
PKfail: A Recently Discovered Pathway for Firmware Malware


Hundreds of laptop and server models from mainstream manufacturers are currently facing a security risk due to a leaked asymmetric key that compromises the Secure Boot protections, which are meant to ensure only trusted software can load during computer bootup. Researchers from California supply chain startup Binarly have identified this vulnerability, which they have named PKfail, in motherboards developed with kits made by American Megatrends International.

The vulnerability allows malware to be loaded during boot, before the operating system starts, which lets attackers evade antivirus software and persist across operating system reinstalls. The Unified Extensible Firmware Interface (UEFI) boot standard, maintained by a consortium of hardware manufacturers and operating system developers, includes the Secure Boot specification to protect the integrity of the boot process. Vulnerabilities like PKfail show how hard it is to secure this critical layer of computing.

The flaw originated from an AMI cryptographic key that was mistakenly published in a GitHub repository in December 2022. The key was encrypted, but only with a simple four-character password, so it was easy to recover. This key is critical to Secure Boot: it serves as the platform key (PK), the root of the trust chain used to verify boot components and to check them against the list of blacklisted software.

Binarly’s research identified more than 200 affected devices, including products from well-known manufacturers such as Acer, Dell, Gigabyte, Intel, Lenovo, and Supermicro. Both x86 and ARM devices are vulnerable to PKfail, which underscores the widespread impact of this security flaw. Interestingly, the leaked AMI platform key was labeled as “do not trust” or “do not ship,” indicating that it was intended for testing purposes and device vendors were expected to replace it with their own key pair.

AMI, one of the major commercial UEFI vendors, has stated that they will continue to provide “test” platform keys to customers but have implemented additional safeguards to mitigate the risk of using these keys in production firmware. Despite efforts to address the issue, researchers have observed similar instances of untrusted platform keys in UEFI firmware from as far back as 2012, raising concerns about the persistence of this vulnerability over time.

In response to the PKfail research, some manufacturers have reassured customers that their systems are not affected or that vulnerable devices are no longer in use. Lenovo, HP, Fujitsu, and Intel have all provided statements regarding the status of devices impacted by PKfail. Supermicro, on the other hand, acknowledged the issue in older systems and indicated that BIOS updates have been released to remediate the platform key issues.

Unfortunately, there is little that individual users can do to protect against PKfail other than ensuring secure access to their machines and applying any available firmware updates addressing the vulnerability. Binarly has set up a website where users can upload firmware binaries to check for PKfail, offering a proactive approach for detecting potential compromises in their systems.
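As an added example (not from the article and not Binarly's tooling), the following script performs the local check a Linux administrator would want: it reads the Secure Boot PK variable from efivarfs, walks its EFI_SIGNATURE_LIST structures, and flags any X.509 certificate whose DER contains the "DO NOT TRUST" or "DO NOT SHIP" marker the article describes. It assumes a Linux host with efivarfs mounted at the standard path; the efivars filename and marker strings are the assumptions here, and the parser also accepts raw signature-list blobs extracted from a firmware image.

```python
import struct
import uuid
from pathlib import Path

# EFI_SIGNATURE_LIST header: SignatureType GUID, then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian UINT32.
ESL_HEADER = struct.Struct("<16sIII")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# Markers found in the subject of AMI's test platform key, as quoted by the article.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")
# Assumption: Linux with efivarfs mounted; PK lives under the EFI global variable GUID.
PK_EFIVAR = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")


def parse_signature_lists(data: bytes) -> list:
    """Return (signature_type_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures; raises on malformed input."""
    entries = []
    offset = 0
    while offset + ESL_HEADER.size <= len(data):
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, offset)
        if list_size < ESL_HEADER.size or offset + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos = offset + ESL_HEADER.size + hdr_size
        end = offset + list_size
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the
        # payload (a DER-encoded certificate for X.509 entries).
        while sig_size > 16 and pos + sig_size <= end:
            entries.append((sig_type, data[pos + 16 : pos + sig_size]))
            pos += sig_size
        offset = end
    return entries


def find_test_keys(data: bytes) -> list:
    """Return the marker strings present in any X.509 certificate in the lists."""
    hits = []
    for sig_type, cert in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        # Subject names in DER are stored as plain ASCII/UTF-8, so a byte search suffices.
        upper = cert.upper()
        hits.extend(m.decode() for m in TEST_KEY_MARKERS if m in upper)
    return hits


def check_pk_efivar(path: Path = PK_EFIVAR) -> list:
    """Read the PK variable from efivarfs: 4-byte attribute word, then the data."""
    return find_test_keys(path.read_bytes()[4:])


if __name__ == "__main__":
    found = check_pk_efivar()
    print("test-key markers in PK:" if found else "no test-key marker in PK", found)
```

A hit means the machine still carries a vendor-unreplaced test PK and should be scheduled for the firmware update the article mentions.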

Overall, the PKfail security flaw highlights the ongoing challenges in securing the firmware layer of computers and underscores the importance of rigorous testing and oversight in the development and deployment of UEFI systems. As researchers continue to uncover vulnerabilities in secure boot mechanisms, manufacturers and developers must remain vigilant in addressing these issues to protect users from potential exploits and breaches.
