Attention gamers! Motherboard maker MSI admits to breach, issues “rogue firmware” alert

Credit to Author: Paul Ducklin| Date: Tue, 11 Apr 2023 16:58:48 +0000

If you’re a gamer or an avid squeezer of raw computing power, you’ve probably spent hours tweaking your motherboard settings to eke out every last drop of performance.

Over the years, you might even have tried out various unofficial firmware bodges and hacks to let you change settings that would otherwise be inaccessible, or to choose configuration combinations that aren’t usually allowed.

Just to be clear: we strongly advise against installing unknown, untrusted firmware BLOBs.

(BLOB is a jocular jargon term for firmware files that’s short for binary large object, meaning that it’s an all-in-one stew of code, tables of data, embedded files and images, and indeed anything needed by the firmware when it starts up.)

Loosely speaking, the firmware is a kind of low-level operating system in its own right that is responsible for getting your computer to the point at which it can boot into a regular operating system such as Windows, or one of the BSDs, or a Linux distro.

This means that booby-trapped firmware code, if you can be tricked into installing it, could be used to undermine the very security on which your subsequent operating system security relies.

Rogue firmware could, in theory, be used to spy on almost everything you do on your computer, acting as a super-low-level rootkit, the jargon term for malware that exists primarily to protect and hide other malware.

Rootkits generally aim to make higher-level malware difficult not only to remove, but even to detect in the first place.

The word rootkit comes from the old days of Unix hacking, before PCs themselves existed, let alone PC viruses and other malware. It referred to what was essentially a rogueware toolkit that a user with unauthorised sysadmin privileges, also known as root access, could install to evade detection. Rootkit components might include modified ls, ps and rm tools, for example (list files, list processes and remove files respectively), that deliberately suppressed mention of the intruder’s rogue software, and refused to delete it even if asked to do so. The name derives from the concept of “a software kit to help hackers and crackers maintain root access even after they’re being hunted down by the system’s real sysadmins”.

Digital signatures considered helpful

These days, rogue firmware downloads are generally easier to spot than they were in the past, given that they are usually digitally signed by the official vendor.

These digital signatures can either be verified by the existing firmware to prevent rogue updates being installed at all (depending on your motherboard and its current configuration), or verified on another computer to check that they have the imprimatur of the vendor.

Note that digital signatures give you a much stronger proof of legitimacy than download checksums such as SHA-256 file hashes that are published on a company’s download site.

A download checksum simply confirms that the raw content of the file you downloaded matches the copy on the site where the checksum was stored, thus providing a quick way of verifying that there were no network errors during the download.

If crooks hack the server to alter the file you are going to download, they can simply alter its listed checksum at the same time, and the two will match, because there is no cryptographic secret involved in calculating the checkum from the file.

Digital signatures, however, are tied to a so-called private key that the vendor can store separately from the website, and the digital signature is typically calculated and added to the file somewhere in the vendor’s own, supposedly secure, software build system.

That way, the signed file retains its signed digital label wherever it goes.

So, even if crooks manage to create a booby-trapped download server with a Trojanised download on it, they can’t create a digital signature that reliably identifies them as the vendor you’d expect to see as the creator and signer of the file.

Unless, of course, the crooks manage to steal the vendor’s private keys used for creating those digital signatures…

…which is a bit like getting hold of a medieval monarch’s signet ring, so you can press their official sign into the wax seals on totally fraudulent documents.

MSI’s dilemma

Well, fans of MSI motherboards should be doubly cautious of installing off-market firmware right now, apparently even if it apparently comes with a legitimate-looking MSI digital “seal of approval”.

The motherboard megacorp issued an official breach notification at the end of last week, admitting:

MSI recently suffered a cyberattack on part of its information systems. […] Currently, the affected systems have gradually resumed normal operations, with no significant impact on financial business.

Word on the street is that MSI was hit by a ransomware gang going by the in-your-face name of Money Message, who are apparently attempting to blackmail MSI by threatening, amongst other nastinesses, to expose stolen data such as:

MSI source code including framework to develop BIOS [sic], also we have private keys.

The implication seems to be that the criminals now have the wherewithal to build a firmware BLOB not only in the right format but also with the right digital signature embedded in it.

MSI has neither confirmed nor denied what was stolen, but is warning customers “to obtain firmware/BIOS updates only from [MSI’s] official website, and not to use files from sources other than the official website.”

What to do?

If the criminals are telling the truth, and they really do have the private keys they need to sign firmware BLOBs (MSI certainly has lots of different private keys for all sorts of different signing purposes, so even if the crooks have some private keys they might not have the right ones for approving firmware builds)…

…then going off-market is now doubly dangerous, because checking the digital signature of the downloaded file is no longer enough to confirm its origin.

Carefully sticking to MSI’s official site is safer, because the crooks would need not only the signing keys for the firmware file, but also access to the official site to replace the genuine download with their booby-trapped fake.

We’re hoping that MSI is taking extra care over who has access to its official download portal right now, and watching it more carefully than usual for unexpected changes…


http://feeds.feedburner.com/NakedSecurity

Leave a Reply