Facepalm: Binarly analysts have issued a new warning just a couple of months after unveiling a security issue related to compromised platform keys used to enforce Secure Boot protection. The PKfail problem affects a significantly larger pool of devices and brands, and is not limited to firmware products developed by AMI.
The PKfail incident shocked the computer industry, exposing a deeply hidden flaw within the core of modern firmware infrastructure. The researchers who uncovered the issue have returned with new data, offering a more realistic assessment of the current state of firmware security. According to them, the situation is dire, and the industry must undergo a significant modernization effort.
At the end of August 2024, PKfail was finally assigned a tracking ID within the CVE system. The CVE-2024-8105 flaw describes a critical supply chain vulnerability affecting UEFI firmware and Secure Boot (SB). The "master key" used to protect the Secure Boot process from untrusted code, also known as the "Platform Key" (PK), serves as the primary anchor for the SB Root of Trust.
Binarly analysts discovered that a compromised PK was leaked and shared on GitHub in 2022. Additionally, computer manufacturers have been using test keys marked "DO NOT TRUST" in their certificates to sign firmware releases that were later shipped in final products. Major device manufacturers – including Dell, Acer, Gigabyte, Intel, Supermicro, HP, Lenovo, and others – have been using these inherently insecure keys for years, without anyone being aware of the issue.
After revealing the PKfail fiasco, Binarly launched the pk.fail detection service, allowing customers to check their own firmware images. According to the latest data from the security company, over 10,000 unique firmware images have been uploaded to the service so far. These tests helped identify 791 flawed firmware releases containing an untrusted Platform Key, with an estimated vulnerability rate of 8.5 percent.
The free detection service also allowed Binarly to uncover the true scope of the PKfail incident. While firmware versions from AMI still accounted for the majority of vulnerable products, new, previously unknown firmware images from other manufacturers such as Insyde and Phoenix were also affected.
In addition to desktops, servers, and laptops, Binarly researchers found PKfail and non-production firmware keys in unexpected places, including voting machines, medical devices, gaming consoles, ATMs, and POS terminals. The most frequently used key was the one "accidentally" leaked on GitHub in 2022, but the pk.fail service also uncovered four more untrusted keys that had previously gone undetected.
Cybercriminals and state-sponsored hackers could exploit these unsecure keys to sign dangerous rootkits and espionage tools capable of bypassing Secure Boot's protections. "The complexity of the supply chain is overgrowing our ability to effectively manage the risks associated with third-party suppliers," Binarly remarked. However, these risks can be mitigated if the tech industry adopts a secure-by-design development philosophy.