back to article Leaked stolen Nvidia key can sign Windows malware

The private key of an Nvidia code-signing certificate was among the mountain of files stolen and leaked online by criminals who ransacked the GPU giant's internal systems. At least two binaries not developed by Nvidia, but signed this week with its stolen key, making them appear to be Nvidia programs, have appeared in malware …

  1. Anonymous Coward
    Anonymous Coward

    So what happens now?

    So what happens if say an iMac 2009 (as an example) with Nvidia 9400GM Graphics/(Bootcamp) using either Nvidia 340.108 (Linux) or Nvidia 342.01 Windows drivers which are no longer supported but still work fine, are these machines going to the price paid by consumers for this fcuk up by Nvidia? More landfill crud, where end users are the innocent party in this.

    All seems very convenient, to sell a shitload of tech, off the back of this, for both MS and Nvidia.

    To MS/Nvidia, you better sort this out for all legacy drivers, not just current ones, anything else is unacceptable. Nvidia make 340.108 compatible with Linux 5.15 kernel while you're at it.

    And just to make the point regarding Windows 11, a TPM module and secure boot, doesn't save anyone from this type of malware where there is a compromised certificate. Plenty have made that point very vocal in the last few months.

    Windows, the utter trash - just keeps on giving.

    1. John Brown (no body) Silver badge

      Re: So what happens now?

      I guess it depends on how likely the binary blob is to get new updates and where you download them from.

    2. iron

      Re: So what happens now?

      More frog pills required nurse! He's ranting complete bollocks again.

      1. Anonymous Coward
        Anonymous Coward

        Re: TPM Module is Microsoft's answer, equivalent to Boeing's sticking plaster MCAS system.

        <Iron> Look, if you want to shoot the messenger, fine.

        Linux's reputation is getting trashed because of Nvidia's proprietary drivers. Upgrading Linux Mint 20.3 using kernel 5.8 to 5.13, ends up with a flashing cursor on reboot, without using third-party patched drivers.

        And yes, angry – because it's relentless, and it's always the end user that gets pushed around, forced to do things Microsoft's way. The Windows team seems to be concentrating on the superficial fringes, aka. Notepad tinkering, rather than attacking the entangled patched, patch on patch, tangled spaghetti blob of Windows code.

        Stipulating a TPM Module is Microsoft's answer equivalent to Boeing's sticking plaster MCAS system.

        How about explaining how a TPM Module and Secure Boot supposedly helps if malware is embedded in a signed low level Nvidia driver code, if you know a way it does. A graphics driver generally is something that has is 'access all areas' to the core OS.

        In theory, it could help encrypt different sections of the core operating system code (but with the overhead of doing that), from prying eyes, but is that really possible within legacy Windows code? Bearing in mind, this is a potentially malware infected 'signed' all access low level graphics driver, with root privileges?

        It seems a moot point, given the overhead and given the security attack vectors the TPM chips have themselves been shown to have themselves.

        If I'm wrong, point out how this is wrong, I've never stopped learning, and listening, but let's have some transparency here. How does it help in this situation? I just can't see how it does.

        1. doublelayer Silver badge

          Re: TPM Module is Microsoft's answer, equivalent to Boeing's sticking plaster MCAS system.

          I love how Nvidia failing to update drivers for Linux kernel compatibility is now Microsoft's fault. The Linux-related comments are on Nvidia and I'm not here to defend them. While I'm not here to defend Microsoft either, I must also point out that the comments about the TPM are missing the point about what that is there to do. I think that requiring one for Windows 11 is useless and generates unnecessary obsolescence, but nobody claimed that having it would in some way prevent malware. You appear to be complaining that the chip doesn't do something that it was never designed to do, and if it did do you still wouldn't support. This leads me to think that, instead of raising actual problems, you are just angry and would like to blame Microsoft for anything that doesn't work as expected.

    3. ThatOne Silver badge
      Unhappy

      Re: So what happens now?

      I'm with the OP.

      I too guess owners of older Nvidia cards on Windows will now have to buy new video cards, for Nvidia obviously won't issue updated drivers for EOL kit.

      Obviously if you're of the "shiny-shiny" people who change car, computer, phone and spouse every year for the latest and greatest you won't be affected. Problem is, other people who don't appreciate blind consumerism will, and the fact you consider them to be stupid doesn't change anything.

