More than 300 models of MSI motherboards have Secure Boot turned off. Are you affected?


Secure Boot is an industry standard for ensuring that Windows devices don’t load untrusted firmware or malware during the startup process. Turning it on, as you should in most cases and as Microsoft requires by default, protects you. But if you are using one of the more than 300 models of motherboards made by the manufacturer MSI within the past 18 months, you may not be protected.

Introduced in 2011, Secure Boot creates a chain of trust between the hardware and the software or firmware that powers the device. Prior to Secure Boot, devices used software known as BIOS, stored on a small chip, to instruct them how to boot and to recognize and operate hard drives, CPUs, memory, and other hardware. When that initialization was finished, the BIOS handed control to the bootloader, which starts the tasks and processes that load Windows.

The problem was: the BIOS would load whatever bootloader was in the appropriate directory. This allowed hackers with brief access to a device to install rogue bootloaders, which would, in turn, run malicious firmware or Windows images.

When Secure Boot fails

About a decade ago, BIOS was replaced by UEFI (Unified Extensible Firmware Interface), which is a small operating system in its own right and can refuse to load system drivers or bootloaders that are not digitally signed by a trusted manufacturer.

UEFI relies on databases of both trusted and revoked signatures that OEMs load into the motherboard’s non-volatile memory at manufacturing time. The signature databases list the signers and the cryptographic hashes of each authorized bootloader or UEFI application, and checking images against them is what establishes the chain of trust. This chain ensures that the device runs only known and trusted code. If code that is not in the trusted database is about to be loaded, Secure Boot stops the startup process.
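To see concretely what those databases hold, here is an added example (not code from the original article) that parses the raw EFI_SIGNATURE_LIST format used by the db and dbx variables and lists every trusted signer certificate and image hash. The GUID constants come from the UEFI specification; the efivarfs path is the Linux convention; the sample db blob is constructed inline. One caveat the article makes clear: on an affected MSI board an intact db proves nothing, because an Image Execution Policy of “Always Execute” makes the firmware skip this check entirely.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification; db and dbx live under IMAGE_SECURITY_DB_GUID.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
IMAGE_SECURITY_DB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)

def parse_signature_lists(blob):
    """Walk raw db/dbx contents: concatenated EFI_SIGNATURE_LIST structures, each a
    header followed by EFI_SIGNATURE_DATA entries (16-byte owner GUID + payload).
    Returns [(type_name, owner_guid, payload_bytes), ...]."""
    entries, off = [], 0
    while off < len(blob):
        if off + HEADER_LEN > len(blob):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        sigs_start, sigs_end = off + HEADER_LEN + hdr_size, off + list_size
        if (sig_size < 16 or sigs_start > sigs_end or sigs_end > len(blob)
                or (sigs_end - sigs_start) % sig_size):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        for s in range(sigs_start, sigs_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[s:s + 16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner,
                            blob[s + 16:s + sig_size]))
        off = sigs_end  # advance to the next list; sigs_start > sigs_end check prevents a stall
    return entries

def read_efivar(name, guid=IMAGE_SECURITY_DB_GUID):
    """Read a variable via Linux efivarfs; the first 4 bytes are attribute flags, not data."""
    with open(f"/sys/firmware/efi/efivars/{name}-{guid}", "rb") as f:
        return f.read()[4:]

def build_signature_list(sig_type, owner, payloads):
    """Constructed-sample helper: serialise one EFI_SIGNATURE_LIST with no SignatureHeader."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body

# Constructed sample db: two SHA-256 image hashes plus one placeholder certificate entry.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])
             + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"placeholder-der-cert"]))

if __name__ == "__main__":
    for kind, owner, payload in parse_signature_lists(SAMPLE_DB):
        print(kind, owner, payload.hex() if kind == "sha256" else f"{len(payload)}-byte cert")
```

On a real Linux machine, replace SAMPLE_DB with read_efivar("db") or read_efivar("dbx") to audit what the firmware actually trusts or revokes.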

Recently, a researcher discovered that more than 300 motherboard models made by Taiwan-based MSI do not, by default, enforce Secure Boot and allow any bootloader to run. The models support a wide range of hardware and firmware, including many Intel and AMD platforms (full list is here). The deficiency was introduced sometime in the third quarter of 2021. The researcher stumbled on the issue while trying to digitally sign various components of his own system.

“On 12-11-2022, I decided to set up Secure Boot on my new desktop with the help of sbctl,” Dawid Potocki, a Polish-born researcher now living in New Zealand, wrote. “Unfortunately, I discovered that my firmware…accepts every OS image I give it, regardless of whether it is trusted or not. This wasn’t the first time I self-signed Secure Boot, and I didn’t do it wrong.”

Potocki said he found no indication that motherboards from manufacturers ASRock, Asus, Biostar, EVGA, Gigabyte, and NZXT had the same deficiency.

The researcher went on to report that the broken Secure Boot was the result of MSI inexplicably changing its default settings. Users who want Secure Boot to actually enforce anything, which should be everyone, must change the settings on the affected motherboard. To do this, press and hold the Del key on your keyboard while the device is booting. From there, select the menu labeled Security\Secure Boot, or something to that effect, and then open the Image Execution Policy submenu. If the motherboard is affected, both Removable Media and Fixed Media are set to “Always Execute”.


To fix the problem, change “Always Execute” for these two classes to “Deny Execute”.

In a Reddit post published on Thursday, an MSI representative confirmed Potocki’s findings. The representative wrote:

We proactively set Secure Boot as enabled and “Always Execute” as default to offer an easy-to-use environment that gives end users flexibility to build their own computer systems with thousands (or more) of components that include their choice of embedded ROM, including operating system images, which leads to higher compatibility configurations. For users who are very concerned about security, they can still manually set the “Image Execution Policy” to “Deny Execute” or other options to meet their security needs.

The post said that MSI will release new firmware versions that change the default setting to “Deny Execute”. The Reddit thread contains discussion that may help users troubleshoot any problems.

As mentioned earlier, Secure Boot is designed to prevent attacks in which an untrusted person surreptitiously gains brief access to a device and tampers with its firmware and software. Such hacks are commonly known as “Evil Maid attacks”, but a better description is “Stalker Ex-Boyfriend attacks”.
