In the event you’re a gamer or an avid squeezer of uncooked computing energy, you’ve in all probability spent hours tweaking your motherboard settings to eke out each final drop of efficiency.
Through the years, you may even have tried out numerous unofficial firmware bodges and hacks to allow you to change settings that may in any other case be inaccessible, or to decide on configuration mixtures that aren’t normally allowed.
Simply to be clear: we strongly advise towards putting in unknown, untrusted firmware BLOBs.
(BLOB is a jocular jargon time period for firmware recordsdata that’s brief for binary massive objectthat means that it’s an all-in-one stew of code, tables of information, embedded recordsdata and pictures, and certainly something wanted by the firmware when it begins up.)
Loosely talking, the firmware is a form of low-level working system in its personal proper that’s liable for getting your pc to the purpose at which it could possibly boot into an everyday working system resembling Home windows, or one of many BSDs, or a Linux distro.
Because of this booby-trapped firmware code, if you happen to may be tricked into putting in it, could possibly be used to undermine the very safety on which your subsequent working system safety depends.
Rogue firmware may, in principle, be used to spy on virtually the whole lot you do in your pc, appearing as a super-low-level rootkitthe jargon time period for malware that exists primarily to guard and conceal different malware.
Rootkits typically intention to make higher-level malware tough not solely to take away, however even to detect within the first place.
The phrase rootkit comes from the previous days of Unix hacking, earlier than PCs themselves existed, not to mention PC viruses and different malware. It referred to what was basically a rogueware toolkit that customers with unauthorised sysadmin privileges, often known as root entrymay set up to evade detection. Rootkit parts typically contains modified ls, ps and rm system instructions, for instance (record recordsdata, record processes and take away recordsdata respectively), that intentionally suppressed point out of the intruder’s rogue software program, and refused to delete it even when requested to take action. The identify derives from the idea of “a software program package to assist hackers and crackers preserve root entry even after they’re being hunted down by the system’s actual sysadmins”.
Digital signatures thought-about useful
Today, rogue firmware downloads are typically simpler to identify than they had been prior to now, provided that they’re normally digitally signed by the official vendor.
These digital signatures can both be verified by the prevailing firmware to forestall rogue updates being put in in any respect (relying in your motherboard and its present configuration), or verified on one other pc to verify that they’ve the imprimatur of the seller.
Be aware that digital signatures provide you with a a lot stronger proof of legitimacy than obtain checksums resembling SHA-256 file hashes which can be revealed on an organization’s obtain web site.
A obtain checksum merely confirms that the uncooked content material of the file you downloaded matches the copy of the file on the positioning, thus offering a fast manner of verifying that there have been no community errors in the course of the obtain.
If crooks hack the server to change the file you will obtain, they’ll merely alter its listed checksum on the similar time, and the 2 will match, as a result of there isn’t any cryptographic secret concerned in calculating the checksum from the file.
Digital signatures, nevertheless, are tied to a so-called non-public key that the seller can retailer individually from the web site, and the digital signature is usually calculated and added to the file someplace within the vendor’s personal, supposedly safe, software program construct system.
That manner, the signed file retains its signed digital label wherever it goes.
So, even when crooks handle to create a booby-trapped obtain file, they’ll’t create a digital signature that reliably identifies them as the seller you’d count on to see because the creator the file.
Except, in fact, the crooks handle to steal the seller’s non-public keys used for creating these digital signatures…
…which is a bit like getting maintain of a medieval monarch’s signet ring, so you possibly can imprint their private mark into the wax seals on completely fraudulent paperwork.
MSI’s dilemma
Properly, followers of MSI motherboards must be doubly cautious of putting in off-market firmware proper now, apparently even when it apparently comes with a legitimate-looking MSI digital “seal of approval”.
The motherboard megacorp issued an official breach notification on the finish of final week, admitting:
MSI not too long ago suffered a cyberattack on a part of its info programs. […] Presently, the affected programs have regularly resumed regular operations, with no vital influence on monetary enterprise.
Phrase on the road is that MSI was hit by a ransomware gang going by the in-your-face identify of Cash Message, who’re apparently making an attempt to blackmail MSI by threatening, amongst different nastinesses, to show stolen knowledge resembling:
MSI supply code together with framework to develop BIOS [sic]additionally we’ve non-public keys.
The implication appears to be that the criminals now have the wherewithal to construct a firmware BLOB not solely in the suitable format but in addition with the suitable digital signature embedded in it.
MSI has neither confirmed nor denied what was stolen, however is warning prospects “to acquire firmware/BIOS updates solely from [MSI’s] official web site, and to not use recordsdata from sources apart from the official web site.”
What to do?
If the criminals are telling the reality, they usually actually do have the non-public keys they should signal firmware BLOBs…
…then going off-market is now doubly harmful, as a result of checking the digital signature of the downloaded file is now not sufficient to verify its origin.
Rigorously sticking to MSI’s official web site is safer, as a result of the crooks would want not solely the signing keys for the firmware file, but in addition a login to the official web site to exchange the real obtain with their booby-trapped pretend.
We’re hoping that MSI is taking additional care over who has entry to its official obtain portal proper now, and watching it extra rigorously than standard for sudden adjustments…