      Also, this shows once again what a chocolate teapot program signing is. It's only good to control independent developers, as a security tool it is hopeless, it's not like certificates aren't leaked/stolen/forged all the time.

      1. cyberdemon Silver badge
        Holmes

        It's only good to control independent developers

        Yes, I believe that's its intended purpose

        It seems to me, the only point of TPM is to force smaller developers out of the market and to let Microsoft, Google, Amazon et al take over everything. And it will be used for unbreakable DRM for the likes of Disney, netflix, etc.

        It was never about security - that was always just an excuse.

    4. bombastic bob Silver badge
      Mushroom

      Re: So what happens now?

      driver certs: a Charlie Foxtrot "Circular Fire Drill" by any other name

      the whole "driver signing" system needs to be DUMPED. no more automaticaly trusting kernel drivers just because they're "signed". I bet this whole "driver signing" nonsensical CRAP has CREATED more problems than it EVAR solved (especially for small time independent developers and OPEN SOURCE in general, having to "pay the toll" to ship or even COMPILE a driver binary from source - noting that for video drivers, you do not have many options available to you OTHER than driver signing)

      (And, THiS is just one example of why - think 'stolen keys to a back door' and you're opn the right track)

      (thankfully this driver signing fiasco is NOT on my FreeBSD or Linux desktops)

    5. ecofeco Silver badge

      Re: So what happens now?

      I see the MS fanbois showed up to downvote you.

      So have my upvote!

  2. karlkarl Silver badge

    Can we use the leaked cert to sign open-source firmware as part of the Nouveau Linux driver?

    If so, then this is definitely a good thing and certainly outweighs a few twits that are going to get a virus.

    1. Artem S Tashkinov

      These are 100% unrelated.

      Firmware files are signed using internal NVIDIA's keys specific to the company and its hardware.

      Lastly, it's _not_ about signatures - you can trivially extract the said firmware files from publicly released NVIDIA drivers.

      NVIDIA does _not_ license these firmware files for use with nouveau - that's the issue.

      1. karlkarl Silver badge

        "NVIDIA does _not_ license these firmware files for use with nouveau - that's the issue."

        We are quite happy to ignore what NVIDIA licenses and doesn't license, it matters very little to us. However what is an issue is NVIDIA have made it impossible to access key hardware functionality because of a requirement on signed firmware.

        (Apologies for the reddit post but it contained both links):

        https://www.reddit.com/r/linux_gaming/comments/cnpuss/nouveau_developer_explaining_how_exactly_nvidia/

        So are these things really completely unrelated?

        1. Anonymous Coward
          Anonymous Coward

          Who is "we"? Are you part of the driver development team? Because the last I heard they were being paid by Red Hat, who definitely do care about having valid licenses for the code they send their customers.

          1. Anonymous Coward
            Anonymous Coward

            Drivers for Linux are traditionally reverse engineered and Nouveau are no exception. So you think they had a license for that?

            Red Hat are a prominent developer in the Linux ecosystem but you are absolutely doing all the thousands of independent an insulting disservice by saying things like "driver development teams are all paid by Red Hat".

            1. Anonymous Coward
              Anonymous Coward

              Reverse engineering requires no license, and Red Hat does it.

              Cutting signed binary firmware out of Nvidia drivers and shipping that does. I think even the most novice software developer should have that level of copyright knowledge.

              Yes - look up the list of who employs the Nouveau developers: it's Red Hat. I assume you are not a Nouveau contributor? BTW I have submitted one bug fix patch to it, and I don't pretend to describe myself as a Nouveau developer.

        2. iron

          > We are quite happy to ignore what NVIDIA licenses and doesn't license, it matters very little to us.

          Are you quite happy to be sued into oblivion as well?

          How does a MICROSOFT code signing certificate used for WINDOWS DRIVERS help you in any way whatsoever with FIRMWARE?

          Hint: It doesn't.

          Who moved the stone that was covering the blithering idiots?

          1. karlkarl Silver badge

            "Are you quite happy to be sued into oblivion as well?"

            Using a leaked private signing key for hardware I own? Hah, yeah I will take the chances.

            Frankly the reverse engineering work used for most drivers is much more risky than using a that.

            Perhaps you should get out from under that rock and live a little too. Don't fear the big scary commercial companies. Yes, they are bigger and better than us but don't have such a defeatist attitude.

