Podcast
Root Causes 302: Intel Secure Boot Private Key Leak
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
May 12, 2023
Resulting from a recent ransomware attack, a private key from Intel has been exposed, affecting hundreds of OEM components and an unknown number of end user products. We explain what happened and its possible implications.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanWe have a news item here. I am looking at an article from Security Online. That’s at securityonline.info, it’s May 6, 2023. The article’s by Do Son and it reads, Intel OEM Private Key Leak a Blow to UEFI Secure Boot Security. So, Jason, yes. Intel private security private key leak. What happened here?
Jason SorokoIt looks like in April of this past year, 2023, MSI, which is a motherboard maker - I’m just trying to remember my many years of making PCs, whether I used MSI. I think I did. Good company. Anyway, they apparently suffered a ransomware attack, and, asked to pay a fairly large ransom. Either it didn’t happen or - -Tim CallanFor a million dollars and they said no.Jason Soroko- - didn’t happen - - for a million dollars and so, result was it looks like the ransomware attackers leaked data that was captured as part of the attack. Part of that data happened to include a UEFI secure boot private key, which is bad news for anybody who happens to be using that UEFI secure boot technology.Tim CallanAnd now this is interesting because this is actually Intel’s private key that the OEM, MSI, was in possession of. Is that correct?Jason SorokoThat makes sense because typically, the secure boot technology, – Intel does make its own motherboards, but it quite often will supply firmware, software, all the things that are needed to make a motherboard work, especially because the heart of the motherboard will often be somebody’s EC chip. And in this case, it looks like it was related to Intel-based motherboard made by MSI; therefore, having secure boot technologies written by Intel. So.Tim CallanAnd so, there’s a suggestion in this story that “at least 166 MSI products” are going to be adversely affected by this.Jason SorokoThat’s a lot.Tim CallanThat’s a lot. That’s a big deal. So, like, what does this mean? What does this mean to the owners of those products? What does this mean to the company that sells those products? What are the implications of this?Jason SorokoSure. Why do you have secure boot on a motherboard anyway? It’s basically to ensure that when the operating system of the motherboard is starting up, which then, of course, triggers everything else to start running on a PC, including the user space whether it’s Windows or Linux or whatever operating system you happen to be using – the initial bootup of the motherboard itself, quite often same exact ID even an IoT devices, very small devices, it doesn’t have to be a PC – it can even be – think of your mobile devices, they also have their own secure boot sequences. And the secure boot is meant to protect the integrity and genuineness of the entire chain of events that happens after that. So, think about the internal boot within the motherboard, the secure boot is making sure that the sequence of that loading is using genuine software that was intended from the factory. So, before secure boot was common and believe me, it wasn’t common, and I still don’t think it is truly. I could be wrong, but even in 2023, I think a lot of people are running around with PCs that don’t have some kind of secure boot and back in the days before UEFI, there really was nothing at all. Some people could say otherwise, but my experience was that the secure boot was rare. And, Tim, there were so many talks at Black Hat and DFCON, and all your favorite security conferences about, various kinds of attacks that would occur at the boot sequence to put in malicious code very early on, so therefore, you were essentially running the bad guys’ software and then all the rest of the chain of events that would be occurring could be compromised. And that would include especially things such as, is your hard drive encrypted? Well, without secure boot protecting the boot sequence who knows what’s touching the hard drive and if it’s encrypted, not encrypted, etc.Tim CallanAnd at that point, the machine could be own and it could really be anything. So, let’s talk about like brass tacks consequences. And I know that neither of us works for Intel or MSI, and the information we have is very scarce, but, like, do these products need to be recalled? If you're using one of the products, are you fundamentally insecure?Jason SorokoWell, I think what happens, Tim, is it creates this chicken and egg problem of unknowns for the customer, and I think recalls are – as you said, we don’t work for these companies, so, I’m not the one having to build a plan for this. But I think what you would want to do is have customers of these motherboards, install a new secure boot. Basically, new firmware for your motherboard. The problem, of course, is do you know that you haven’t been compromised at the point that you installed the update.Tim CallanExactly. What is you’re already compromised; then, presumably a firmware update doesn’t necessarily fix anything cause if your machine is owned, it can just stay owned.Jason SorokoAnd if you’re owned at that level, at the motherboard boot level, then forget it.Tim CallanThrow it in the ocean?Jason SorokoThe ability to double-check, whether or not your motherboard has been compromised, of course, the motherboard is going to go, I’m good.Tim CallanYes. The motherboard’s going to say, I’m just fine. Everything’s great.Jason SorokoI’m just fine. And in fact, I happen to remember a talk at Black Hat that that’s exactly what the person did when they had taken away the encryption from the hard drive and were reading it and exfiltrating data – anytime that there even was a check at the level of is this encrypted, the firmware on the motherboard was simply saying, I’m good. At the time it was just standard motherboard BIOS before UEFI but it was just a, it was a comical thing on stage to watch the attacker prove that they could make the motherboard response, yes, and happy or, anything.
