PKfail Vulnerability: More Pervasive Than Initially Thought

CyberSecureFox 🦊

Cybersecurity researchers at Binarly have uncovered alarming new details about the PKfail vulnerability, initially discovered in the UEFI supply chain last summer. The problem is far more widespread and severe than originally anticipated, potentially compromising the security of millions of devices worldwide.

The Scope of the PKfail Vulnerability

According to Binarly’s latest findings, approximately 8.5% of all firmware images use test cryptographic keys that are either publicly known or have been exposed through data leaks. This means that a large number of devices with Secure Boot enabled are vulnerable and should be considered potentially compromised.

The PKfail vulnerability affects hundreds of device models from major manufacturers, including Acer, Dell, HP, Intel, Lenovo, and Supermicro. The problem stems from the use of cryptographic test “master keys” for Secure Boot, also known as Platform Keys, created by American Megatrends International (AMI).

The Root Cause: Misuse of Test Keys

These test keys, marked as “DO NOT TRUST,” were never intended for use in production systems. AMI provided them to clients and potential buyers for testing purposes, with the expectation that manufacturers would replace them with their own securely generated keys. However, this crucial step was often overlooked.

Binarly’s researchers found that keys labeled “DO NOT SHIP” and “DO NOT TRUST” are being used in 813 different products. Many of these test keys have been part of data breaches, making them known to potential attackers.
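The labels quoted above live in the subject of the X.509 certificate that the firmware stores in its PK variable, so a defender can check a machine for one of these test keys without any external scanner. The script below is an added example written for this article, not Binarly's pk.fail tool or any vendor code. It parses the EFI_SIGNATURE_LIST layout defined by the UEFI specification (the EFI_CERT_X509_GUID and the PK variable path under Linux efivarfs are standard values) and searches each certificate body for the "DO NOT TRUST" / "DO NOT SHIP" markers. The two sample PK blobs are constructed placeholders, not real certificates; the marker strings are the ones the article quotes.

```python
import struct
import uuid
from pathlib import Path

# Standard UEFI values: X.509 signature-list type and the PK variable under efivarfs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_EFIVAR = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")

# Labels AMI placed in the subject of its test Platform Keys (quoted in the article).
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(blob):
    """Return (signature_type, signature_owner, signature_data) for every
    EFI_SIGNATURE_DATA entry in a concatenation of EFI_SIGNATURE_LIST structures.

    EFI_SIGNATURE_LIST: SignatureType GUID (16) | SignatureListSize (4) |
    SignatureHeaderSize (4) | SignatureSize (4) | header | entries.
    EFI_SIGNATURE_DATA: SignatureOwner GUID (16) | SignatureData.
    """
    entries = []
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        if sig_size <= 16:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def find_test_key_markers(pk_blob):
    """Return the marker strings present in any X.509 entry of a PK variable.

    DER encodes subject/issuer name components as plain ASCII/UTF-8, so a byte
    search on the certificate body finds the label without an X.509 parser.
    """
    hits = []
    for sig_type, _owner, cert_der in parse_signature_lists(pk_blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        for marker in TEST_KEY_MARKERS:
            if marker in cert_der and marker.decode() not in hits:
                hits.append(marker.decode())
    return hits


def build_signature_list(sig_type, owner, payload):
    """Construct a single-entry EFI_SIGNATURE_LIST (used only to build samples)."""
    sig_size = 16 + len(payload)
    list_size = 28 + sig_size
    return (sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
            + owner.bytes_le + payload)


# Constructed samples: NOT real certificates, only DER-looking bodies carrying
# the subject text a test PK and a properly generated OEM PK would contain.
SAMPLE_TEST_PK = build_signature_list(
    EFI_CERT_X509_GUID, uuid.UUID(int=0),
    b"\x30\x82\x01\x00PLACEHOLDER CERT BODY CN=DO NOT TRUST - AMI Test PK\x00")
SAMPLE_OEM_PK = build_signature_list(
    EFI_CERT_X509_GUID, uuid.UUID(int=0),
    b"\x30\x82\x01\x00PLACEHOLDER CERT BODY CN=Example OEM Platform Key\x00")


def read_pk_from_efivarfs(path=PK_EFIVAR):
    """Linux: efivarfs prefixes the variable data with a 4-byte attributes word."""
    return path.read_bytes()[4:]


if __name__ == "__main__":
    try:
        markers = find_test_key_markers(read_pk_from_efivarfs())
    except (OSError, ValueError) as exc:
        print(f"could not read PK from efivarfs ({exc}); checking constructed sample")
        markers = find_test_key_markers(SAMPLE_TEST_PK)
    if markers:
        print("Platform Key carries test-key markers:", ", ".join(markers))
    else:
        print("no AMI test-key markers found in the Platform Key")
```

Run it as root on a Linux machine booted in UEFI mode and it reads the live PK; on Windows the same bytes come from `(Get-SecureBootUEFI -Name PK).Bytes` and can be passed to `find_test_key_markers` directly, since that cmdlet returns the variable data without the efivarfs attributes prefix. A hit on the marker string is a strong signal but not the only one: a vendor could have renamed the subject while still shipping a key whose private half has leaked, so pair this check with the firmware advisories named later in the article.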

Implications of the Vulnerability

The exploitation of PKfail allows attackers with access to vulnerable devices and the private part of the Platform Key to bypass Secure Boot. This breach enables manipulation of key databases and potentially allows malicious code to be signed and deployed as UEFI malware, similar to known threats like CosmicStrand and BlackLotus.

Widespread Impact Across Industries

Binarly’s scanning tool, hosted at pk.fail, has identified 791 vulnerable firmware images out of 10,095 scanned. The researchers now know of 972 vulnerable devices and have discovered four previously unseen test keys.

The vulnerability has been found in a wide range of devices, including:

  • Medical equipment
  • Desktop computers and laptops
  • Gaming consoles
  • Corporate servers
  • ATMs and POS terminals
  • Voting machines

Most of the problematic keys are associated with AMI and its competitors, including Insyde, Phoenix, and Supermicro. Alarmingly, Insyde keys generated in 2011 are still in use in modern devices, contrary to earlier assumptions that they would be found only in rare and outdated systems.

Industry Response and Mitigation

While many manufacturers have responded proactively to the PKfail threat, not all have issued timely security advisories. Dell, Fujitsu, Supermicro, Gigabyte, Intel, and Phoenix have released security bulletins addressing PKfail.

Many manufacturers have already released patches or firmware updates to remove and replace vulnerable keys. Users are strongly advised to check for updates from their device manufacturers and install any PKfail-related fixes as soon as possible.

The cybersecurity community remains vigilant as Binarly continues to investigate the full extent of the PKfail vulnerability. With the problem proving more pervasive than initially thought, it’s crucial for both manufacturers and end-users to take prompt action to secure their devices and mitigate this significant threat to UEFI Secure Boot integrity.
