Intel is investigating reports that BootGuard private keys were leaked online following MSI's ransomware attack last month.
Intel BootGuard is a hardware-based technology that prevents the computer from running firmware images not released by the system manufacturer. When turned on, the processor verifies a signature contained in the firmware image before executing it, using the hash of the public half of the signing key, which is fused into the system’s Platform Controller Hub (PCH) by the system manufacturer (not by Intel).
In April, Taiwanese hardware manufacturer Micro-Star International (MSI) disclosed a cyberattack impacting some of its systems and urged users to obtain firmware/BIOS updates only from its official website.
The company’s alert was published after reports emerged that the Money Message ransomware group listed the hardware giant on their data leak website, claiming to have stolen roughly 1.5TB worth of documents from MSI's network. The gang threatened to leak the allegedly stolen data if the company refuses to pay a $4 million ransom.
As proof of the alleged theft the group posted screenshots of what was described as MSI’s Enterprise Resource Planning (ERP) databases and files containing software source code, private keys, and BIOS firmware.
Data from MSI’s breach was apparently leaked last week, according to security vendor Binarly.
“Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel BootGuard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake,” the company tweeted.
The BootGuard keys from MSI are said to affect several device manufacturers, including Intel, Lenovo and Supermicro. Binarly shared a list of MSI products and other software signing keys compromised by the incident.
An Intel’s spokesperson said that the company is aware of reports of the leak and is actively investigating, adding that “Intel BootGuard OEM keys are generated by the system manufacturer, and these are not Intel signing keys.”
The leak poses a significant cybersecurity risk, as threat actors can use these keys to bypass the BootGuard technology and gain full system access, steal sensitive data, and perform other illicit activities unnoticed. However, the experts say that the bigger problem here is that the public signing keys are believed to be built into Intel hardware and there’s no easy way of revoking the keys, or generating new private-public key pairs for existing machines.