Tim CallanSure. You bet they could. And so obviously they can generate new private keys.And obviously, they can release new keys, and those new keys will not be compromised subsequent to this attack, but for anything that was already signed with the old key, you going to have this problem.
Jason SorokoYou’re going to have an unknown, and that’s kind of a scary thing. And it’s also as you can imagine not only is there 166 MSI products, and I’m assuming those products are motherboards – that’s a lot.Tim CallanYou’d think. I’d imagine.Jason SorokoBecause they probably build motherboards - -Tim CallanHow many units are there, and how many end product end to consumer product vendors are on that list. It could be many.Jason SorokoIt could be many. And I’ll tell you, if you’re a CIO, CSO and perhaps, you’ve done procurement for PCs within your enterprise and, you're checking serial numbers and, you’ve just rolled out over the last year or two, serial numbers that are related to this leak, man, that would give me some heartburn, I gotta admit.Tim CallanSure, and bomber for Intel, who did nothing wrong, but they still wind up taking in in the teeth on this one. And then the other interesting thing here, of course, is the amount of data that supposedly was exfiltrated - again, I’m just going by this article - is 1.5 terabytes of data, and there’s an implication that nowhere near 1.5 terabytes of data has been leaked, which suggests that there could be other equally compromising things, including other private keys that are still owned by the ransomware group, and they just haven’t been put out, and they might come out later.Jason SorokoYes. Yes. It’s true. And, Tim, I’m just reading a little bit further into this. Leaked private keys affect Intel’s 11th, 12th and 13th generation of processors and were distributed to OEMs including Intel itself, Lenovo, and Supermicro. Those are big guys. Those are big players.Tim CallanThose are big guys. Well, alright. Well, ok. That’s not actually the brand of my laptop, so hopefully, I’m not affected, cause that’s one of the things I was wondering.But it says “and include, including,” so there may be other brands on that list as well, um, and maybe they just didn’t all get mentioned. So, gosh, this just seems like a terrible mess.
Jason SorokoIt’s bad. The reason we bring it up on this podcast is because quite often, people will, – if you are unfamiliar with the importance of private keys and certificates with respect to Code Signing, the implications for secure boot, all the way to the more common use case such as authentication, e-mail encryption, the tools that we talk about and the reasons why we use them - I think we talked a lot more in the days of IoT about things like secure boot. But secure boot now is absolutely part of PCs and my goodness, this key compromise like this is just bad news. And the people I really feel for the most are the people who are trying their best with endpoint security because it just doesn’t matter what you install, because if somebody’s hosed your machine because of this leak, my goodness.Tim CallanThis is going to make so many people have a bad day.Jason SorokoIt really is. So, haven’t seen a list yet or where you could go to get listings of serial numbers or model numbers that you should be concerned about. But, if you’re a CISO or CIO out there, or a risk officer, check it out and, if you're on the list, at least, you have something now to add to your list to worry about.Tim CallanRight, cause you didn’t have enough things to worry about, so here’s another thing. Sorry. Um, anyways, when these high-profile problems with keys occur, we always like to talk about them and what could have been done about it. In this case, I don’t know what could have been done about it, except, not get compromised, but that’s a constant battle that everybody’s always had.Jason SorokoBut on the other hand, I think, it does come down to if you have consumer-grade products and you’ve got code or you’ve got some other places where you have private keys lying around, you gotta do a review about your risks surface there. And, you're obviously gonna have code that might be breached. There are all kinds of things that maybe if you're compromised, it’s just gonna get out there, but it's not the end of the world. I would say for heaven sakes, please folks who are creating these kinds of IoT devices, motherboards, etc., you’ve gotta store away those private keys in a better place. It may not be completely possible to totally, totally secure these things, but I know in the business of authentication certificates and other things we really try to protect those assets behind places that - at least the level of work is not just, it’s not just the simplest breach that would obtain these things - the bad guy really has to work for it hopefully.Tim CallanSo have a considered viewpoint on keys and HSMs and, secure containment of those in a way that is going to minimize the risk of this kind of thing occurring. I think that is good advice.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
