
Low-level motherboard security keys leaked in MSI breach, claim researchers – Naked Security

A few weeks ago, major motherboard manufacturer MSI announced that it had suffered a cyberattack on part of its information systems. The company stated that the affected systems had gradually resumed normal operations, with no significant impact on financial business. However, the company urged users to obtain firmware/BIOS updates only from its official website, and not to use files from other sources. The announcement came two days after a cyberextortion gang, Money Message, claimed to have stolen MSI source code, BIOS development tools, and private keys. The criminals were in countdown mode, claiming they would “publish stolen data when timer expires,” which they did on 2023-04-07.

Researchers at vulnerability research company Binarly claim to have got hold of the data stolen in the breach and to have searched through it for embedded cryptographic keys. They have extracted numerous signing keys from the data in their possession, including 1 Intel OEM key, 27 image signing keys, and 4 Intel Boot Guard keys. These leaked keys apparently control run-time verification of firmware code for different MSI motherboards.

Modern Intel-based motherboards can be protected by multiple layers of cryptographic safety. First comes BIOS Guard, which only allows code that’s signed with a manufacturer-specified cryptographic key to get write access to the flash memory used to store the Initial Boot Block (IBB). The IBB is where the first component of the motherboard vendor’s startup code lives. Subverting it would give an attacker control over an infected computer not only at a level below any operating system that later loads, but also below the level of any firmware utilities installed in the official EFI disk partition, potentially even if that partition is protected by the firmware’s own Secure Boot digital signature system.

After BIOS Guard comes Boot Guard, which verifies the code that’s loaded from the IBB. The public keys that Boot Guard relies on are burned in, so if the private keys that correspond to these safe-until-the-end-of-the-universe public keys are ever compromised, the burned-in public keys can never be updated.

A debug-level OEM key provides a motherboard vendor with a way to take control over the firmware as it’s booting up. Intel’s documentation lists three debugging levels. Green denotes debug access allowed to anyone, which isn’t supposed to expose any low-level secrets or to allow the bootup process to be modified. Orange denotes full read-write debugging access allowed to someone who has the corresponding vendor’s private key. Red denotes the same as orange, but refers to a master private key belonging to Intel that can unlock any vendor’s motherboard. Binarly claims the crooks have now leaked an Orange Mode key that can enable low-level boot-time debugging on 11 different motherboards supplied by HP, Lenovo, Star Labs, AOPEN and CompuLab.

Binarly’s claims suggest that with a firmware signing key and a Boot Guard signing key, an attacker might be able to trick you and your firmware updating tools into installing what looks like a genuine firmware update in the first place, and also to trick a motherboard that’s been hardware-locked via Boot Guard protection into allowing that rogue firmware to load, even if the update patches the Initial Boot Block itself.

Being able to boot up a stolen computer in firmware debugging mode could allow an attacker to run or implant rogue code, extract secrets, or otherwise manipulate the low-level startup process to leave a victim’s computer in an untrusted, unsafe, and insecure state.

In other words, you could end up not just with a rootkit but with a bootkit. A rootkit is code that manipulates the operating system kernel to prevent the operating system from detecting, reporting, or preventing certain types of malware later on. A bootkit takes that approach further still, so that the low-level backdoor gets loaded as early and as undetectably as possible in the firmware bootstrap process, perhaps even before the computer examines and reads anything from the hard disk at all.
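The Boot Guard check described above, reduced to a simplified model (an added example, not code from the original article or from Intel, MSI or Binarly): it shows why an image re-signed with a leaked private key is still accepted, and why a board cannot be moved to a replacement key. Assumptions: the burned-in value is modelled as a hash of the vendor public key, signing is toy textbook RSA over small constructed primes, and all function names and sample images are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook RSA key pair from two primes (constructed, not real-strength)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest_int(data, n):
    """SHA-256 of the image, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, image):
    n, d = private
    return pow(digest_int(image, n), d, n)

def key_hash(public):
    """Assumed model of the burned-in value: a hash of the vendor public key."""
    return hashlib.sha256(f"{public[0]}:{public[1]}".encode()).hexdigest()

def boot_guard_verify(fused_hash, public, image, signature):
    """Accept only if the key matches the burned-in hash and the signature
    over the Initial Boot Block verifies under that key."""
    if key_hash(public) != fused_hash:
        return False
    n, e = public
    return pow(signature, e, n) == digest_int(image, n)

def demo():
    old_pub, old_priv = make_key(2**127 - 1, 2**89 - 1)  # original vendor key
    new_pub, new_priv = make_key(2**107 - 1, 2**61 - 1)  # key issued after a leak
    fused = key_hash(old_pub)  # written once at manufacture, never rewritten
    genuine = b"IBB release build (constructed sample)"
    modified = b"IBB altered build (constructed sample)"
    sig = sign(old_priv, genuine)
    return {
        # Normal boot: vendor key, vendor signature.
        "genuine": boot_guard_verify(fused, old_pub, genuine, sig),
        # Tampering without the private key is caught.
        "modified_old_signature": boot_guard_verify(fused, old_pub, modified, sig),
        # With the private key, the check cannot tell the difference.
        "modified_resigned_with_leaked_key": boot_guard_verify(
            fused, old_pub, modified, sign(old_priv, modified)),
        # Rotation fails: the new key does not match the burned-in hash.
        "genuine_signed_with_replacement_key": boot_guard_verify(
            fused, new_pub, genuine, sign(new_priv, genuine)),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The last case is the defender's problem in miniature: because the trust anchor cannot be rewritten, affected boards keep accepting anything the old key signs, so any mitigation has to come from outside the Boot Guard check itself.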
