
Researchers Find Malware-Threatening Secure Boot Bypass in Hundreds of Devices

A critical vulnerability in Secure Boot has been discovered, allowing attackers to bypass security and install malware.


Experts with Binarly have pinpointed a vulnerability in Secure Boot, affecting more than 200 device models produced by several prominent manufacturers. This flaw is tied to a leak of cryptographic keys, impacting hardware from Acer, Dell, Gigabyte, Intel, and Supermicro.

History of Secure Boot

Secure Boot was introduced in 2012 to counter malware that embeds itself in BIOS, ensuring that only software with an approved digital signature can start during the boot process. Part of the Unified Extensible Firmware Interface (UEFI), this feature aims to prevent malware from running before the operating system and security software activate.

Security firm Binarly uncovered the compromise of a cryptographic key that is essential to Secure Boot. In 2022, the key was exposed in a public repository, uploaded by an employee tied to various US-based hardware makers. The repository contained the private portion of the platform key, protected only by a weak four-character password that made it easy to crack.

Repercussions of the Breach

The compromised cryptographic key affects 215 device models, identifiable by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. This breach permits malware or unauthorized code to run during boot if privileged access is acquired, negating the protections Secure Boot is supposed to offer.

Additional investigation revealed more issues in the supply chain. Over 21 more platform keys marked as “DO NOT SHIP” or “DO NOT TRUST” were discovered, casting doubt on the Secure Boot integrity of over 300 other device models.
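
For defenders checking their own fleet, the two indicators above (the certificate serial number and the "DO NOT SHIP" / "DO NOT TRUST" markings) can be tested against a machine's Platform Key (PK) variable. The Python below is an added example, not code from Binarly or from this article; its function names are hypothetical, it assumes the markings appear as plain text inside the certificate, and its sample input is constructed.

```python
import struct, uuid

X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le  # EFI_CERT_X509_GUID
LEAKED_SERIAL = "55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4"  # from the article
TEST_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")  # from the article

def der_tlv(buf, off):  # -> (tag, value_start, value_end) of the DER element at off
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def cert_serial(der):  # serialNumber as colon-separated hex
    _, off, _ = der_tlv(der, 0)    # Certificate SEQUENCE
    _, off, _ = der_tlv(der, off)  # tbsCertificate SEQUENCE
    tag, start, end = der_tlv(der, off)
    if tag == 0xA0:                # optional [0] version comes first
        tag, start, end = der_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].lstrip(b"\x00").hex(":")  # drop DER sign-padding byte

def pk_certs(esl):  # yield DER certificates from concatenated EFI_SIGNATURE_LISTs
    off = 0
    while off + 28 <= len(esl):
        sig_type = esl[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", esl, off + 16)
        if list_size < 28 or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_type == X509_GUID and pos + sig_size <= end:
            yield esl[pos + 16:pos + sig_size]  # skip the SignatureOwner GUID
            pos += sig_size
        off = end

def pkfail_findings(esl):  # reasons to distrust the Platform Key, empty if none
    findings = []
    for der in pk_certs(esl):
        if cert_serial(der) == LEAKED_SERIAL:
            findings.append("leaked-key serial")
        findings += [m.decode() for m in TEST_MARKERS if m in der]
    return findings

def constructed_sample():  # one list holding a truncated stand-in, not a valid certificate
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    ver_serial = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes.fromhex(LEAKED_SERIAL.replace(":", "")))
    cert = tlv(0x30, tlv(0x30, ver_serial + tlv(0x0C, b"DO NOT TRUST - constructed sample")))
    sig = bytes(16) + cert  # zeroed SignatureOwner GUID + certificate
    return X509_GUID + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
```

On Linux the live variable can be read from `/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c`; drop its first four bytes (the attribute field) before passing the rest to `pkfail_findings`.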

The PKfail Supply-Chain Issue

Dubbed PKfail, this vulnerability affects hundreds of UEFI products from 10 vendors, enabling attackers to bypass Secure Boot and install malware. The affected devices employ test Secure Boot “master keys” created by American Megatrends International (AMI), which should have been replaced by upstream vendors with their securely generated keys.

UEFI device vendors, including Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro, used untrusted test keys across 813 products. The first firmware vulnerable to PKfail was released in May 2012 and the latest in June 2024, making this one of the most enduring supply-chain vulnerabilities, spanning over 12 years.

Recent Key Leaks

In May 2023, Binarly identified a supply chain security issue involving leaked Intel Boot Guard private keys, affecting multiple vendors. The Money Message extortion gang leaked MSI source code, which included signing private keys for 57 MSI products and Intel Boot Guard keys for 116 MSI products.

To address PKfail, vendors are advised to adhere to cryptographic key management best practices, such as using Hardware Security Modules, and to replace any test keys provided by BIOS vendors like AMI with securely generated keys.

Source: Binarly
Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
