sign malicious firmware images so they could pass Intel Boot Guard’s verification. (Intel Boot Guard prevents the computer from running firmware/UEFI images not signed with the original equipment manufacturer’s digital signature. The corresponding public key is fused into the system’s chipset by the manufacturer.)
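
A simplified model of the verification chain described above, as an added example that is not from the original article or from Intel or MSI. It assumes textbook RSA with small constructed keys and a hash of the OEM public key as the fused value, and every function and key name in it is hypothetical.

```python
import hashlib

E = 65537  # RSA public exponent

def keygen(p, q):  # toy RSA: returns (modulus, private exponent)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def sha(data):
    return hashlib.sha256(data).digest()

def pub_hash(n):  # fingerprint of a public key (its modulus)
    return sha(n.to_bytes(32, "big"))

def digest_int(body, n):
    return int.from_bytes(sha(body), "big") % n

def sign(body, key):  # manifest = body + signer's public key + signature
    n, d = key
    return {"body": body, "pub": n, "sig": pow(digest_int(body, n), d, n)}

def sig_ok(m):
    return pow(m["sig"], E, m["pub"]) == digest_int(m["body"], m["pub"])

def build_image(km_key, bpm_key, ibb):
    # KM authorises the BPM key; BPM pins the hash of the initial boot block
    return sign(pub_hash(bpm_key[0]), km_key), sign(sha(ibb), bpm_key)

def boot_guard_check(fused, km, bpm, ibb):
    # Returns "pass" or the first step of the chain that fails.
    if pub_hash(km["pub"]) != fused:
        return "KM key does not match fused hash"
    if not sig_ok(km):
        return "bad KM signature"
    if pub_hash(bpm["pub"]) != km["body"]:
        return "BPM key not authorised by KM"
    if not sig_ok(bpm):
        return "bad BPM signature"
    if sha(ibb) != bpm["body"]:
        return "firmware does not match BPM digest"
    return "pass"

# Constructed keys built from Mersenne primes (far too small for real use).
OEM_KM = keygen(2**127 - 1, 2**89 - 1)
OEM_BPM = keygen(2**107 - 1, 2**61 - 1)
OTHER = keygen(2**127 - 1, 2**61 - 1)   # a key the platform was never fused for
FUSED = pub_hash(OEM_KM[0])             # written once at manufacturing
```

In this model, manifests built with `OTHER` fail at the fused-hash comparison, while any firmware whose manifests are built with `OEM_KM` and `OEM_BPM` returns `"pass"`, because the check only proves possession of the private keys.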

MSI has still not officially commented on the findings.

UPDATE (May 9, 2023, 04:50 a.m. ET):

Intel has stated it is actively investigating these reports.

In the meantime, Binarly pointed out that one of the leaked keys “has been detected on devices from HP, Lenovo, AOPEN, CompuLab, and Star Labs.”
