• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

Secure Boot is broken

winjer

Gold Member

In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro.

The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it's not clear when it was taken down.

The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”

Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one.

The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings “DO NOT SHIP” or “DO NOT TRUST.”



To test your UEFI: https://pk.fail/

If your system is vulnerable, go to the site of your manufacturer and check for a new UEFI version.
 

Northeastmonk

Gold Member
I never have secure boot enabled due to always using a fresh image and HP and Dell machines not liking it. Buying stock Dell machines will either two things: 1. secure boot is enabled and 2. The drive is an array oob. Secure Boot always caused issues with imaging in my experience.
 

Northeastmonk

Gold Member
Toaster user here. If secure boot is off, am I good or do I need to download the new UEFI version?
I don’t honestly think you need it unless you feel like you’re going to get hit with a rootkit attack. I don’t ever see it enabled and if it is it usually borks the OS from installing. I’ve dealt with bitlocker more than secure boot. I can’t think of anytime I’ve been asked about secure boot, especially with hipaa compliant customers. It’s usually bitlocker, password policy, and MFA.

In other words, I wouldn’t lose any sleep over it lol
 
I guess i passed that bullet

JRtxcOT.png
 

poppabk

Cheeks Spread for Digital Only Future
If it is off, you are not using secure boot at all. You're good.
How is that better. Maybe I am not understanding but the problem is that this makes a secure boot machine effectively not secure boot?
I’m gonna secure boot my ass over to Linux the second windows 10 support ends.
I am definitely not understanding - how is this a windows issue?
 
Last edited:

The_hunter

Member
How is that better. Maybe I am not understanding but the problem is that this makes a secure boot machine effectively not secure boot?

I am definitely not understanding - how is this a windows issue?
Your interpretation is right. I didn't mean that the fix is to turn off secure boot. I meant that if you don't use it in the first place, this doesn't effect you. My comment wasn't clear enough.
 

YeulEmeralda

Linux User
I do all my banking stuff with my phone these days the PC is just for gaming so I wouldn't even care if it gets malwared.
 

ShirAhava

Plays with kids toys, in the adult gaming world
Just tested this on both my WIndows and Linux rigs and I'm safe thankfully
 

ReBurn

Gold Member
Not directed at you per se, but If you don't know what you're doing then moving over to Linux isn't really going to help.
Seriously. Bootkit vulnerabilities exist in the Linux world, too. The designers of malware for Linux distros count on people who don't use secure boot or tpm, whether it be through ignorance or obstinace.
 

ReBurn

Gold Member
Ehhh. I'd trust a well secured PC over a phone. Android and iOS are terrible.
Understandable. PC's are certainly targeted more, but Android and iOS devices have had (and currently have) vulnerabilities that could be exploited to inject code into the boot chain. Security flaws are what continue to make jailbreaks possible.
 

Griffon

Member
So, let me see if I understand that properly.

If secure boot is off, you're not protected.
If secure boot is on but you're using one of those motherboards, you're not protected either.

So in the end it's like you don't have secure boot to begin with right?
 

ReBurn

Gold Member
How do i check if i have secure bot activated?

Go easy with the explanation, i'm a fucking noob.
I haven't done it it a while since it's almost always on by default, so it could have changed. But if you have Windows system you can press the Windows key and the R key at the same time to bring up the Run application. Then type msinfo32 and press enter. Under the system summary there should be a line that tells you whether it's on or off.
 

winjer

Gold Member
Hi,

How to obtain the binary file to be checked on the site please?

One way is to use a program like AFUWIN to dump the uefi.

The easiest way is to go to the manufacturer of your motherboard and download the file of the UEFI version you are using.
Then just upload it to the site and it will compare the keys in that UEFI with the broken keys.

A program like HWinfo or CPUZ will show the version of the current UEFI your PC is using.
 
Last edited:

kruis

Exposing the sinister cartel of retailers who allow companies to pay for advertising space.
How do i check if i have secure bot activated?

Go easy with the explanation, i'm a fucking noob.

See here for ways to check if you've got Secure Boot enabled.

Personally I don't see the point of Secure Boot in non business environments. The idea of Secure Boot is to prevent a hacker from booting an unrecognized OS/boot loader on your PC or adding custom UEFI boot drivers to your system. Well, for the first issue that hacker must have hands on access to your PC and there's nothing stopping that hacker from booting Windows or Linux from USB since those OSes are of course on the list of approved, safe operating systems. And if someone was able to secretly add malafide UEFI boot drivers on your PC, then you were already hacked.

Secure Boot makes sense in business or government environments where they handle top secret documents. You don't want a hacker to insert a USB drive into a PC, hack the UEFI BIOS and then have the PC run hacking code before the OS has even loaded. There it makes a lot of sense.

The downside of SecureBoot is that the list of approved operating systems is small and it's very, very hard to get on that list. At work I use iPXE as a way to boot multiple OSes from either the HD or the network in examination class rooms. The PC boots from the network, loads the iPXE file and shows a menu. Works great - but only with Secure Boot turned off since the iPXE boot loader is not on the approved list.
 
Last edited:

kensama

Member
One way is to use a program like AFUWIN to dump the uefi.

The easiest way is to go to the manufacturer of your motherboard and download the file of the UEFI version you are using.
Then just upload it to the site and it will compare the keys in that UEFI with the broken keys.

A program like HWinfo or CPUZ will show the version of the current UEFI your PC is using.
Ok but UEFI where it can be find cause on Asus site for my motherboard i can't get this.
 

kensama

Member
Should be on the support page for your motherboard. Then on the downloads section.


I have only this
 

winjer

Gold Member


I have only this

That 's it. The BIOS file.
Modern firmware is called UEFI. But some people and companies still refer to it as BIOS.
 

kensama

Member
That 's it. The BIOS file.
Modern firmware is called UEFI. But some people and companies still refer to it as BIOS.
ok but i got a file in zip and inside a .cap what to do with it?

That's ok i uploaded the .CAP file and it scan it

Result:

Hzx8czO.png
 
Last edited:
Top Bottom