PKfail: The Massive Security Flaw Affecting Millions of PCs

AI created, human edited.

In a recent episode of Security Now, host Steve Gibson shed light on a widespread security vulnerability affecting hundreds of PC models from major manufacturers. Dubbed "PKfail" by security firm Binarly, this flaw in the firmware supply chain renders affected machines incapable of booting securely, despite having Secure Boot enabled.

At the heart of PKfail lies the misuse of Platform Keys (PK), which form the root of trust for a system's secure boot technology. These keys should be unique to each device and generated securely by the manufacturer. However, Binarly's research uncovered a disturbing trend: many devices are shipping with "sample" Platform Keys that were never meant to be used in production.

These sample keys, generated by American Megatrends International (AMI), were intended to be replaced by device vendors with securely generated keys. Instead, they've found their way into countless consumer devices, compromising the entire secure boot process.

Gibson highlighted some alarming statistics from Binarly's research:

1. Over 10% of firmware images in Binarly's dataset use an untrusted Platform Key.
2. The vulnerability affects devices released as recently as June 2024.
3. Nearly 850 device models are currently known to be affected.
4. The issue spans more than 12 years, with the first vulnerable firmware dating back to May 2012.

What makes this particularly concerning is that the same vulnerable keys are being used across a wide range of products, from gaming laptops to server motherboards.

Perhaps most troubling is the industry's slow response to this issue. Gibson pointed out that this vulnerability was first publicly disclosed in 2016 and assigned CVE-2016-5247. Despite this, the release of vulnerable devices continued to increase, suggesting a lack of awareness or concern within the industry.

While there was a decrease in vulnerable images between 2017 and 2020, recent years have seen a resurgence, indicating that the industry may have "simply forgot about this problem," as Gibson put it.

Gibson used this discovery to reinforce his skepticism about Microsoft's upcoming Recall feature, which aims to securely store and aggregate device history. He argued that despite Microsoft's assurances of tight security, the pervasive lack of security in the PC ecosystem makes absolute privacy for such accumulated data impossible.

While Gibson didn't advise against using Recall, he emphasized the importance of informed user choice, stating that individuals should be given "the well informed choice about whether or not they want this for themselves and for that choice to then be honored without exception or excuse."

For concerned users, Binarly provided methods to check if a device is affected by PKfail:

• On Linux, users can display the content of the PK variable.
• On Windows, a specific PowerShell command can be run to check for vulnerability.

Affected devices will have the strings "DO NOT TRUST" or "DO NOT SHIP" in the subject and issuer fields of the Platform Key certificate.

While PKfail doesn't present an obvious remote vulnerability, it does weaken a system's defenses against local boot tampering and could potentially be exploited by malware to establish persistent rootkits.

Gibson expressed hope that given the increased security awareness today compared to 2016, manufacturers of affected systems will respond more promptly to address this vulnerability.

In conclusion, PKfail serves as a stark reminder of the ongoing challenges in maintaining firmware security across the complex PC supply chain. It underscores the need for vigilance, both from manufacturers and end-users, in ensuring the integrity of our computing systems from the ground up.

Thanks for reading, and please join Club TWiT for more exclusive tech coverage!