Researchers have discovered a new way to exploit side channels in smart cards and smartphones by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on. The attacks enable the recovery of secret encryption keys stored in smart cards and smartphones, which underpin the security and confidentiality of a cryptographic algorithm. The video-based attacks reduce or completely eliminate the need for specialized and often expensive instruments attached or near the targeted device.
The leak of MSI's private encryption keys, including the signing key used to digitally sign firmware updates, has raised concerns of devastating supply chain attacks that could inject malicious updates that are trusted by a huge base of end-user devices. Security researchers warn that MSI doesn't have an automated patching process and doesn't provide the same kind of key revocation capabilities as larger hardware makers, making it difficult to block the leaked keys.
The leak of MSI's private encryption keys, including the signing key used to verify the authenticity of firmware updates, has raised concerns of devastating supply chain attacks. Unlike larger hardware makers, MSI doesn't have an automated patching process or key revocation capabilities, making it difficult to revoke compromised keys. The leak also included a private encryption key used in a version of Intel Boot Guard that MSI distributes to its customers, which could allow attackers to bypass security measures and gain far-reaching access to systems. MSI has yet to issue guidance to its customers.
