Cybersecurity experts at Binarly have discovered that the Secure Boot protocol used in UEFI firmware has been compromised on more than 200 PC models and servers from the world’s largest manufacturers. The cause of the problem is said to be the irresponsible attitude of manufacturers towards managing cryptographic keys that provide Secure Boot protection.
Secure Boot technology became an industry standard in 2012, when it was realized that malware could emerge that could infect the BIOS, a set of low-level firmware that runs before the operating system boots. The day before, researchers from Binarly announced that the Secure Boot protocol was completely compromised on more than 200 computer models manufactured under the brands Acer, Dell, Gigabyte, Intel and Supermicro, because in 2022 a cryptographic key that ensures trust was compromised in one of the GitHub repositories between the computer hardware and the firmware running on it. Binarly researchers discovered the leak in January 2023.
It soon became clear that more than 300 more computer models from almost all major manufacturers were at risk – another 21 keys were discovered marked “DO NOT SHIP” (“Do not ship”) and “DO NOT TRUST” (“Do not trust”). These keys were created by AMI (American Megatrends Incorporated), one of the three largest software developers that helps hardware manufacturers create their own UEFI firmware for specific configurations. The markings indicate that these keys were not intended for use on production products – they were supplied by AMI to current or potential customers for testing, but were actually used on production products. The problem affected Aopen, Foremelife, Fujitsu, HP, Lenovo and Supermicro.
Security experts recommend that these cryptographic keys be unique for each product line or, at a minimum, for each manufacturer. And ideally, they should even be changed from time to time. In reality, the keys discovered by Binarly were used by more than a dozen different manufacturers for over a decade. Identical test keys were found in both consumer PCs and servers; and at least one was used by three different manufacturers. The company titled its discovery PKfail to highlight the failure of the entire industry to properly manage encryption keys, resulting in a threat to the entire supply chain. Bypassing Secure Boot protection means the ability to run any executable files on a vulnerable machine before the OS loads.
Incidents of a smaller scale have been reported before. In 2016, an AMI key marked “DO NOT TRUST” was discovered in Lenovo products; then the vulnerability CVE-2016-5242 was registered. Last year, Money Message hackers stole two MSI keys, putting 57 of the company’s laptop models at risk. Ars Technica sent inquiries to the companies mentioned in connection with PKfail and did not receive responses from all of them. Only Supermicro said they solved the problem by releasing BIOS updates. Intel, HP, Lenovo and Fujitsu gave very similar responses, noting that the potentially vulnerable products have already been discontinued, sold and no longer supported. Binarly published a complete list of vulnerable products on GitHub.