But the leaked key was found in the firmware released in early 2018 and recently this year. To find out how common this practice still is, Binarly’s researchers scanned their database of tens of thousands of firmware binaries collected over the years and identified 22 AMI test PKs with the warning “DO NOT TRUST” or “DO NOT SHIP.” Those keys are found in UEFI firmware binaries for nearly 900 different computer motherboards from more than 10 vendors, including Acer, Dell, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro. Combined, they accounted for more than 10% of the firmware images in the dataset.
Those keys cannot be trusted, as they may be shared with multiple vendors, OEMs, ODMs, and developers – and may be stored insecurely. Any of them may have been leaked or stolen in undetected incidents. Last year, a data dump published by a gang from motherboard and computer manufacturer Micro-Star International (MSI) included an Intel OEM private key and a year before a data leak from Lenovo included firmware source code and Intel Boot Guard signing keys. .
Binarly has released an online scanner where users can submit copies of their motherboard’s firmware to check if it uses the test key, and a list of affected motherboard models is included in the company’s advisory. Unfortunately, there’s not much users can do until vendors provide firmware updates with new, securely manufactured PKs, assuming their motherboard models are still supported. The first use of such test keys discovered by Binarly dates back to 2012.
Source link