September 17, 2024 at 09:32AM
Roughly 9% of tested firmware images use non-production cryptographic keys, making Secure Boot devices vulnerable to UEFI bootkit malware attacks. Known as ‘PKfail’, this supply chain attack affects various computer manufacturers and has been addressed by Binarly, who released a “PKfail scanner” to identify vulnerable firmware submissions. Vendors are taking proactive measures to respond.
It seems that the meeting notes discussed the PKfail vulnerability, which affects Secure Boot devices due to the use of non-production cryptographic keys. The vulnerability potentially leaves devices susceptible to UEFI bootkit malware attacks. Binarly discovered the issue in late July 2024 and released a “PKfail scanner” which has found 791 vulnerable firmware submissions out of 10,095. The impact of PKfail extends to various devices including medical devices, desktops, laptops, gaming consoles, enterprise servers, ATMs, POS terminals, and even voting machines.
The vulnerable submissions mainly include keys from AMI, Insyde, Phoenix, and Supermicro, and it was noted that some older keys, such as Insyde keys generated in 2011, are still used in modern devices. The community has also confirmed that PKfail impacts specialized devices from Hardkernel, Beelink, and Minisforum.
In response to PKfail, some vendors have been proactive and swift in releasing patches or firmware updates to remove vulnerable Platform Keys or replace them with production-ready cryptographic materials. Additionally, advisories about the security risk related to PKfail are available from vendors such as Dell, Fujitsu, Supermicro, Gigabyte, Intel, and Phoenix. It was recommended that if a device is no longer supported and is unlikely to receive security updates for PKfail, physical access to it should be limited and it should be isolated from more critical parts of the network.