Secure Boot, a tool that’s built into hundreds of millions of PCs to keep them from loading unverified software via UEFI, is a fundamental cornerstone of modern computer security. It uses cryptographic signatures in hardware components to make sure that nothing connected to your PC can load up code that you (or at least the PC) haven’t verified. That’s why cryptographic key leaks are such a big deal.
Related: How to improve your Windows 11 security
Security research firm Binarly reports that leaked cryptographic keys have compromised hardware from several major vendors in the PC industry, including Dell, Acer, Gigabyte, Supermicro, and even Intel. Eight percent of firmware images released in the last four years are compromised, with 22 untrusted keys discovered immediately.
And according to an Ars Technica post, “more than 200 device models” from these vendors are affected by one particular key that was posted to an open GitHub repository in late 2022.
Binarly is calling the exploit “PKfail.” The meat and bones of the situation is that a lot of devices in both the consumer and B2B spaces are now vulnerable to attacks on the boot process. This is one of the most dangerous ways in which a computer can be compromised, though attacks do need to be particularly complex to succeed.
It’s the kind of exploit that state-sponsored hackers love, because it’s possible to target extremely specific devices and run code that’s almost undetectable once you get into Windows or a similar OS. (Larger-scale attacks on general users are also possible, but less likely.)
One of the more upsetting issues highlighted by the report is that several vendors actually shipped devices with firmware labeled “DO NOT TRUST” or “DO NOT SHIP,” indicating that they knew about the compromised state of the keys… and ignored it.
It should be easy enough for hardware vendors to update device firmware and remove the compromised binary files, though the breadth of the vulnerability means that some PCs could require multiple firmware updates to cover all affected components.
Binarly has created an online tool for PKfail detection that lets you scan firmware files to see if the corresponding devices are using the compromised keys. Ars Technica’s post goes into more depth and has a full list of the affected hardware models.
Perhaps the most disturbing revelation in all of this is that a single careless post, which was in no way malicious, can instantly make so many devices from so many manufacturers unsafe. And due to the nature of Secure Boot, there doesn’t seem to be any way to stop it from happening again aside from being extremely careful.
Further reading: Warning signs that your PC has been hacked
Author: Michael Crider, Staff Writer, PCWorld
Michael is a 10-year veteran of technology journalism, covering everything from Apple to ZTE. On PCWorld he’s the resident keyboard nut, always using a new one for a review and building a new mechanical board or expanding his desktop “battlestation” in his off hours. Michael’s previous bylines include Android Police, Digital Trends, Wired, Lifehacker, and How-To Geek, and he’s covered events like CES and Mobile World Congress live. Michael lives in Pennsylvania where he’s always looking forward to his next kayaking trip.
