Cybersecurity experts at Binarly discovered that the Secure Boot protocol used in UEFI firmware has been compromised on more than 200 models of PCs and servers from the world’s largest manufacturers. The cause is said to be manufacturers’ irresponsible handling of the cryptographic keys that protect Secure Boot.
Secure Boot became an industry standard in 2012, when it was realized that malware could infect the BIOS, the set of low-level firmware that runs before the operating system boots. Researchers from Binarly announced yesterday that the Secure Boot protocol was completely compromised on more than 200 models of computers from Acer, Dell, Gigabyte, Intel, and Supermicro. The reason is that in 2022 a cryptographic key that ensures trust between the computer hardware and the firmware running on it was compromised in a GitHub repository. Binarly researchers discovered the leak in January 2023.
It soon became clear that over 300 more models of computers from almost all major manufacturers were at risk: 21 more keys were found bearing the marks “DO NOT SHIP” and “DO NOT TRUST”. These keys were created by AMI (American Megatrends Incorporated), one of the three largest developers of software that helps hardware manufacturers create their own UEFI firmware for specific configurations. The marks indicate that the keys were never intended for production products. AMI supplied them to current or potential customers for testing, but they ended up in shipping products anyway. The problem affected Aopen, Formelife, Fujitsu, HP, Lenovo and Supermicro.
Security experts recommend that these cryptographic keys be unique to each product line, or at least to each manufacturer. Ideally, they should also be rotated from time to time. In practice, the keys discovered by Binarly were used by more than a dozen different manufacturers over more than a decade. Identical test keys were found in both consumer PCs and servers; at least one was used by three different manufacturers. The company named its discovery PKfail to highlight the industry’s failure to properly manage cryptographic keys, which puts the entire supply chain at risk. Bypassing Secure Boot protection means that any executable file on a vulnerable machine can be run before the OS even loads.
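As an added example (not from the article or from Binarly's tooling), the sketch below shows how a defender could check whether a machine's Platform Key carries one of the marks described above. It assumes a Linux host exposing the PK variable through efivarfs and that the mark appears as ASCII text inside the certificate; the function names and the `make_sample` input are constructed for illustration.

```python
import struct, uuid

# Marks the article says were found on the AMI test keys.
MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")
# EFI_CERT_X509_GUID from the UEFI specification.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Linux efivarfs path of the PK variable (assumption: efivarfs is mounted).
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def iter_signatures(data):
    """Yield (type_guid, owner_guid, sig_bytes) from concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def find_test_keys(variable, has_attributes=True):
    """Return the marks found in X.509 entries of a PK variable (ASCII match only)."""
    body = variable[4:] if has_attributes else variable  # efivarfs prepends 4 attribute bytes
    hits = []
    for sig_type, _owner, cert in iter_signatures(body):
        if sig_type == X509_GUID:
            hits += [m.decode() for m in MARKERS if m in cert]
    return hits

def make_sample(subject):
    """Constructed test input: a PK blob whose 'certificate' is placeholder bytes."""
    cert = b"\x30\x82" + b"\x00" * 8 + subject + b"\x00" * 8
    sig = uuid.UUID(int=0).bytes_le + cert
    lst = X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
    return struct.pack("<I", 0x27) + lst

if __name__ == "__main__":
    try:
        with open(PK_PATH, "rb") as f:
            found = find_test_keys(f.read())
        print("test PK marks:", found or "none")
    except OSError as e:
        print("cannot read PK variable:", e)
```

A hit means the firmware trusts a key carrying one of the marks; an empty result only rules out the marked keys, so the model should still be compared against the list Binarly published.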
Smaller incidents have been reported before. In 2016, an AMI key marked “DO NOT TRUST” was found in Lenovo products, and the vulnerability CVE-2016-5242 was registered at the time. Last year, hackers from the Money Message group stole two MSI keys, which put 57 models of the company’s laptops at risk. Ars Technica sent inquiries to the companies mentioned in connection with PKfail and did not receive responses from all of them. Only Supermicro said that it had solved the problem by releasing BIOS updates. Intel, HP, Lenovo and Fujitsu gave very similar answers, noting that potentially vulnerable products had already been discontinued and sold, and were no longer supported. Binarly published the full list of vulnerable products on GitHub.