
Security Flaw Exposes Millions of HP and Lenovo Devices

Intel inside?
Ryan Uliss
Contributing Writer

A significant security flaw known as ‘PKFail’ has been discovered, affecting potentially millions of devices built on Intel and ARM microprocessors. Researchers have revealed that a compromised cryptographic key, one they say should never have been present on any consumer or enterprise PC, allows attackers to bypass the Secure Boot process and expose these devices to firmware-level malware.

The key was only ever intended for testing. AMI shipped it in its reference firmware implementation on the assumption that OEMs and ODMs further down the supply chain would replace it with their own production key before release, and many never did. The PKFail vulnerability affects major vendors such as Lenovo, HP, Asus, and SuperMicro, and makes it possible for attackers to manipulate the Secure Boot key databases and deploy malicious firmware.

Although some vendors have already issued firmware updates that replace the compromised key, many devices remain at risk because such updates are deployed slowly, particularly on critical systems where firmware changes are scheduled cautiously. Organizations are advised to isolate vulnerable devices from critical networks until the updates are applied.

Why It Matters: The PKFail vulnerability represents a critical security risk because it undermines Secure Boot, a fundamental feature designed to protect the integrity of a device from the moment it starts. A compromise at this level can lead to severe consequences, including malware that persists below the operating system, affecting both consumer and enterprise environments. Rogier Fischer, CEO of Netherlands-based Hadrian, likens it to having a master key that unlocks many houses, emphasizing that because the same key is used across many different devices, one breach can affect many systems, making the problem widespread.

  • Compromised Platform Key: The PKFail issue arises from a compromised Platform Key (PK) from American Megatrends International (AMI), leaked in 2018 and improperly shipped by several vendors in their devices. The PK sits at the top of the Secure Boot trust hierarchy: it authorizes changes to the Key Exchange Key (KEK), which in turn authorizes changes to the signature databases (db and dbx) that decide which boot loaders and firmware drivers are allowed to run.
  • Security Implications: An attacker holding the private half of the PK can sign authenticated variable updates that enroll their own KEK and their own db entries, and from there sign boot components that the firmware will accept as trusted. This allows the deployment of Unified Extensible Firmware Interface (UEFI) bootkits that load before the operating system, leading to persistent malware infections and elevated privileges that survive OS reinstalls.
  • Historical Context and Ongoing Risks: The PKFail issue highlights longstanding problems with cryptographic key management in the device supply chain. Previous incidents, such as CVE-2016-5247 in 2016, also involved shared test keys. The widespread use of non-production keys in production environments continues to pose significant security risks.
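The practical question for a defender is whether the Platform Key enrolled on a given machine is a production key or a leftover test key. The following is an added example, not code from the original article or from any vendor: it parses the EFI_SIGNATURE_LIST structure that the PK variable is stored in (a format defined by the UEFI specification), pulls out each certificate's commonName and SHA-256 fingerprint, and flags anything that matches a known-bad fingerprint or whose name reads like a test key. The efivarfs path and the signature-type GUID are from the UEFI and Linux conventions; the red-flag word list, the empty known-bad fingerprint set (fill it from your vendor's advisory), and the sample input are assumptions constructed for the example. The sample "certificates" are not real X.509 structures, only the CN attribute the scanner looks for.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# EFI_CERT_X509_GUID: signature type for a DER-encoded X.509 certificate (UEFI spec)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Linux efivarfs path of the Platform Key (variable name + EFI_GLOBAL_VARIABLE GUID)
PK_EFIVAR = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
# DER encoding of OID 2.5.4.3 (id-at-commonName)
OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"
# Words that should never appear in a production PK's CN (assumption for this example)
RED_FLAG_WORDS = ("DO NOT TRUST", "TEST")


def parse_signature_lists(data):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures and return
    (signature_type, owner_guid, signature_data) for every entry."""
    entries = []
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])        # GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size                                # skip optional header
        while pos + sig_size <= end:                             # each EFI_SIGNATURE_DATA
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def common_names(der):
    """Collect every commonName string in a DER blob. This scans for the CN OID
    followed by a string; it is not a full X.509 parser, but it is enough to
    surface the subject and issuer CN of a certificate."""
    names = []
    i = der.find(OID_COMMON_NAME)
    while i != -1:
        p = i + len(OID_COMMON_NAME)
        # UTF8String / PrintableString / IA5String with a short-form length
        if p + 2 <= len(der) and der[p] in (0x0C, 0x13, 0x16) and der[p + 1] < 0x80:
            n = der[p + 1]
            names.append(der[p + 2:p + 2 + n].decode("utf-8", "replace"))
        i = der.find(OID_COMMON_NAME, p)
    return names


def audit_pk(data, known_bad_fingerprints=frozenset()):
    """Return one finding per PK entry: owner GUID, SHA-256 of the DER blob,
    the CNs found, and whether it looks like a non-production key."""
    findings = []
    for sig_type, owner, sig in parse_signature_lists(data):
        cns = common_names(sig) if sig_type == EFI_CERT_X509_GUID else []
        fp = hashlib.sha256(sig).hexdigest()
        flagged = fp in known_bad_fingerprints or any(
            w in cn.upper() for cn in cns for w in RED_FLAG_WORDS)
        findings.append({"owner": str(owner), "sha256": fp, "cn": cns, "flagged": flagged})
    return findings


def read_pk_from_efivarfs(path=PK_EFIVAR):
    """efivarfs prefixes every variable with 4 bytes of attributes; strip them."""
    return path.read_bytes()[4:]


def build_x509_list(cert_der, owner=uuid.UUID(int=0)):
    """Wrap one DER blob in an EFI_SIGNATURE_LIST (used here to construct sample input)."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def fake_cert(cn):
    """Constructed stand-in for a certificate: only a CN attribute in DER form,
    not a real X.509 structure. Sufficient to exercise the scanner above."""
    value = cn.encode()
    return OID_COMMON_NAME + b"\x13" + bytes([len(value)]) + value


# Constructed samples: a PK whose CN says it is a test key, next to a sane-looking one
SAMPLE_TEST_PK = build_x509_list(fake_cert("DO NOT TRUST - Example Test PK"))
SAMPLE_PROD_PK = build_x509_list(fake_cert("Example Corp Platform Key 2024"))

if __name__ == "__main__":
    blob = read_pk_from_efivarfs() if PK_EFIVAR.exists() else SAMPLE_TEST_PK
    for f in audit_pk(blob):
        print(("FLAGGED " if f["flagged"] else "ok      ") + f["sha256"][:16], f["cn"])
```

Run as root on a Linux host with efivarfs mounted to inspect the live PK; on any other machine it falls back to the constructed sample. A flagged result is a reason to check the vendor's advisory and firmware update, not proof on its own, and an unflagged result only means the CN and fingerprint did not match the heuristics given here.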

Go Deeper -> Millions of Devices Vulnerable to ‘PKFail’ Secure Boot Bypass Issue – Dark Reading

PKfail Secure Boot Bypass Lets Attackers Install UEFI Malware – Bleeping Computer
