Binarly warns of vulnerability allowing hackers with physical access to devices to install UEFI malware
Take action: If you are developing any code that requires assymetric keys, NEVER use the demo key supplied with the documentation. Always create your own private/public key pair, and store the private component securely in KMS/HSM system. Never EVER hardcode the key in source code. For all users, update your firmware because even if you do have all encryption and antivirus on your computer, a hacker with physical access can inject malware that is trusted by the firmware, thus bypassing all protections when the computer starts up.
Learn More
Binarly researchers are warning aboyt a vulnerability dubbed PKfail. It represents a firmware supply-chain issue that undermines Secure Boot, a key security feature in the UEFI ecosystem designed to ensure that only trusted software is loaded during the boot process.
The vulnerability affects over 200 device models from numerous prominent vendors and stems from weaknesses in managing Platform Keys (PKs),
Secure Boot depends on asymmetric encryption. The UEFI protocol uses assymetric keys to verify trusted bootup components and check that components aren't on a blacklist. At the root of the process is the "Platform Key," the public-private key that starts the chain of trust.
Binarly discovered that hundreds of products use a test Platform Key which was generated by American Megatrends International (AMI). Test keys are shared with commercial partners and vendors, so they must be treated as completely untrusted. The AMI test key was likely included in their reference implementation with the expectation that it would be replaced with another safely-generated key. It was labeled as "do not trust" / "do not ship".
Even worse, the private component of the test key was discovered in a data leak, where an alleged employee published the source code containing the PK on a public GitHub. The key serial number is 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4.
Any hacker with access to the key pair - and privileged access to a computer - could use that key to poison the signature databases for trusted and untrusted software allowed to power on during bootup. Binarly identified more than 200 affected devices, including products made by Acer, Dell, Gigabyte, Intel, Lenovo and Supermicro. Both x86 and ARM devices are affected by PKFail.
The first vulnerable firmware was released in May 2012, with the latest in June 2024, affecting a wide range of devices from consumer laptops to enterprise servers.
Some vendors have released firmware that replaces the compromised Platform Key, but it's not clear how many customers have updated their computer firmware.
Vendors must update their firmware to ensure test keys from IBVs are replaced with securely generated keys, then never use test keys that are leaked. The private component of the Platform Key must be stored securely, such as in Hardware Security Modules (HSMs).
Users can only hope for update of their laptop firmware, and then apply it. Also, they should safeguard their physical devices from theft.
