Article 6BN93 Leak of MSI UEFI signing keys stokes fears of “doomsday” supply chain attack

Leak of MSI UEFI signing keys stokes fears of “doomsday” supply chain attack

by
Dan Goodin
from Ars Technica - All content on (#6BN93)
grub2-boot-worm-update-800x450.jpg

Enlarge (credit: Aurich Lawson)

A ransomware intrusion on hardware manufacturer Micro-Star International, better known as MSI, is stoking concerns of devastating supply chain attacks that could inject malicious updates that have been signed with company signing keys that are trusted by a huge base of end-user devices, a researcher said.

It's kind of like a doomsday scenario where it's very hard to update the devices simultaneously, and they stay for a while not up to date and will use the old key for authentication," Alex Matrosov, CEO, head of research, and founder of security firm Binarly, said in an interview. It's very hard to solve, and I don't think MSI has any backup solution to actually block the leaked keys."

Leaked key + no revocation = recipe for disaster

The intrusion came to light in April when, as first reported by Bleeping Computer, the extortion portal of the Money Message ransomware group listed MSI as a new victim and published screenshots purporting to show folders containing private encryption keys, source code, and other data. A day later, MSI issued a terse advisory saying that it had suffered a cyberattack on part of its information systems." The advisory urged customers to get updates from the MSI website only. It made no mention of leaked keys.

Read 17 remaining paragraphs | Comments

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments