Leak of Intel Boot Guard Keys Could Have Security Repercussions for Years

While Intel is still investigating the incident, the security industry is bracing itself for years of potential firmware insecurity if the keys indeed were exposed.

The potential leak from MSI Gaming of signing keys for an important security feature in Intel-based firmware could cast a shadow on firmware security for years to come and leave devices that use the keys
highly vulnerable
to cyberattacks, security experts say.
Intel is still actively investigating an alleged leak of Intel Boot Guard private keys for 116 MSI products, the company told Dark Reading. The investigation comes after a claim by Alex Matrosov, CEO of firmware supply chain security platform Binarly, that leaked source code from a
March 2023 cyberattack on MSI
includes this data, as well as image-signing private keys for 57 MSI products.
Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel BootGuard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake processors,
he tweeted
.
The alleged leak comes about a month after an emerging ransomware gang tracked as Money Message
hit Taiwan-based MSI
with a double extortion ransomware attack, claiming to have stolen 1.5TB of data during the attack, including firmware, source code, and databases.
When the $4 million ransom the group demanded was not paid, the attackers began posting data stolen in the attack on their leak site. Last week, MSIs stolen data—including source code for firmware used by the companys motherboards—turned up on that site.
Intel Boot Guard is a
hardware-based security technology
aimed to protect computers against executing tampered-with, non-genuine Unified Extensible Firmware Interface (UEFI) firmware, which could happen in case a possible attacker has bypassed protection against modification of BIOS, Binarly efiXplorer Team explained in
a blog post
published last November.
That post came in response to an
October leak of UEFI BIOS of Alder Lake
, Intels code name for its latest processor, as well as the key pairs required by Boot Guard during provisioning stage.
If threat actors get hold of the MSI-related Intel Boot Guard signing keys, they potentially could load
vulnerable firmware
onto affected devices—which include MSI motherboards—that appear to be signed by the vendor and thus legitimate.
Moreover, the BIOS runs even before a devices OS, which means the vulnerable code is present at the most basic device level and thus difficult to patch or defend against, complicating the scenario even further, notes one security expert.
Due to the nature of how these keys are embedded and used, the usual advice of installing security patches may not be possible, Darren Guccione, CEO and co-founder of cybersecurity software firm
Keeper Security
, said in an email to Dark Reading.
To remedy the issue, security teams potentially would have to implement non-standard controls to monitor for breaches if malware starts using these keys, he notes. Without a simple security solution, this could be a damaging attack vector in the long term, Guccione says.
Future Firmware Woes
Indeed, the long term is what worries security experts about the leak. They say its likely threat actors would pounce on the availability of the Intel Boot Guard signing keys, presenting a major firmware security problem for years to come.
Stealing signing keys, especially for something that can only be updated in firmware (which means few people will do it), usually entails a long tail of incidents years after the disclosure, warned John Bambenek, principal threat hunter at
Netenrich
, a security and operations analytics SaaS firm
.
His comment brings up a good point: the inherent vulnerability of outdated device firmware, which often gets overlooked in patching cycles and thus, if vulnerable, represents a large and dangerous attack surface, notes Matt Mullins, senior security researcher at Cybrary.
Considering that most people do not apply patches to UEFI or firmware in general, the individuals impacted will probably not know to patch these devices appropriately, he says. The access provided to malicious actors in regard to this is in some ways worse than getting a SYSTEM or root shell.
This is because with access to the signing keys, system protections like driver signatures or detections of malicious activity at kernel level or below will in essence be null and void because the malicious bootkit can load prior/below that, Mullins says.
By loading below that, it can hijack or bypass important process associated with device integrity (such as I/O operations) and effectively render itself permanent without the appropriate flash and reload of firmware, he says.
While the situation may seem dire, one security expert tried to quell fears that have surfaced over news of the leak by noting that the overall threat to affected MSI devices is relatively low because of the steps a threat actor would need to go through to exploit the keys.
As a contrast, consider IoT/OT devices which often lack digital signatures for firmware and exist at a massively higher scale than MSI devices, says Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene.
That said, there are ways to mitigate or defend against any risks from the incident, experts say.
A good start is to ensure you have a trusted process for all digital assets including IoT/OT, Broomhead says. Meanwhile, using other forms of protection, such as monitoring and network access control, should help to prevent exploitation of the leaked keys from cause a much larger exploitation, he adds.
The latest leak also should serve as a reminder to organizations that firmware and other private keys should be kept separate from code as much as possible to mitigate the risk of theft, Bambenek notes.
Other mitigations that organizations can take to defend against firmware attacks include the obvious application of patches, while often overlooked, is primarily the best defense against this potential future attack, Mullins says.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Leak of Intel Boot Guard Keys Could Have Security Repercussions for Years