July 25th, 2024

Secure Boot is completely broken on 200 models from 5 big device makers

Researchers from Binarly found that Secure Boot is compromised on over 200 device models due to a leaked cryptographic key, posing significant security risks until manufacturers issue firmware updates.

Read original articleLink Icon
Secure Boot is completely broken on 200 models from 5 big device makers

Researchers from security firm Binarly have revealed that Secure Boot, a security feature designed to protect devices from malware, is compromised on over 200 models from major manufacturers including Acer, Dell, Gigabyte, Intel, and Supermicro. The issue stems from a cryptographic key that was leaked in 2022, which was published in a public GitHub repository. This key is crucial for establishing a secure connection between hardware and firmware. The repository contained the private portion of the platform key, protected by a weak four-character password, making it easy to crack. The compromised key allows unauthorized code to be executed during system boot, posing significant security risks until manufacturers issue firmware updates. Binarly's scans identified 215 devices using the compromised key, which can be recognized by a specific certificate serial number. Furthermore, the researchers found that the key compromise is part of a larger supply-chain issue affecting over 300 additional device models, with some keys marked as "DO NOT SHIP" or "DO NOT TRUST." This situation raises serious concerns about the integrity of Secure Boot across a wide range of devices, highlighting the challenges of revoking compromised keys without rendering many devices unusable. Security experts emphasize the urgency for manufacturers to address these vulnerabilities to restore trust in Secure Boot's protective capabilities.

Link Icon 21 comments
By @snailmailman - 5 months
I’ve had so many issues with secure boot on my machines causing issues that if I ever saw a secure boot error message I would never think “oh I must have a rootkit”

Instead I would assume, in order

- my config broke it

- OS update broke it

- the bios doesn’t properly handle any case that isn’t “preinstalled OEM windows”

I had a laptop that as far as I could tell, could only boot into windows’ default bootmgr.efi. I could turn off secure boot, and tamper with that efi to boot Linux, but it refused to acknowledge other boot loaders from within the bios. It wouldn’t surprise me in the slightest if secure boot isn’t properly handled. I’ve had too many issues with cheap computers having janky bioses.

By @drhagen - 5 months
> To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.

Am I correct that Secure Boot purely exists to prevent this attack vector: malware gets root on the OS, hardware allows updating firmware via OS now owned by malware, but Secure Boot means you have to wipe only the hard drive instead of the firmware to eliminate the malware.

It seems like it would be a lot simpler and more reliable to add a button to motherboards that resets the firmware to the factory version (on memory that can't be written by a malicious OS).

By @Terr_ - 5 months
It sounds like the biggest contributory problems here are:

1. Allowing unattended/automatic BIOS updates from a running OS at all

2. Being so paranoid about attacks by a spy with physical access to the computer that the keys cannot be replaced or revoked

I'm not a security researcher, but to just shoot the breeze a bit, imagine:

1. The OS can only enqueue data for a proposed BIOS update, actually applying it requires probable-human intervention. For example, reboot into the currently-trusted BIOS, and wait for the user to type some random text shown on the screen to confirm. That loop prevents auto-typing by a malicious USB stick pretending to be a keyboard, etc.

2. Allow physical access to change crypto keys etc, but instead focus on making it easy to audit and detect when it has happened. For example, if you are worried Russian agents will intercept a laptop being repaired and deep-rootkit it, press a motherboard button and record a values from a little LED display, values that are guaranteed to change if someone alters the key set and/or puts on a new signed BIOS. If you're worried, they'll simply replace the chipwork itself, then you'd need a way to issue a challenge and see a signed verifiable response.

By @StillBored - 5 months
This big mistake though was back when all this was being enabled on PC's, the linux vendors out of fear that the rest of the industry would lock them out, standardized on shim and the MS certificates in the firmware. Thus requiring MS to sign the first stage of every linux install/boot rather than both doing that, as well as defaulting to an environment where the distros would boot in UEFI 'setup mode' enroll their own cert/key chains during the first provision/boot, and then permanently switch to user mode. Had they done that, this entire article would have been just about meaningless as all those test keys would have been replaced the moment the machine was installed.

So today a decade+ later there still isn't a standard way to automatically enroll a linux distribution's keys during initial install in any of the distributions (AFAIK).

By @jauntywundrkind - 5 months
It feels utterly absurd that devices typically have certain keys are baked in, cannot be removed. I believe there are still Microsoft keys on nearly every device?

It's unconscionable to tell users this is here to keep you safe, but that you have no control over it & if something goes wrong well then too bad, at best we might provide an update.

(Also that governments can probably force these root-of-trust companies to sign payloads to circumvent security is also pretty icky to me.)

By @rurban - 5 months
Previously in 2023 Intel lost it's private UEFI key on the MSI hack. https://news.ycombinator.com/item?id=35843566

This time it's AMI. Cannot get bigger.

By @renegat0x0 - 5 months
UEFI comes with SB, Microsoft introduces TPM, Google introduces WEI. They will will say it is for your benefit, and in part it is correct, but security can be achieved through many measures, and corporations will choose such solutions that will grant them more ability to control your device.

