"Secure Boot is completely broken on 200+ models from 5 big device makers"
From Ars Technica:
In 2012, an industry-wide coalition of hardware and software makers
adopted Secure Boot to protect against a long-looming security
threat. The threat was the specter of malware that could infect the
BIOS, the firmware that loaded the operating system each time a
computer booted up. From there, it could remain immune to detection
and removal and could load even before the OS and security apps did.
From Ars Technica:
In 2012, an industry-wide coalition of hardware and software makers
adopted Secure Boot to protect against a long-looming security
threat. The threat was the specter of malware that could infect the
BIOS, the firmware that loaded the operating system each time a
computer booted up. From there, it could remain immune to detection
and removal and could load even before the OS and security apps did.
The threat of such BIOS-dwelling malware was largely theoretical and
fueled in large part by the creation of ICLord Bioskit by a Chinese researcher in 2007. ICLord was a rootkit, a class of malware that
gains and maintains stealthy root access by subverting key
protections built into the operating system. The proof of concept demonstrated that such BIOS rootkits weren't only feasible; they were
also powerful. In 2011, the threat became a reality with the
discovery of Mebromi, the first-known BIOS rootkit to be used in the
wild.
...
On Thursday, researchers from security firm Binarly revealed that
Secure Boot is completely compromised on more than 200 device models
sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in
December of that year, someone working for multiple US-based device manufacturers published what?s known as a platform key, the
cryptographic key that forms the root-of-trust anchor between the
hardware device and the firmware that runs on it. The repository was
located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and
it's not clear when it was taken down.
The repository included the private portion of the platform key in
encrypted form. The encrypted file, however, was protected by a four- character password, a decision that made it trivial for Binarly, and
anyone else with even a passing curiosity, to crack the passcode and
retrieve the corresponding plain text. The disclosure of the key went
largely unnoticed until January 2023, when Binarly researchers found
it while investigating a supply-chain incident. Now that the leak has
come to light, security experts say it effectively torpedoes the
security assurances offered by Secure Boot.
?It?s a big problem,? said Martin Smolár, a malware analyst
specializing in rootkits who reviewed the Binarly research and spoke
to me about it. ?It?s basically an unlimited Secure Boot bypass for
these devices that use this platform key. So until device
manufacturers or OEMs provide firmware updates, anyone can basically?
execute any malware or untrusted code during system boot. Of course, privileged access is required, but that?s not a problem in many
cases.?
Binarly researchers said their scans of firmware images uncovered 215
devices that use the compromised key, which can be identified by the certificate serial number
55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at
the end of this article lists each one.
Full article, apparently not behind a paywall: <https://arstechnica.com/security/2024/07/secure-boot-is-completely- compromised-on-200-models-from-5-big-device-makers>
From Ars Technica:It smacks of this being done on purpose.
Full article, apparently not behind a paywall:
https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers
Interesting. I've never been clear about how much this matters.
I turned off secure boot after Suse15 messed it up by installing
a bad shim. I still can't say that I really understand that, but I
haven't worried about it. So I guess it's reassuring to know that
it was a safe with no back wall all along. :)
I don't use Secure Boot, so this is irrelevant at the moment.
To verify that the Secure Boot DB update was successful, open an Admin PowerShell
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 361 |
Nodes: | 16 (2 / 14) |
Uptime: | 123:18:19 |
Calls: | 7,716 |
Files: | 12,861 |
Messages: | 5,727,955 |