WTF?! If you thought your laptop, desktop, or server was protected by Secure Boot, think again. A new vulnerability dubbed “PKfail” has left Secure Boot wide open on hundreds of PC and devices across several major tech brands. Researchers at cybersecurity firm Binarly just dropped a bombshell report showing how a leaked cryptographic key has essentially nuked the security guarantees of Secure Boot for over 200 product models.
Secure Boot is a security standard created by PC industry members to ensure that a device can only boot up using software verified and trusted by the respective OEM. This new security breach stems from someone working for multiple US manufacturers accidentally leaking the “platform key” for Secure Boot in late 2022.
This key is the critical root-of-trust that underpins the entire Secure Boot process on devices from vendors like Acer, Dell, Gigabyte, Intel, and Supermicro. According to a report from Ars Technica, an employee posted source code containing the encrypted platform key to a public GitHub repo. They protected it with a laughably weak 4-character password that was easily cracked.
While the leak initially flew under the radar, Binarly’s researchers stumbled upon it in January 2023. Their findings reveal that this compromised platform key was being disturbingly reused across hundreds of different product lines from multiple big-name tech brands. It’s also a cross-silicon issue, as it affects both x86 and Arm devices.
Essentially, this means malicious actors can bypass Secure Boot by signing malicious code and load up nasty firmware implants like the infamous BlackLotus. The findings are especially concerning given Microsoft has made Secure Boot a requirement for Windows 11 and has been pushing the technology for years to secure systems against BIOS rootkits.
The fallout has been a decade in the making, too. Binarly’s analysis of UEFI firmware images stretching back to 2012 found over 10% were impacted by using these untrusted keys, instead of manufacturer-generated secure ones as intended. Even looking at just the past 4 years, 8% of firmware still had the issue.
This is a brutal supply chain failure, exposing how sloppily some vendors have handled critical platform security. Issues range from reusing the same keys across consumer and enterprise device lines, shipping products with non-production cryptographic material, and failing to rotate keys regularly. Binarly highlighted these security problems related to device supply chain security that led to this breach.
For device owners and IT admins, Binarly advises first checking if your equipment is listed in their vulnerability advisory and quickly applying any related firmware patches from your vendor.
Furthermore, the firm notes that device vendors should ensure they generate and manage the platform key following best practices for cryptographic key management, such as using Hardware Security Modules. They should also replace any test keys provided with securely generated keys.
Masthead credit: FlyD