MSI Cyber Attack- Source Code Stolen

[AL123]

Unsure whether to post this here or in Tech News section for best visibility 

 

https://www.theregister.com/AMP/2023/04/07/msi_cyberattack_bios/

 

says to beware of third party firmware sources etc due to theft of source code/ tools 

 

I don’t use MSI kit but spotted the article on the register which I read daily

[Sandy Bridge]

So yeah, this is not great.

 

I'm still not entirely sure of the practical impact, assuming that MSI's web site credentials were in fact not stolen.  As one commentator elsewhere said, you'd have to be a lunatic to be downloading firmware updates from random third-party sites.  (Although I could also see a use case if you have an HP laptop and are trying to get around their WiFi card whitelisting practices)  If the hackers had the ability to publish updates that not only were signed by MSI but were available for distribution through official channels, the problem would be much worse.

 

According to a security firm cited by PC Magazine, the list of affected models is at https://github.com/binarly-io/SupplyChainAttacks/blob/main/MSI/MsiImpactedDevices.md .  Neither of my MSI laptops is listed as affected, so I'll keep them for now.  But even if they were, I'm not sure I'd be super-concerned?  It certainly raises general questions about security practices (how'd this get stolen in the first place?  Back door wide open?  Spear phishing?), but there's a good chance I'm not ever going to upgrade my firmware, and if I do it will be from the official site.