
fatfingerd ◴[] No.35846058[source]
The most alarming part of the article is that we are only really getting a revocation of these keys because they didn't pay a ransom and the ransomers were apparently too stupid to sell them secretly instead of releasing them to the public.

As far as we know, if MSI had paid, no one would know that Intel shipped shared private keys to multiple vendors who could then lose them like drunken monkeys.

People ask why these weren't on HSMs. The article seems to claim that they weren't even able to generate the most important ones in the correct locations, let alone on HSMs with non-extractable settings.

hduebdivd ◴[] No.35850848[source]
Knowing the ransom is important for the window on how incompetent Intel was... but paying a ransom for a secret is extra dumb. Glad they didn't and announced.
1. fatfingerd ◴[] No.35851223[source]
AFAIK MSI didn't announce, the hackers leaked the keys themselves as a public service. For all we know MSI was still hoping to reach a lower ransom amount and then never disclose that the keys were most likely sold in the exploit market.

I think we have to assume Intel was willing to put together a broken system with total incompetents. I think the US is better off with foreign chips watched closely than Intel watched poorly.