            1. Anonymous Coward
              Anonymous Coward

              Ok - how about this... You can use the certificate to sign drivers (but you don't have to - you can just get your own certificate to sign drivers if you need to). You can't sign Nvidia firmware because firmware is not the same thing as a driver and isn't signed by the leaked Verisign private keys.

              Reverse Engineering is a well documented and litigated topic back to the first IBM clone. It isn 't the same thing as pretending to be Nvidia using stolen private keys. It isn 't the same thing as copying BLOBs out of Nvidia copyright software.

  3. Artem S Tashkinov

    In case people want to check what this leak is all about, follow this link:

    https://www.opennet.ru/openforum/vsluhforumID3/126912.html#104

    It's a treasure trove of internal information, including the source code for Windows and Linux drivers, DLSS, certificates, etc. etc. etc.

  4. emfiliane

    You man manually import it into your system's untrusted list, or as a sysadmin push out a policy that does so, but it's a pain in the ass and Microsoft needs to release a security update right now that revokes this certificate.

    1. Anonymous Coward
      Anonymous Coward

      "...Microsoft needs to release a security update right now"

      Can they? What if you're legitimately using this key? Or, is this key even in use and if so, for what?

      1. ThatOne Silver badge
        Unhappy

        > What if you're legitimately using this key?

        I imagine your old Nvidia driver will henceforth be flagged as "unfit for duty" by Windows and if that video card is not brand new, you will have to immediately buy a new one, since EOLed products don't get updates. Profit! (For Nvidia obviously, not for you. It's users who always pick up the pieces and foot the bill when things like that happen...)

        1. Anonymous Coward
          Anonymous Coward

          Things need to change at Microsoft.

          Exactly, those using EOL products are the innocent victims here.

          End users using legacy hardware shouldn't be the victims in all this as a result of Nvidia's failed security, and from what we can tell so far, exploiting weaknesses in Windows code to gain access.

          My gripe with Microsoft, is the current concentration of efforts on superfluous BS, like Notepad's look and feel. Windows Update is still clunky, often doesn't work, essentially, a bag of rusty old nails, but Notepad's look and feel is clearly more important to the head of the Windows development team.

          The fact that a minor 'dark mode' update to Notepad had to go through the insider programme before release, just shows how bad their own internal testing regimes are now, to the point of being non-existent.

          Microsoft has the wrong people in charge of Marketing (how they've kept their job this long, god only knows) and of Windows. They also need to employ an exceptional person for the role of heading up Windows Update, that has a brain with OCD (Obsessive compulsive disorder), for detail. That's what it is going to take to detangle the mess that is 'patch on patch' Windows now.

          Things need to change.

          1. ThatOne Silver badge
            Devil

            Re: Things need to change at Microsoft.

            > Marketing (how they've kept their job this long, god only knows)

            Apparently by having everybody else fired. (Except of course the cleaning staff, and the intern who does the coding, when he's not putting fresh toner into the printers or making coffee.)

            1. Claverhouse

              Re: Things need to change at Microsoft.

              Or, judging by Microsoft, putting fresh toner in the coffee...

  5. Mr Spuratic

    obPedantry

    Stolen cert? I think you mean stolen key.

    There's nothing secret about an X.509 certificate.

    1. Anonymous Coward
      Anonymous Coward

      Re: obPedantry

      It's a fair point, even if your post offers nothing else. Keeps everyone here on their toes regarding what they post.

  6. Anonymous Coward
    Anonymous Coward

    Other video card manufacturers are available. Use them!

    In general my experience of AMD and even Intel living on Linux has been a favourable one. Unlike the deliberately nerfed user experience caused by Nvidia's approach to releasing software.

    1. CommonBloke

      Only an option if:

      1- you're buying a new computer

      2- if you want a notebook, finding one with AMD can be hard

      3- you have a desktop, you can't change graphic cards on notebooks

      4- you can find a card at a decent price.

      What we need is more competition. Intel can probably get in on the game, though only using their better graphics chips as integrated on their most expensive processors doesn't help consumers at all.

      1. Anonymous Coward
        Anonymous Coward

        Agree, though on #2 there are reasonable options available now. And for a work laptop AMD/Intel integrated stuff is fine. Alchemist - whenever it finally launches en mass will hopefully help with the desktop market somewhat too.

        On #4; which we are far from reasonable just yet, there are signs of some improvement. No doubt to be scuppered by the third in trilogy of sucky years.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like