April’s MSI hack led to the distribution of Intel Boot Guard keys on the dark web. The leak allows malicious actors to create UEFI/BIOS firmware that gets past a key security layer on countless PCs.

A ransomware attack led to the loss of 1.5 terabytes of data at MSI in April, which the attackers said included source code. The Taiwanese PC components manufacturer refused to transfer $4 million (3.6 million euros) to a ransomware gang calling itself “Money Message.” MSI advised users after the attack to only download UEFI/BIOS updates from the official website. Not without reason: it has become clear that Intel Boot Guard keys were also stolen in the hack.

Intel Boot Guard keys act as a “signature” for legitimate MSI firmware. They serve to ensure that the boot procedure of an Intel system is secure and that malware cannot tamper with the UEFI/BIOS firmware. Bypassing this gives an attacker far more access than merely taking over a Windows system: with tampered firmware, for example, it would be much easier to get at protected data. Alex Matrosov, CEO of security firm Binarly, states that 116 MSI products use the leaked Intel Boot Guard keys. However, the damage could potentially be more extensive.

Boot Guard, Secure Boot

It is not possible to eliminate this problem even if every potentially vulnerable device is patched. The reason is that the Intel keys are “burned” into the ACM hardware on the motherboard, so they cannot be replaced. Products from manufacturers other than MSI can also be compromised, as they may use the same keys.
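To make concrete what the two paragraphs above describe, here is an added example in Go that is not part of the original article and does not use Intel's real Boot Guard formats (which rely on RSA key manifests and boot-policy manifests). It models the same structure with Ed25519: the hardware fuses hold only a hash of the vendor's public key, the firmware image carries that key plus a signature over the payload, and the boot-time check can only confirm that the signer held the vendor key, never whether that key has leaked. The `Fuses`, `FirmwareImage`, `VerifyAtBoot` and `VerifyWithRevocation` names, and the sample payloads, are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a simplified stand-in for a signed UEFI/BIOS update:
// the payload, the vendor public key it claims to be signed with, and the
// signature over the payload. (Constructed model, not Intel's real format.)
type FirmwareImage struct {
	Payload   []byte
	VendorKey ed25519.PublicKey
	Signature []byte
}

// Fuses models the one-time-programmable hardware root of trust: it stores a
// hash of the vendor's public key, not the key itself, and cannot be rewritten.
type Fuses struct {
	VendorKeyHash [32]byte
}

var (
	ErrKeyNotFused    = errors.New("vendor key hash does not match fused hash")
	ErrBadSignature   = errors.New("firmware signature invalid")
	ErrKeyCompromised = errors.New("firmware signed with a key on the revocation list")
)

// SignFirmware produces an image the way a vendor's build pipeline would.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{
		Payload:   payload,
		VendorKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload),
	}
}

// VerifyAtBoot is all the hardware root of trust can check: is the key in the
// image the one whose hash was fused, and does the signature verify under it?
// It has no way of knowing whether the private half of that key has leaked.
func VerifyAtBoot(f Fuses, img FirmwareImage) error {
	if sha256.Sum256(img.VendorKey) != f.VendorKeyHash {
		return ErrKeyNotFused
	}
	if !ed25519.Verify(img.VendorKey, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyWithRevocation is the extra check a software updater can add after a
// leak: because the fuses cannot be changed, the remaining lever is to refuse
// images signed by keys known to be compromised. The revocation list here is
// a constructed placeholder; the article names no key hashes.
func VerifyWithRevocation(f Fuses, revoked [][32]byte, img FirmwareImage) error {
	if err := VerifyAtBoot(f, img); err != nil {
		return err
	}
	h := sha256.Sum256(img.VendorKey)
	for _, r := range revoked {
		if h == r {
			return ErrKeyCompromised
		}
	}
	return nil
}

// Scenario fuses a fresh vendor key and walks through the cases the article
// describes, returning the verification outcome of each.
func Scenario() (legit, tampered, foreignKey, leakedAtBoot, leakedWithRevocation error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	fuses := Fuses{VendorKeyHash: sha256.Sum256(vendorPub)}

	good := SignFirmware(vendorPriv, []byte("vendor firmware v1.0"))
	legit = VerifyAtBoot(fuses, good)

	// Payload modified after signing: the signature no longer matches.
	flipped := good
	flipped.Payload = bytes.Replace(good.Payload, []byte("v1.0"), []byte("v1.1"), 1)
	tampered = VerifyAtBoot(fuses, flipped)

	// A signer without the vendor key: its key hash is not in the fuses.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreignKey = VerifyAtBoot(fuses, SignFirmware(otherPriv, []byte("unexpected firmware")))

	// After a leak: the genuine vendor key signs an arbitrary payload, and the
	// hardware check passes because the fuses only know the key, not its holder.
	leaked := SignFirmware(vendorPriv, []byte("unexpected firmware"))
	leakedAtBoot = VerifyAtBoot(fuses, leaked)

	// Software-side mitigation: treat the leaked key's hash as revoked.
	revoked := [][32]byte{sha256.Sum256(vendorPub)}
	leakedWithRevocation = VerifyWithRevocation(fuses, revoked, leaked)
	return
}

func main() {
	a, b, c, d, e := Scenario()
	fmt.Println("legit:", a, "| tampered:", b, "| foreign key:", c)
	fmt.Println("leaked key at boot:", d, "| leaked key with revocation:", e)
}
```

The fourth case is the whole point of the article: an image signed with the leaked vendor key passes the hardware check exactly as a genuine update would. The revocation check in the last case only protects the software update path (an updater or OS tool that refuses to flash such an image); it does nothing against firmware written to the chip by other means, which is why the fused key hash cannot be "patched" away.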

UEFI/BIOS security received wider public attention with the launch of Windows 11. Those who wanted to upgrade to the latest Microsoft operating system had to enable Secure Boot. In this way, the tech giant wanted to guarantee that only permitted binaries could run on Windows systems. This security measure is separate from Intel Boot Guard. However, Secure Boot keys have already leaked as well: in 2016, Microsoft accidentally published a Secure Boot “golden key” policy that could never be fully patched, since various backups and devices depend on these policies.

The ransomware hack at MSI also raises questions of its own: how could such sensitive information ever be stolen?

What is secure?

So what is secure? We can at least state that hardware-based keys will always be susceptible to a leak, no matter how well secured, and there is as yet no way to correct this security measure on the fly when vulnerabilities appear. A hardware-based lock seems extremely secure, but in practice it cannot be considered permanently reliable unless almost no one has access to the keys. Thus, a security key of this kind can only function as additional support, not as the ultimate solution for UEFI/BIOS security.

So the advice for users is obvious: don’t install untrusted firmware. Yet cybercriminals have proven time and again that unwary victims can be found. There will always be people who can be persuaded to install malware on their system. Still, the bar is somewhat higher with UEFI/BIOS firmware: most users will perform such an update only in very specific cases. The aforementioned upgrade to Windows 11 could be a reason, or fixing, for example, the failing USB ports that occasionally affected earlier AMD Ryzen chips.

MSI and Intel have not yet responded to the leak of the Boot Guard keys. According to security researcher Mark Ermolov, all of Intel’s CSME security mechanisms may have been affected by the leak, rendering Intel Boot Guard ineffective as a security measure for 11th-, 12th- and 13th-generation Intel processors.