New vulnerability affects over 200 PC models from major brands
A new vulnerability, known as PKfail, has compromised Secure Boot, a security standard developed by the PC industry. Cybersecurity firm Binarly reported that this breach, caused by a leaked cryptographic key, has affected over 200 product models from several major brands. The leak originated from an employee who accidentally posted source code containing the encrypted platform key for Secure Boot to a public GitHub repository in late 2022. The key material was protected only by a 4-character password, which was easily cracked.
Dell and Intel among brands impacted by the breach
The compromised platform key, discovered by Binarly in January 2023, was found to be reused across hundreds of product lines from major tech brands such as Acer, Dell, Gigabyte, Intel, and Supermicro. The vulnerability affects both x86 and Arm devices. With the private key in hand, an attacker can sign code that Secure Boot then accepts as trusted, which is enough to load firmware implants such as BlackLotus.
Microsoft's Secure Boot requirement raises concerns
Microsoft's decision to make Secure Boot a requirement for Windows 11 has sparked concerns in light of these findings. The company has been advocating this technology for years to protect systems against BIOS rootkits. Binarly's analysis of UEFI firmware images dating back to 2012 revealed that over 10% shipped with these untrusted test keys in place of the securely generated, manufacturer-specific keys the process intended. Among firmware released in the past four years alone, 8% still had this issue.
Supply chain failures exposed
The incident has exposed significant supply chain failures and highlighted how some vendors have mishandled critical platform security. Issues include reusing the same keys across consumer and enterprise device lines, shipping products with non-production cryptographic material, and failing to rotate keys regularly. Binarly identified these device supply chain security problems as the root cause of the breach.
Binarly advises on mitigating Secure Boot vulnerability
Binarly urges device owners and IT administrators to check whether their equipment is listed in Binarly's vulnerability advisory and to promptly apply any related firmware patches from their vendor. The firm also recommends that device vendors follow best practices for cryptographic key management, such as using Hardware Security Modules, and replace any supplied test keys with securely generated production keys.
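One check an administrator can run on a Linux host, as an added example that is not Binarly's tooling: read the Platform Key (PK) variable from efivarfs, walk its EFI_SIGNATURE_LIST structures, and flag any X.509 certificate whose DER bytes carry the "DO NOT TRUST" or "DO NOT SHIP" subject strings that vendor test certificates are known to contain (the marker strings are an assumption beyond this article; the sample blob is constructed).

```python
"""Flag Secure Boot Platform Keys that carry vendor test-key markers."""
import struct
import uuid
from pathlib import Path

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_PATH = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}")
# Assumed subject-name substrings of untrusted test Platform Keys.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(data: bytes):
    """Yield (SignatureType GUID, SignatureData) for each entry in the blob."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        # Guard against truncated or self-referencing sizes (zero-size loops).
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            # Each signature = 16-byte SignatureOwner GUID + SignatureData.
            yield sig_type, data[pos + 16:pos + sig_size]
            pos += sig_size
        off += list_size


def find_test_key_markers(efivar_bytes: bytes):
    """Return marker strings found in any X.509 certificate of the PK variable."""
    body = efivar_bytes[4:]  # efivarfs prefixes a 4-byte attribute header
    found = []
    for sig_type, cert_der in parse_signature_lists(body):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        # PrintableString/UTF8String subject fields appear verbatim in DER.
        found += [m.decode() for m in TEST_KEY_MARKERS if m in cert_der]
    return found


def build_pk_blob(cert_der: bytes) -> bytes:
    """Constructed sample: wrap one certificate into an efivarfs-style PK variable."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return b"\x07\x00\x00\x00" + header + b"\x00" * 16 + cert_der


if __name__ == "__main__":
    if PK_PATH.exists():
        hits = find_test_key_markers(PK_PATH.read_bytes())
        print("UNTRUSTED test PK:" if hits else "no test-key marker found", hits)
```

A match means the platform ships with a test key and the vendor's advisory and firmware update should be consulted; an absent PK variable or no match is not by itself proof that the device is unaffected.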