Now, I’ll admit my own password hygiene isn’t always the best, though I have graduated from the days when I used “xxxxxx” for a few non-critical accounts under the reverse psychology assumption that it’s so obviously insecure, nobody would bother trying it. Genius, I know. But even I realise a four-character password is a big no-no.
And yet that’s exactly what was used to protect an encrypted file that was critical to the fundamental integrity of the Secure Boot, a UEFI BIOS security layer designed to ensure that a device boots using only the software that is trusted by the PC maker itself.
Ars Technica reports that, “researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, HP, Intel, Lenovo, Supermicro and others. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022.” Ouch.
Apparently, a critical cryptographic key for Secure Boot that forms the root-of-trust anchor between the hardware device and the UEFI firmware that runs on it and is used by multiple hardware manufacturers was published online, protected only by a four-character password. Security outfit Binarly spotted the leak in early 2023 and has now published a full report outlining the timeline and development of the problem.
Part of the problem, as we understand it, is device makers basically using the same old keys over and over again. To quote Binarly, the security failure involves, “no rotation of the platform security cryptographic keys per product line. For example, the same cryptographic keys were confirmed on client and server-related products. Similar behavior was detected with Intel Boot Guard reference code key leakage. The same OEM used the same platform security-related cryptographic keys for firmware produced for different device manufactures. Similar behavior was detected with Intel Boot Guard reference code key leakage.”
The report includes a list of hundreds of machines from the brands mentioned above that have all been compromised by the leak. For the record, some of those systems include Alienware gaming desktops and laptops. Security experts say that for those devices that use the compromised key, it represents an unlimited Secure Boot bypass allowing malware to be executed during system boot. Only a direct firmware update for each device can secured affected devices.
All that said, Ars Technica quotes many of the brands involved essentially claiming that all of the relevant systems have now either been patched or taken out of service, which is presumably why Binarly is now publishing details of the security breach that would allow bad actors to take advantage of it.
That all seems to indicate that this is now a historical problem rather than a live security risk. But it also underlines how easily even well-conceived security features can be undermined if not implemented properly. As one security expert interviewed by Ars said, “the story is that the whole UEFI supply chain is a hot mess and hasn’t improved much since 2016.”
Anyway, if you have any concerns, hit up the full report and have a looksee if any of your devices appear. If they do, a BIOS update is very likely in order.