This leads to accumulation of "power", and monopolization of it in systems leads to vulnerability. One point of failure is enough to compromise entire ecosystem.

Just reminds me that apple checked every application you run, for "safety reasons" (rather checks app certificates, but that is nearly the same).

By @tedunangst - 5 months
"It's EOL so no fix" is pretty shitty. It was defective for its entire unsupported life as well.
By @rebolek - 5 months
It's a bit of surprise that most of the things work most of the time, given on how shaky basis are they build.
By @PennRobotics - 5 months
> ... key players in security—among them Microsoft and the US National Security Agency ...

This phrase does not sit well with me.

By @jokoon - 5 months
Isn't that a vulnerability that still requires physical access to hardware?

Or is that just a protection against rootkits?

I still fail to understand what secure boot is protecting against: if a machine is compromised remotely, does secure boot prevents installing a rootkit that's invisible from virus scanners?

By @tithe - 5 months
By @nightowl_games - 5 months
Seems apparent we need a Professional Engineering Certification process and our own disciplinary board similar to other engineering disciplines.

High time.

By @jandrese - 5 months
I know never to trust software written by hardware folks, but seriously, how do you ship a key where the CN is literally "DO NOT TRUST -- AMI Test PK" as the root security. That is outright malicious incompetence.
By @_trampeltier - 5 months
A bit oftopic but when last week came out, Cellebrite could open the Trump shooters phone, there was a PDF, they can brute force all android phones since from Android 7 or newer. What changed there? Why can they brute force all newer versions?

https://www.documentcloud.org/documents/24833831-cellebrite-...

By @EVa5I7bHFq9mnYK - 5 months
How do I check if my laptop is affected? Tried

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFIPK).bytes) -match "DO NOT TRUST|DO NOT SHIP"

, gives me cryptic errors and gpt of no help.

By @dathinab - 5 months
I just wanted to check if I'm affected.

...

then remembered I'm using custom platform keys

tbh. I don't understand why secure boot is build around global root of trusts instead of ad-hoc per device trust (i.e. like custom platform keys but with better support), at most supported by some global PKI to make bootstraping on initial setup easier

this would not eliminate but massively reduce how much "private key" got leaked vulnerabilities can affect secure boot chains (also move most complexity from efi into a user changeable chain loaders, including e.g. net boot, etc.)

PS:

To be clear " I don't understand why" is rhetorical, I do understand why and find it a terrible bad idea.

By @manofmanysmiles - 5 months
Unless I'm missing something, Secure Boot as designed is fundamentally broken.

Its root of trust is the BIOS/Firmware, which can be updated from a running OS. There is no hardware root of trust.

How Secure Boot Works

Secure Boot ensures that a device boots using only software trusted by the Original Equipment Manufacturer (OEM). Here's a high-level overview:

1. Power On and Initialization: The CPU initializes and runs the BIOS/UEFI firmware, which prepares the system for booting.

2. Platform Key (PK) Verification: The firmware verifies the Platform Key (PK), which is used to validate Key Exchange Keys (KEKs).

3. Key Exchange Keys (KEK) Verification: The KEKs validate the allowed (whitelist) and disallowed (blacklist) signature databases.

4. Signature Database Verification: The firmware checks the allowed (db) and disallowed (dbx) signature databases for trusted software signatures.

5. Bootloader Verification: The firmware verifies the bootloader’s signature against the db. If trusted, the process continues.

6. Kernel and Driver Verification: The bootloader verifies the OS kernel and critical drivers’ signatures.

7. Operating System Boot: Once all components are verified, the OS loads.

Apple Secure Boot Process

Apple adds hardware-based security with the Secure Enclave:

1. Secure Enclave Initialization: Separate initialization handles cryptographic operations securely.

2. Root of Trust Establishment: Starts with Apple's immutable hardware Root CA.

3. Immutable Boot ROM Verification: The boot ROM verifies the Low-Level Bootloader (LLB).

4. LLB Verification: The LLB verifies iBoot, Apple's bootloader.

5. iBoot Verification: iBoot verifies the kernel and its extensions. The Secure Enclave ensures cryptographic operations remain protected even if the main processor is compromised.

For more details, check out:

- <https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8...>

- <https://www.apple.com/business/docs/site/Security_Overview.p...>

I would really love to have a hardware root of trust on a Linux or other open system, with a hardware security module of sorts that is programmable, so I decide what the root keys are, and is able to measure the firmware boot process, establishing a proper audit trail or chain of trust.

I can't remember the HN formatting rules, so expect an edit shortly to make this look better.

Edit: I did a little more poking. It's not quite as bad as I thought, because at least in theory, the BIOS will verify a digital signature of a BIOS update before flashing it.

By @jmclnx - 5 months
>In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat

This joke never gets stale, wait it is not a joke ?

I still believe the only reason for this to exist is to eventually turn general computing devices into a locked down Cell Phone Spying Device.