• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

Secure Boot is broken

winjer

winjer

Gold Member
arstechnica.com

Secure Boot is completely broken on 200+ models from 5 big device makers

Keys were labeled “DO NOT TRUST.” Nearly 500 device models use them anyway.
arstechnica.com arstechnica.com

In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
Click to expand...

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro.
Click to expand...

The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it's not clear when it was taken down.

The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”

Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one.

The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings “DO NOT SHIP” or “DO NOT TRUST.”
Click to expand...



To test your UEFI: https://pk.fail/

If your system is vulnerable, go to the site of your manufacturer and check for a new UEFI version.
 
Northeastmonk

Northeastmonk

Gold Member
I never have secure boot enabled due to always using a fresh image and HP and Dell machines not liking it. Buying stock Dell machines will either two things: 1. secure boot is enabled and 2. The drive is an array oob. Secure Boot always caused issues with imaging in my experience.
 
Barakov

Barakov

Gold Member
Toaster user here. If secure boot is off, am I good or do I need to download the new UEFI version?
 
Northeastmonk

Northeastmonk

Gold Member
Barakov said:
Toaster user here. If secure boot is off, am I good or do I need to download the new UEFI version?
Click to expand...
I don’t honestly think you need it unless you feel like you’re going to get hit with a rootkit attack. I don’t ever see it enabled and if it is it usually borks the OS from installing. I’ve dealt with bitlocker more than secure boot. I can’t think of anytime I’ve been asked about secure boot, especially with hipaa compliant customers. It’s usually bitlocker, password policy, and MFA.

In other words, I wouldn’t lose any sleep over it lol
 
MrTroubleMaker

MrTroubleMaker

Member
I guess i passed that bullet

JRtxcOT.png
 
poppabk

poppabk

Cheeks Spread for Digital Only Future
The_hunter said:
If it is off, you are not using secure boot at all. You're good.
Click to expand...
How is that better. Maybe I am not understanding but the problem is that this makes a secure boot machine effectively not secure boot?
simpatico said:
I’m gonna secure boot my ass over to Linux the second windows 10 support ends.
Click to expand...
I am definitely not understanding - how is this a windows issue?
 
Last edited:
The_hunter

The_hunter

Member
poppabk said:
How is that better. Maybe I am not understanding but the problem is that this makes a secure boot machine effectively not secure boot?

I am definitely not understanding - how is this a windows issue?
Click to expand...
Your interpretation is right. I didn't mean that the fix is to turn off secure boot. I meant that if you don't use it in the first place, this doesn't effect you. My comment wasn't clear enough.
 
YeulEmeralda

YeulEmeralda

Linux User
I do all my banking stuff with my phone these days the PC is just for gaming so I wouldn't even care if it gets malwared.
 
ShirAhava

ShirAhava

Plays with kids toys, in the adult gaming world
Just tested this on both my WIndows and Linux rigs and I'm safe thankfully
 
ReBurn

ReBurn

Gold Member
Lord Panda said:
Not directed at you per se, but If you don't know what you're doing then moving over to Linux isn't really going to help.
Click to expand...
Seriously. Bootkit vulnerabilities exist in the Linux world, too. The designers of malware for Linux distros count on people who don't use secure boot or tpm, whether it be through ignorance or obstinace.
 
ReBurn

ReBurn

Gold Member
Unknown? said:
Ehhh. I'd trust a well secured PC over a phone. Android and iOS are terrible.
Click to expand...
Understandable. PC's are certainly targeted more, but Android and iOS devices have had (and currently have) vulnerabilities that could be exploited to inject code into the boot chain. Security flaws are what continue to make jailbreaks possible.
 
Griffon

Griffon

Member
So, let me see if I understand that properly.

If secure boot is off, you're not protected.
If secure boot is on but you're using one of those motherboards, you're not protected either.

So in the end it's like you don't have secure boot to begin with right?
 
ReBurn

ReBurn

Gold Member
GymWolf said:
How do i check if i have secure bot activated?

Go easy with the explanation, i'm a fucking noob.
Click to expand...
I haven't done it it a while since it's almost always on by default, so it could have changed. But if you have Windows system you can press the Windows key and the R key at the same time to bring up the Run application. Then type msinfo32 and press enter. Under the system summary there should be a line that tells you whether it's on or off.
 
winjer

winjer

Gold Member
kensama said:
Hi,

How to obtain the binary file to be checked on the site please?
Click to expand...

