Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.
In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
The threat of such BIOS-dwelling malware was largely theoretical and fueled in large part by the creation of ICLord Bioskit by a Chinese researcher in 2007. ICLord was a rootkit, a class of malware that gains and maintains stealthy root access by subverting key protections built into the operating system. The proof of concept demonstrated that such BIOS rootkits weren't only feasible; they were also powerful. In 2011, the threat became a reality with the discovery of Mebromi, the first-known BIOS rootkit to be used in the wild.
Keenly aware of Mebromi and its potential for a devastating new class of attack, the Secure Boot architects hashed out a complex new way to shore up security in the pre-boot environment. Built into UEFI—the Unified Extensible Firmware Interface that would become the successor to BIOS—Secure Boot used public-key cryptography to block the loading of any code that wasn't signed with a pre-approved digital signature. [...]
On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it's not clear when it was taken down.
The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.
[...] The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings "DO NOT SHIP" or "DO NOT TRUST."
[...] People who want to know if their Windows device uses one of the test platform keys can run the following PowerShell command:
> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"
True
Linux users can detect one of the test certificates by displaying the content of the PK variable:
$ efi-readvar -v PK
Variable PK, length 862
PK: List 0, type X509
    Signature 0, size 834, owner 26dc4851-195f-4ae1-9a19-fbf883bbb35e
        Subject:
            CN=DO NOT TRUST - AMI Test PK
        Issuer:
            CN=DO NOT TRUST - AMI Test PK
There's little that users of an affected device can do other than install a patch if one becomes available from the manufacturer. In the meantime, it's worth remembering that Secure Boot has a history of not living up to its promises. The most recent reminder came late last year with the disclosure of LogoFAIL, a constellation of image-parsing vulnerabilities in UEFI libraries from just about every device maker. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.
"My takeaway is 'yup, [manufacturers] still screw up Secure Boot, this time due to lazy key management,' but it wasn't obviously a change in how I see the world (secure boot being a fig leaf security measure in many cases)," HD Moore, a firmware security expert and CTO and co-founder at runZero, said after reading the Binarly report. "The story is that the whole UEFI supply chain is a hot mess and hasn't improved much since 2016."
The 215 affected devices are listed at the end of TFA.
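The check performed by the two commands in the summary, as an added example that is not from the article or the Binarly report: a Python parser that walks the EFI_SIGNATURE_LIST entries of a PK variable and applies the same raw byte match for the test-key markers to each X.509 entry. The function names and the sample blob are constructed for illustration (filler bytes sized to the 862/834-byte figures in the efi-readvar output, not a real certificate); the efivarfs path is the standard Linux location for PK.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")
# Standard efivarfs location of PK (EFI global variable GUID).
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, sig_data) for every entry in a signature database."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def find_test_keys(data):
    """Return [(owner_guid, marker)] for X.509 entries containing a test-key marker."""
    hits = []
    for sig_type, owner, cert in parse_signature_lists(data):
        if sig_type != X509_GUID:
            continue
        # Same raw byte match as the PowerShell one-liner, applied per certificate.
        hits += [(str(owner), m.decode()) for m in MARKERS if m in cert]
    return hits

def read_pk(path=PK_PATH):
    """Read PK from efivarfs; the first 4 bytes are the variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]

def make_sample(cn):
    """Constructed sample: one X.509 list whose 'certificate' is filler, not real DER."""
    owner = uuid.UUID("26dc4851-195f-4ae1-9a19-fbf883bbb35e")  # owner GUID from the output above
    cert = (b"CN=" + cn).ljust(818, b"\x00")  # 818 + 16-byte owner = 834, as in the output above
    sizes = struct.pack("<III", 28 + 16 + len(cert), 0, 16 + len(cert))
    return X509_GUID.bytes_le + sizes + owner.bytes_le + cert

if __name__ == "__main__":
    print(find_test_keys(make_sample(b"DO NOT TRUST - AMI Test PK")))
```

On a UEFI Linux system, `find_test_keys(read_pk())` runs the same check against the live variable; an empty list means no marker string was found in any PK certificate.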
(Score: 5, Insightful) by Deep Blue on Monday July 29 2024, @07:05PM (7 children)
It was never about security, it was about monopoly.
(Score: 3, Interesting) by aafcac on Monday July 29 2024, @08:10PM
The issue with things like this is that there's only so far you can go. A system where you can boot into an alternate mode which can verify the checksum of key files would probably be more effective. But, there's a bunch of issues that come from things like how often system files need to be patched these days to keep up with security flaws and updating the chip that has the verification functions built in.
It would be far better to start actually forcing commercial software vendors to simplify their systems, at least as far as the core features go, so that there's less attack surface and have the NSA focus on ensuring that the exploits are known about.
(Score: 4, Funny) by darkfeline on Monday July 29 2024, @10:19PM (2 children)
The article, nay, summary, literally says
> In 2012, an industry-wide coalition [...] adopted Secure Boot to protect against [...] malware that could infect the BIOS
> In 2011, the threat became a reality with the discovery of Mebromi, the first-known BIOS rootkit to be used in the wild.
Are you a karma farming bot? Honest question.
Join the SDF Public Access UNIX System today!
(Score: 3, Funny) by Deep Blue on Tuesday July 30 2024, @12:14PM
Am not karma farming bot, you are. I don't even know what that is and why that would be a thing. Damn, now I wish I was a bot.
"Industry-wide coalition", hmm, MS and Intel said: you do as we tell you or your products won't work no moar.
(Score: 2) by Freeman on Tuesday July 30 2024, @03:03PM
One palm greases the other. It's about the "security" and then you see things like this happening. Don't worry, some just ship it with infected bios to begin with. It's not been all that long since Lenovo was shipping Adware/Malware with their computers. Now It's THREE Pre-Installed Malwares on Lenovo Laptops [makeuseof.com]
In any case, it's never about "the security" rather it's "always about the money". Assuming someone can be convinced that having security means more money, you've won the battle.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Snotnose on Monday July 29 2024, @11:12PM (1 child)
The biggest impact it had on me was it made it a real bitch to dual-boot Linux on a couple laptops.
Is anyone surprised ChatGPT got replaced by an A.I.?
(Score: 5, Insightful) by Kell on Tuesday July 30 2024, @01:45AM
Working as intended.
Scientists ask questions. Engineers solve problems.
(Score: 2) by mcgrew on Wednesday July 31 2024, @01:29PM
Indeed. I attempted to install Mint on my newest notebook because I came to absolutely HATE Windows 11. I first went into the BIOS (or whatever they call it now) and saw nothing except that it was graphical!
Linux seemed to install easily and perfectly, but on boot, Windows loaded. There was no GRUB. Now its hard drive is half its size. Linux simply won't run on it!
The more I learn, the more I realize how abysmally ignorant I am.
(Score: 3, Informative) by vux984 on Monday July 29 2024, @07:12PM (5 children)
For anyone wanting a copy-pasteable version; and run powershell as administrator
(Score: 0) by Anonymous Coward on Monday July 29 2024, @08:34PM (1 child)
10.0.22621 N/A Build 22621
(Score: 4, Interesting) by vux984 on Monday July 29 2024, @09:13PM
If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet displays the following:
https://learn.microsoft.com/en-us/powershell/module/secureboot/get-securebootuefi?view=windowsserver2019-ps [microsoft.com]
(Score: 5, Funny) by PiMuNu on Tuesday July 30 2024, @07:38AM (2 children)
What's powershell? Is it some update to bash?
(Score: 4, Informative) by stormreaver on Tuesday July 30 2024, @12:39PM
Powershell is a derivative of LISP, which is downright readable by comparison.
(Score: 2) by Freeman on Tuesday July 30 2024, @03:06PM
Powershell is the Windows command prompt replacement that Microsoft wishes they could just do already.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by VLM on Monday July 29 2024, @09:50PM
So, instead of corporations, governments, and three letter agencies having access to the general public's keys, the general public now have access to their own keys.
I don't think much is going to change.
(Score: 4, Insightful) by darkfeline on Monday July 29 2024, @10:27PM
Let us practice some critical thinking.
This is not a problem with Secure Boot. This is a problem with the key management for a subset of keys/manufacturers.
And what is the impact of this? You can run whatever boot binaries you want, just like if Secure Boot didn't exist. If you hated Secure Boot, then you should be happy about this.
This is the same as root exploits; it's a security issue that gives power (and thus responsibility) back to the user. Well, you could have installed a custom Secure Boot key anyway, but y'know, maybe you're too lazy.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Tuesday July 30 2024, @12:46AM
(Score: 5, Insightful) by Subsentient on Tuesday July 30 2024, @12:50AM (1 child)
Hardware BIOS write protect DIP switch or button to hold when booting, only usable for flashing firmware.
"But muh vendors can't ship BIOS updates automatically then!"
Good.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 2) by ShovelOperator1 on Wednesday July 31 2024, @11:00AM
Or even easier and cheaper: A must-install screw - usually in one of popular screw holes with which the mainboard is kept in the casing, frequently the bottom-right corner (having power upwards, slots downwards) is free of cables for easier removal. Install m/b in the casing, the m/b is protected. Remove screw - the write line gets "ungrounded" and chip can be flashed.
Automatic BIOS updates are evil and should be turned off. There is no certainty it will reliably work, many times it breaks compatibility, and it gives the full control of the hardware by manufacturer. I have seen a Dell notebook (corporate version with custom management, there was even a serial-over-ethernet in it) which happily flashed a 404 page into its BIOS. I was amazed when I dumped the chip, as CRC should protect it... except that in this model and in this management mode you could flash an entire BIOS like you flash the configuration and then only the in-transit CRC was checked - it was only a matter of specifying the other address range and length.
Remember that in 2000s, when BIOS influenced the OS it was considered a rogue practice even if it was only adding the support site link to the bookmarks (see PhoenixNet BIOSes). As BIOS is on a lower level than OS, it should still be considered dangerous as who knows what the company will put there next time (PhoenixNet ended with a Windows binary which opened web browser on the vendor's page with ads).
(Score: 4, Insightful) by Rich on Tuesday July 30 2024, @01:12PM (1 child)
All I'd have to post on the topic has been posted and is modded at 5. I can only add that parroting the propaganda as-is ("In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS") reflects very badly on ars and their credibility. That wording is already close to the infamous "You'll get raped in a parking lot if people can repair things" piece.
(Score: 2) by The Vocal Minority on Wednesday July 31 2024, @05:24AM
Arse Technica hasn't had much credibility for a while now.