Boot Guard Keys From MSI Hack Posted, Endangering PCs. (Update: Intel Responds)

Intel Boot Guard keys leaked
(Image credit: MSI)

Files purloined during the substantial MSI hack last month have started to proliferate around the dark web. One of the more worrying things spotted among the digital loot is an Intel OEM private key. MSI would have used this to sign its firmware/BIOS updates to pass Intel Boot Guard verification checks. Now hackers can use the key to sign malicious BIOS, firmware and apps, which will look entirely like official MSI releases.

Update (5/8/2023): Intel has now issued a statement, nothing that the keys are generated by the OEM (MSI) not Intel itself.

“Intel is aware of these reports and actively investigating. There have been researcher claims that private signing keys are included in the data including MSI OEM Signing Keys for Intel® BootGuard. It should be noted that Intel BootGuard OEM keys are generated by the system manufacturer, and these are not Intel signing keys.”

In the wake of being hacked last month, MSI began to urge customers to source firmware/BIOS updates exclusively from its official website. The well known PCs, components and peripherals firm was being extorted by a ransomware group called Money Message. Apparently the extortionists had swiped 1.5TB of data, including various source code files, private keys, and tools to develop firmware. Reports said that Money Message were asking for over four million dollars, to return the entirety of the data back to MSI. Over a month has passed, and it looks like MSI hasn't paid up. Therefore, we are now seeing the fallout.

Intel Boot Guard ensures that PCs only can run verified apps before boot. In a white paper about 'below-the-OS-security (PDF), Intel talks with some pride about its BIOS Guard, Boot Guard, and Firmware Guard technologies. Boot Guard is a "key element of hardware-based boot integrity that meets the Microsoft Windows requirements for UEFI Secure Boot." Sadly, it is not longer going to be a useful 'guard' for a wide range of MSI systems.

Intel Boot Guard, part of Intel Hardware Shield (Image credit: Intel)

Tweets published by Binarly (a supply chain security platform) and its founder Alex Matrosov, neatly spell out the dangers presented by this leak of Boot Guard keys and other data in the MSI haul. A GitHub page linked by Binarly lists the 57 MSI PC systems which have had firmware keys leaked, and the 166 systems which have had Intel Boot Guard BPM/KM keys leaked.

If you care to look through the lists of affected machines, you will see all the familiar MSI series, such as Sword, Stealth, Creator, Prestige, Modern, Cyborg, Raider, Titan. Owners of these systems with Intel Core 11th Gen Tiger Lake CPUs or newer will have to strictly adhere to MSI-site only updates.

In addition to the Boot Guard worries, it is possible that hackers will try and phish users into heading to a fake MSI site or downloading fake MSI apps. These apps can now be signed and will appear to genuinely be from MSI, so could execute without triggering your AV.

This leak has certainly made a mess, and it isn't clear whether the leaked keys can be revoked, or what the next steps from parties involved will be. At the time of writing we haven't seen any official reaction from MSI or Intel regarding the files which are now going public. Please avoid checking the stolen files on the dark web or other sources, as they might now be laced with malware. 

Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

  • punkncat
    Is Afterburner going to have issues as a result of this breach?

    For instance, if you had already installed it, you can or cannot trust the auto-updates it wants to do from time to time?
    Reply
  • TechieTwo
    This is why hackers should go to prison for 50 years, be fined millions and lose all personal and business assets to repay those impacted by their hack.
    Reply
  • hotaru251
    punkncat said:
    Is Afterburner going to have issues as a result of this breach?
    most likely not when gotten from official site. Only risk if they can hack update server (which likely isnt gonna be easy as if they knew was risk they'd change up security)

    personally happy im running amd build not intel (so this wont effect me mainly)
    Reply
  • gregss
    Can't the keys which have been leaked be revoked?
    Reply
  • jonathan1683
    gregss said:
    Can't the keys which have been leaked be revoked?
    I was wondering the same, but it might be read only for security. I think if it was possible they would have already done it before the announcement of the breach.
    Reply
  • Alvar "Miles" Udell
    The real problem will be that since laptops are far less likely to receive BIOS updates than desktops, mostly because they're one off things, how many affected machines will never be updated to blacklist the affected keys, assuming they can be anyway? It's always possible their sites are hacked and malware programs inserted in them, like what happened with CCleaner, and even more reasonable that their forums and others are seeded with so called "beta updates" and such from imposters using the stolen keys to install malware.
    Reply
  • derekullo
    TechieTwo said:
    This is why hackers should go to prison for 50 years, be fined millions and lose all personal and business assets to repay those impacted by their hack.
    Hard to repay millions when you are locked in prison for 50 years.
    Reply
  • Kamen Rider Blade
    TechieTwo said:
    This is why hackers should go to prison for 50 years, be fined millions and lose all personal and business assets to repay those impacted by their hack.
    Life in Prison w/o parole options, strip them of all their financial & personal/business assets, be up for "Death Penalty" 'ASAP'.
    Reply
  • digitalgriffin
    Why why why do major companies NOT keep the keys to the company on air gapped systems? Why?!?

    Now they will have to invoke an update invalidating the old keys.

    But what's worse is if a virus gets past av software, it can generate and implant it's own bios and prevent future updates to fix corruption.

    Dumbasses
    Reply
  • digitalgriffin
    gregss said:
    Can't the keys which have been leaked be revoked?
    Yes. But it requires a bios update to do that. 99% of people don't.
    Reply