One way is to use a program like AFUWIN to dump the uefi.

The easiest way is to go to the manufacturer of your motherboard and download the file of the UEFI version you are using.
Then just upload it to the site and it will compare the keys in that UEFI with the broken keys.

A program like HWinfo or CPUZ will show the version of the current UEFI your PC is using.
 
Last edited:
kruis

kruis

Exposing the sinister cartel of retailers who allow companies to pay for advertising space.
GymWolf said:
How do i check if i have secure bot activated?

Go easy with the explanation, i'm a fucking noob.
Click to expand...

See here for ways to check if you've got Secure Boot enabled.

Personally I don't see the point of Secure Boot in non business environments. The idea of Secure Boot is to prevent a hacker from booting an unrecognized OS/boot loader on your PC or adding custom UEFI boot drivers to your system. Well, for the first issue that hacker must have hands on access to your PC and there's nothing stopping that hacker from booting Windows or Linux from USB since those OSes are of course on the list of approved, safe operating systems. And if someone was able to secretly add malafide UEFI boot drivers on your PC, then you were already hacked.

Secure Boot makes sense in business or government environments where they handle top secret documents. You don't want a hacker to insert a USB drive into a PC, hack the UEFI BIOS and then have the PC run hacking code before the OS has even loaded. There it makes a lot of sense.

The downside of SecureBoot is that the list of approved operating systems is small and it's very, very hard to get on that list. At work I use iPXE as a way to boot multiple OSes from either the HD or the network in examination class rooms. The PC boots from the network, loads the iPXE file and shows a menu. Works great - but only with Secure Boot turned off since the iPXE boot loader is not on the approved list.
 
Last edited:
kensama

kensama

Member
winjer said:
One way is to use a program like AFUWIN to dump the uefi.

The easiest way is to go to the manufacturer of your motherboard and download the file of the UEFI version you are using.
Then just upload it to the site and it will compare the keys in that UEFI with the broken keys.

A program like HWinfo or CPUZ will show the version of the current UEFI your PC is using.
Click to expand...
Ok but UEFI where it can be find cause on Asus site for my motherboard i can't get this.
 
kensama

kensama

Member
winjer said:
Should be on the support page for your motherboard. Then on the downloads section.
Click to expand...

TUF GAMING Z690-PLUS|Cartes mères|ASUS France

ASUS TUF GAMING Z690-PLUS takes all the essential elements of the latest Intel® processors and combines them with game-ready features and proven durability. Engineered with military-grade components, an upgraded power solution and a comprehensive cooling system, this motherboard offers...
www.asus.com www.asus.com


I have only this
 
winjer

winjer

Gold Member
kensama said:

TUF GAMING Z690-PLUS|Cartes mères|ASUS France

ASUS TUF GAMING Z690-PLUS takes all the essential elements of the latest Intel® processors and combines them with game-ready features and proven durability. Engineered with military-grade components, an upgraded power solution and a comprehensive cooling system, this motherboard offers...
www.asus.com www.asus.com


I have only this
Click to expand...

That 's it. The BIOS file.
Modern firmware is called UEFI. But some people and companies still refer to it as BIOS.
 
kensama

kensama

Member
winjer said:
That 's it. The BIOS file.
Modern firmware is called UEFI. But some people and companies still refer to it as BIOS.
Click to expand...
ok but i got a file in zip and inside a .cap what to do with it?

That's ok i uploaded the .CAP file and it scan it

Result:

Hzx8czO.png
 
Last edited:
You must log in or register to reply here.

Similar threads

Satya Nadella: Annual letter to stockholders. Content on new platforms will continue
3 4 5 6 7
349
15K
solidus12 replied
Apex Legends is taking away its support for the Steam Deck and Linux
11
626
Wolzard replied
Nintendo DMCA Notice Wipes Out 8,535 Yuzu Repos
2
96
6K
CuteFaceJay replied
Gigabyte Motherboards Affected by Firmware Backdoor, Over 250 Models Impacted
Hardware
10
1K
darrylgorn replied
[The Verge] Microsoft is now in a handheld gaming PC race
2
79
6K
MisterXDTV replied
Top Bottom