The fault lies with the negligence of one company and the careless attitude towards safety on the part of many suppliers.
Secure Boot, the technology designed to protect a PC at the software level, has turned out to be open to bypass. Binarly REsearch experts have discovered that the private Platform Key (PK) of American Megatrends International (AMI), which serves as the “master key” for Secure Boot, has become publicly available.
The leak occurred at an ODM that develops firmware for a number of vendors, including US-based enterprise hardware manufacturers. Devices using the compromised key are still in use.
Moreover, the key is also used in recently released devices. The problem, called PKfail, reveals a number of systemic flaws in the security of the device supply chain:
- Careless handling of cryptographic materials. Private keys are found directly in code repositories, and the paths to them are written into build scripts.
- Use of test keys in production devices. There are cases where keys not intended for use in finished products end up in device firmware.
- No key rotation. In some cases, the same keys are used for different product lines (e.g., client and server devices) and by different hardware manufacturers.
It’s worth noting that this isn’t the first time Secure Boot-related keys have been leaked. In 2023, a similar issue was discovered with Intel Boot Guard keys.
It became known that more than 800 models of motherboards from Acer, Dell, Fujitsu, Gigabyte, HP, Intel, Lenovo and Supermicro were vulnerable to bypassing the Secure Boot mechanism. Even though the key’s description carried a warning that it was not suitable for use in finished products, many manufacturers ignored it. As a result, the firmware shipped with a standard key, the same one for all AMI partners and customers.
According to Binarly researchers, more than 10% of the firmware scanned is affected by the issue. The oldest of them date back to 2012, and the newest ones to June 2024. To check devices for the PKfail vulnerability, Binarly has developed a free scanner available on the PK.fail website. The tool is based on Binary Intelligence technology and has an extremely low false positive rate.
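The warning in the key’s description is something a defender can check for locally without the web scanner. The following is an added example, not code from Binarly or from the article: it parses the PK variable’s EFI_SIGNATURE_LIST chain (layout and GUIDs from the UEFI specification, efivarfs path from Linux) and looks for the “DO NOT TRUST” / “DO NOT SHIP” strings, which are assumed here to be the markers the test keys carry in their subject.

```python
import struct
import uuid
from pathlib import Path

# GUID marking X.509 certificate entries inside an EFI_SIGNATURE_LIST (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs exposes each variable as 4 bytes of attributes followed by the variable data.
PK_EFIVAR = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
# Assumption: test keys unfit for production carry one of these warnings in their subject.
WARNING_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(data: bytes) -> list[tuple[uuid.UUID, bytes]]:
    """Walk a chain of EFI_SIGNATURE_LIST structures; return (SignatureType, SignatureData) pairs."""
    entries = []
    offset = 0
    while offset + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        if list_size < 28 or sig_size <= 16 or offset + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = offset + 28 + hdr_size          # skip the optional SignatureHeader
        end = offset + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the payload (DER cert for X.509).
            entries.append((sig_type, data[pos + 16:pos + sig_size]))
            pos += sig_size
        offset = end
    return entries


def find_untrusted_pk(data: bytes) -> list[bytes]:
    """Return the warning markers present in the X.509 entries of a PK variable payload."""
    found = []
    for sig_type, cert_der in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # hash-type lists cannot be the PK certificate
        # Subject names are stored as plain ASCII strings inside the DER, so a byte search suffices.
        found.extend(m for m in WARNING_MARKERS if m in cert_der)
    return found


def check_local_pk(path: Path = PK_EFIVAR) -> list[bytes]:
    """Read the PK efivar (dropping the 4-byte attribute prefix) and check it for test-key markers."""
    return find_untrusted_pk(path.read_bytes()[4:])


def build_signature_list(sig_type: uuid.UUID, payload: bytes, owner: uuid.UUID) -> bytes:
    """Serialize one single-entry EFI_SIGNATURE_LIST without a header; used to construct sample input."""
    sig_size = 16 + len(payload)
    return sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + payload


if __name__ == "__main__":
    print("test-key markers found:", check_local_pk() or "none")
```

Run it as root on a Linux machine with efivarfs mounted; an empty result means the PK did not contain the markers, not that the key is otherwise trustworthy.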
Binarly has already notified its customers and partners of the threat and is helping them identify and protect vulnerable devices. In addition, Binarly experts are actively collaborating with the CERT/CC team to address the PKfail vulnerability across the industry.