Now, I admit that my own password hygiene isn't always the best, though I'm long past the days of using “xxxxxx” for a few non-critical accounts under the reverse-psychology assumption that it's so obviously insecure that no one would bother trying it. I'm a genius, I know. But even I realize that a four-character password is a dead no-no.
And yet, that's exactly what was used to protect an encrypted file that was critical to the fundamental integrity of Secure Boot, a UEFI BIOS security layer designed to ensure that a device boots using only software trusted by the PC manufacturer itself.
Ars Technica reports that“Researchers at security firm Binarly have revealed that Secure Boot is completely compromised on over 200 models of devices sold by Acer, Dell, Gigabyte, HP, Intel, Lenovo, Supermicro, and others. The cause: a cryptographic key supporting Secure Boot on those models was compromised in 2022.” Oops.
A cryptographic key critical to Secure Boot that forms the root of trust anchor between the hardware device and the UEFI firmware running on it and is used by several hardware manufacturers has apparently been published online, protected only by a four-character password. Security firm Binarly detected the leak in early 2023 and has now released the leak. published a comprehensive report describing the chronology and development of the problem.
Part of the problem, as we understand it, is that device makers are basically using the same old keys over and over again. To quote Binarly, the security flaw implies that “there is no rotation of platform security cryptographic keys per product line. For example, the same cryptographic keys were confirmed on client- and server-related products. Similar behavior was detected with the Intel Boot Guard reference code key leak. The same OEM used the same platform security-related cryptographic keys for firmware produced for different device manufacturers. Similar behavior was detected with the Intel Boot Guard reference code key leak.”
The report includes a list of hundreds of machines from the aforementioned brands that have been compromised by the leak. For the record, some of those systems include Alienware desktops and gaming laptops. Security experts say that for those devices using the compromised key, it represents an unfettered bypass of Secure Boot that allows malware to run during system boot. Only a direct firmware update for each device can protect the affected devices.
All that said, Ars Technica cites many of the brands involved, essentially stating that all relevant systems have been patched or taken out of service, which is presumably why Binarly is now publishing details of the security breach that would allow bad actors to take advantage of it.
All of this seems to indicate that this is now a historical problem rather than a real security risk. But it also highlights how easily even well-conceived security features can be undermined if they're not implemented properly. As one security expert interviewed by Ars put it, “The story is that the entire UEFI supply chain is a mess and hasn't improved much since 2016.”
Anyway, if you have any concerns, Click to view the full report and take a look to see if any of your devices are listed. If so, you most likely need to update your BIOS.
Leave feedback about this