PKfail, Critical Firmware Supply-Chain Issue Let Attackers Bypass Secure Boot

Hackers often attack secure boot during the boot process to execute unauthorized code, which gives them the ability to bypass a system’s security measures.

By compromising Secure Boot, they can install rootkits and malware at a low level, gaining persistent control over the system and evading traditional security defenses.

The Binarly Research Team discovered a significant supply chain security issue, code-named “PKfail,” in 2023. It involved leaked private keys of Secure Boot’s Platform Key (PK) from AMI AMI. 

PKfail is a failure of the firmware supply chain that affects more than 10% of UEFI ecosystem devices.

It comes from using untrusted Platform Keys (PK) generated by Independent BIOS Vendors and shared across different manufacturers.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

PKfail Firmware Supply-Chain Issue

This occurrence affected many vendors of devices, such as manufacturers of enterprise products based in the United States, and exposed weak cryptographic practices plus non-production keys used on production firmware.

This problem affects various product lines and manufacturers, just as it did with a previous Intel Boot Guard key leak.

In response to this, Binarly developed PK.fail, a free scanning tool to identify vulnerable devices and malicious payloads. They also worked with CERT/CC on responsible disclosure and mitigation strategies.

PKfail vulnerability was detected in certain Dell products like XPS 8960 Desktop during Binarly’s collaborative disclosure process.

It was found that these devices initialized Secure Boot variables with AMI’s default non-production Platform Key (PK), consequently making them vulnerable to attacks.

To this effect, NVRAM variables were analyzed from live firmware dumps to confirm the exploit. However, Dell had an effective mitigation strategy in some others.

The module DellSecureBootSmm {d54a91f0-4547-4380-8890-17c19937f853} mitigates this by changing AMI’s default values into hard-coded Dell-specific Secure Boot variables within the module’s data section.

This is due to two different approaches used across Dell’s product line, which highlight how difficult it is for the company to ensure security consistency among diverse product lines.

This report emphasizes the critical importance of proper cryptographic key management in firmware security and highlights how vendor-researcher collaboration can help identify and solve complex security problems.

Besides this, Binarly’s scan revealed 22 different untrusted keys, the most frequently occurring of which was American Megatrends International’s test key.

This cross-silicon problem highlights the importance of cryptographic key management in firmware supply chains and advocates for replacing test keys with securely generated ones, perhaps using hardware security modules.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo