Secure Boot No More? Key Leak and Faulty Practices Put 900 PC/Server Models at Risk

But the leaked key has been found in firmware released as early as 2018 and as recently as this year. To find out how common this practice still is, Binarly researchers analyzed their database of tens of thousands of firmware binaries collected over the years and identified 22 different AMI test PKs with “DO NOT TRUST” or “DO NOT SHIP” warnings. These keys were found in the UEFI firmware binaries of nearly 900 different computer and server motherboards from more than 10 vendors, including Acer, Dell, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro. Together, they accounted for more than 10% of the firmware images in the dataset.

These keys are unreliable because they have likely been shared with many vendors, OEMs, ODMs, and developers, and have likely been stored insecurely. Some of them may have already been leaked or stolen in undetected incidents. Last year, a data dump released by an extortion gang from motherboard and computer manufacturer Micro-Star International (MSI) included an Intel OEM private key, and a year before that, a Lenovo data leak included firmware source code and Intel Boot Guard signing keys.

Binarly has released an online scanner where users can submit copies of their motherboard firmware to check if it uses a test key, and a list of affected motherboard models is included in the company’s advisory. Unfortunately, there’s not much users can do until vendors provide firmware updates with new, securely generated PKs, assuming their motherboard models are still supported. The first use of such test keys found by Binarly dates back to 2012.