Millions of Devices Vulnerable to 'PKFail' Secure Boot Bypass Issue

Attackers can bypass the Secure Boot process on millions of Intel and ARM microprocessor-based computing systems from multiple vendors, because they all share a previously leaked cryptographic key used in the device startup process.

The so-called Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain, and verifies the authenticity and integrity of a device's firmware and boot software.

Unfortunately, researchers from firmware security vendor Binarly discovered that the key had been publicly exposed in a data leak back in 2018. "This key was likely included in [AMI's] reference implementation with the expectation that it would be replaced with another safely generated key by downstream entities in the supply chain," Binarly said in a posting on the issue this week.

The PKFail Secure Boot Issue

What appears to have happened is that an original equipment manufacturer (OEM) used the AMI test key for firmware it produced for different Intel and ARM-based device makers. The result is there are potentially millions of consumer and enterprise devices around the world that are currently using the same compromised AMI PK during the secure bootup process, says Alex Matrosov, CEO and founder of Binarly. Affected vendors include Lenovo, HP, Asus and SuperMicro.

"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," says Matrosov, who has dubbed the issue as "PKFail." The issue makes it easier for attackers to, among other things, deploy Unified Extensible Firmware Interface (UEFI) bootkits like last year's BlackLotus, which offer persistent kernel access and privileges.

"The fix is easy: the compromised key needs to be replaced, and device vendors need to ship a firmware update," Matrosov says. Several have already done so, he notes. However, in many cases — as with data center servers, for instance, or for systems used in critical applications — the firmware updates could take some time to be deployed.

"Exploitation of this issue is trivial in the case that the device is impacted," he says, pointing to a proof-of-concept exploit (PoC) that Binarly developed for PKFail. Matrosov recommends that organizations disconnect devices with the leaked AMI PK from critical networks until they are able to deploy a firmware upgrade.

A Master Key and a Really Big Deal

The PKfail issue is a big deal because it makes it easy for hackers to bypass Secure Boot, which is like having a master key that unlocks many houses, said Rogier Fischer, CEO of Netherlands-based Hadrian in an emailed comment. "Since the same keys are used across different devices, one breach can affect many systems, making the problem widespread," he said.

PKFail is the only the latest manifestation of a problem that has been around for more than a decade, which is the tendency by OEMs and device-makers to use non-production and test cryptographic keys in production firmware and devices, Matrosov says. The AMI PK for instance was clearly meant to be treated as completely untrusted, and yet it ended up in devices from multiple vendors.

Binarly's report pointed to an incident in 2016 tracked as CVE-2016-5247, where security researchers discovered multiple Lenovo devices that shared the same AMI test PK. At the time, the National Vulnerability Database described the issue as allowing "local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key."

Ultimately, PKFail is a manifestation of poor cryptographic key management practices in the device supply chain, Binarly said in its report.

"This is a huge problem," Matrosov says. "If you think about an apartment complex where all the door locks have the same keys. If one key goes missing, it could create problems for everyone."