'PKfail' Secure Boot disaster just went from bad to worse

A couple of months ago, we reported on the PKfail vulnerability in Secure Boot, a security issue that stems from hardware manufacturers shipping devices whose firmware trusts Secure Boot keys that were already known to be compromised.

After digging deeper, the original security researchers have discovered that it’s a much bigger problem than even they had initially guessed.

In case you missed the original story, here's a quick summary: the signing key that Secure Boot relies on to verify software loaded in the pre-boot environment was leaked to a public repository back in 2022. Despite that being a known issue, manufacturers continued to ship devices whose firmware still trusts the leaked key. In fact, many of them shipped with pre-production warnings like "DO NOT TRUST" still in the firmware.

As Ars Technica reports, Binarly, which published the original research, and other security researchers have found many more devices that are susceptible to the PKfail exploit. The list of vulnerable devices has ballooned to almost four times the size of the original list, and now includes almost a thousand individual models of desktops, laptops, and other x86-based hardware.

The original list included computers and motherboards made by some of the industry’s biggest names, including Dell, Acer, and Intel. Now that the issue is more widely known, the list is expanding to include other manufacturers like Fujitsu and Supermicro. Even boutique manufacturers like Beelink and Minisforum are susceptible.

The issue seems to reach far beyond the realm of conventional hardware and Windows-based PCs. According to data from Binarly's online detection tool, enterprise servers, point-of-sale retail machines, gaming consoles, and even ATMs have all been found to contain these publicly available Secure Boot keys. Even some medical devices and voting machines showed up in the tool's data. To say all this is "alarming" would be an understatement.

That said, remotely exploiting Secure Boot would be a huge endeavor for a hacker, so the PKfail vulnerability is mostly relevant to anyone who might be personally targeted for data theft or surveillance. It’s much more likely to be used by, say, someone going after a multi-millionaire, or by a state-sponsored hacker group hoping to acquire government or industry secrets. Regardless, Binarly warns that the PKfail vulnerability is already being actively exploited in the wild.

If you own an affected machine, the solution to PKfail is nothing less than a BIOS or UEFI update from your PC’s motherboard manufacturer. You can use Binarly’s online detection tool to see if your PC is affected.
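Binarly's tool does the authoritative check (it compares a firmware image against the known leaked keys), but on a Linux machine you can get a quick first signal yourself by reading the enrolled Platform Key out of efivarfs and looking for the "DO NOT TRUST" placeholder marker mentioned above. The script below is an added example, not Binarly's tool or code from PCWorld; it parses the standard UEFI EFI_SIGNATURE_LIST layout, and the sample blobs it runs against offline are constructed here, not real vendor certificates. The marker list is a heuristic: a clean result does not prove the key is safe, and a firmware update from the motherboard vendor remains the fix.

```python
"""Check whether a Secure Boot Platform Key (PK) carries a known test-key marker.

Added example, not Binarly's detection tool. Assumes a Linux host with efivarfs
mounted at /sys/firmware/efi/efivars; offline it runs against constructed blobs.
"""
import struct
import uuid
from pathlib import Path

# Standard UEFI GUID under which the Platform Key variable is stored.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Signature type GUID for X.509 certificates inside an EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_EFIVAR = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}")

# "DO NOT TRUST" is the marker cited in the PKfail reporting; "DO NOT SHIP" is
# an assumed variant of the same kind of placeholder wording.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(data: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures and return a list of
    (signature_type_guid, signature_data) tuples, one per entry."""
    off = 0
    entries = []
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = off + 28 + hdr_size  # skip the optional per-list signature header
        end = off + list_size
        while body + sig_size <= end:
            # Each entry is a 16-byte SignatureOwner GUID followed by the data.
            entries.append((sig_type, data[body + 16:body + sig_size]))
            body += sig_size
        off = end
    return entries


def find_test_key_markers(data: bytes):
    """Return the placeholder markers found in any X.509 entry of the PK."""
    found = []
    for sig_type, cert_der in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        # Subject names are stored as ASCII PrintableString/UTF8String inside
        # the DER, so a plain byte search is enough for this heuristic.
        for marker in TEST_KEY_MARKERS:
            if marker in cert_der:
                found.append(marker.decode())
    return found


def read_efivar(path: Path) -> bytes:
    """efivarfs prefixes the variable data with 4 bytes of attribute flags."""
    return path.read_bytes()[4:]


def build_signature_list(sig_type: uuid.UUID, cert_der: bytes) -> bytes:
    """Constructed helper: wrap one certificate blob in an EFI_SIGNATURE_LIST."""
    owner = uuid.UUID(int=0).bytes_le
    sig_size = 16 + len(cert_der)
    list_size = 28 + sig_size
    return sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size) + owner + cert_der


# Constructed samples standing in for a vendor's placeholder certificate and a
# properly named one. Only the leading SEQUENCE tag imitates real DER; the
# marker search does not depend on full ASN.1 structure.
SAMPLE_TEST_PK = build_signature_list(
    EFI_CERT_X509_GUID, b"\x30\x82\x01\x00" + b"CN=DO NOT TRUST - constructed test PK")
SAMPLE_VENDOR_PK = build_signature_list(
    EFI_CERT_X509_GUID, b"\x30\x82\x01\x00" + b"CN=Example Vendor Platform Key")


if __name__ == "__main__":
    if PK_EFIVAR.exists():
        markers = find_test_key_markers(read_efivar(PK_EFIVAR))
        print("PK test-key markers:", markers or "none found")
    else:
        print("efivarfs not available; result on constructed sample:",
              find_test_key_markers(SAMPLE_TEST_PK))
```

Run it as a normal user on a UEFI Linux system; the PK variable is readable without root on most distributions. A non-empty marker list means the firmware shipped with a placeholder key and the machine should be checked against Binarly's tool and the vendor's firmware updates.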

Michael is a 10-year veteran of technology journalism, covering everything from Apple to ZTE. On PCWorld he's the resident keyboard nut, always using a new one for a review and building a new mechanical board or expanding his desktop "battlestation" in his off hours. Michael's previous bylines include Android Police, Digital Trends, Wired, Lifehacker, and How-To Geek, and he's covered events like CES and Mobile World Congress live. Michael lives in Pennsylvania where he's always looking forward to his next kayaking trip.