April 13, 2024

If you happen to’re a gamer or an avid squeezer of uncooked computing energy, you’ve most likely spent hours tweaking your motherboard settings to eke out each final drop of efficiency.

Over time, you would possibly even have tried out varied unofficial firmware bodges and hacks to allow you to change settings that will in any other case be inaccessible, or to decide on configuration combos that aren’t often allowed.

Simply to be clear: we strongly advise towards putting in unknown, untrusted firmware BLOBs.

(BLOB is a jocular jargon time period for firmware information that’s quick for binary giant object, which means that it’s an all-in-one stew of code, tables of knowledge, embedded information and pictures, and certainly something wanted by the firmware when it begins up.)

Loosely talking, the firmware is a form of low-level working system in its personal proper that’s chargeable for getting your laptop to the purpose at which it could boot into a daily working system akin to Home windows, or one of many BSDs, or a Linux distro.

Which means booby-trapped firmware code, in case you might be tricked into putting in it, may very well be used to undermine the very safety on which your subsequent working system safety depends.

Rogue firmware might, in idea, be used to spy on nearly every part you do in your laptop, performing as a super-low-level rootkit, the jargon time period for malware that exists primarily to guard and conceal different malware.

Rootkits usually purpose to make higher-level malware tough not solely to take away, however even to detect within the first place.

The phrase rootkit comes from the outdated days of Unix hacking, earlier than PCs themselves existed, not to mention PC viruses and different malware. It referred to what was primarily a rogueware toolkit {that a} consumer with unauthorised sysadmin privileges, also called root entry, might set up to evade detection. Rootkit parts would possibly embrace modified ls, ps and rm instruments, for instance (checklist information, checklist processes and take away information respectively), that intentionally suppressed point out of the intruder’s rogue software program, and refused to delete it even when requested to take action. The title derives from the idea of “a software program package to assist hackers and crackers preserve root entry even after they’re being hunted down by the system’s actual sysadmins”.

Digital signatures thought of useful

Today, rogue firmware downloads are usually simpler to identify than they had been up to now, provided that they’re often digitally signed by the official vendor.

These digital signatures can both be verified by the prevailing firmware to stop rogue updates being put in in any respect (relying in your motherboard and its present configuration), or verified on one other laptop to verify that they’ve the imprimatur of the seller.

Notice that digital signatures provide you with a a lot stronger proof of legitimacy than obtain checksums akin to SHA-256 file hashes which are revealed on an organization’s obtain website.

A obtain checksum merely confirms that the uncooked content material of the file you downloaded matches the copy on the location the place the checksum was saved, thus offering a fast means of verifying that there have been no community errors in the course of the obtain.

If crooks hack the server to change the file you will obtain, they’ll merely alter its listed checksum on the identical time, and the 2 will match, as a result of there isn’t any cryptographic secret concerned in calculating the checkum from the file.

Digital signatures, nonetheless, are tied to a so-called personal key that the seller can retailer individually from the web site, and the digital signature is often calculated and added to the file someplace within the vendor’s personal, supposedly safe, software program construct system.

That means, the signed file retains its signed digital label wherever it goes.

So, even when crooks handle to create a booby-trapped obtain server with a Trojanised obtain on it, they’ll’t create a digital signature that reliably identifies them as the seller you’d anticipate to see because the creator and signer of the file.

Except, after all, the crooks handle to steal the seller’s personal keys used for creating these digital signatures…

…which is a bit like getting maintain of a medieval monarch’s signet ring, so you’ll be able to press their official signal into the wax seals on completely fraudulent paperwork.

MSI’s dilemma

Nicely, followers of MSI motherboards must be doubly cautious of putting in off-market firmware proper now, apparently even when it apparently comes with a legitimate-looking MSI digital “seal of approval”.

The motherboard megacorp issued an official breach notification on the finish of final week, admitting:

MSI just lately suffered a cyberattack on a part of its data techniques. […] At the moment, the affected techniques have progressively resumed regular operations, with no vital impression on monetary enterprise.

Phrase on the road is that MSI was hit by a ransomware gang going by the in-your-face title of Cash Message, who’re apparently trying to blackmail MSI by threatening, amongst different nastinesses, to show stolen information akin to:

MSI supply code together with framework to develop BIOS [sic], additionally we’ve personal keys.

Declare made by Cash Message blackmail gang on its darkweb “information” server.

The implication appears to be that the criminals now have the wherewithal to construct a firmware BLOB not solely in the proper format but additionally with the proper digital signature embedded in it.

MSI has neither confirmed nor denied what was stolen, however is warning clients “to acquire firmware/BIOS updates solely from [MSI’s] official web site, and to not use information from sources aside from the official web site.”

What to do?

If the criminals are telling the reality, and so they actually do have the personal keys they should signal firmware BLOBs (MSI definitely has a lot of totally different personal keys for all types of various signing functions, so even when the crooks have some personal keys they won’t have the proper ones for approving firmware builds)…

…then going off-market is now doubly harmful, as a result of checking the digital signature of the downloaded file is not sufficient to verify its origin.

Rigorously sticking to MSI’s official website is safer, as a result of the crooks would wish not solely the signing keys for the firmware file, but additionally entry to the official website to switch the real obtain with their booby-trapped faux.

We’re hoping that MSI is taking further care over who has entry to its official obtain portal proper now, and watching it extra rigorously than regular for sudden modifications…