Researchers said that a years-old security leak is putting a number of production model PCs at risk of persistent remote takeover.
The team at Binarly said that the issue, known as PKfail, is exposing the private keys for a number of motherboard firmware builds and, as a result, leaving systems exposed to low-level malware attacks that would not be detectable to OS-level antimalware protections.
The issue, said Binarly, is a vulnerability that dates back to 2016, when a private test key from BIOS specialist AMI was leaked. The key stayed quiet until 2018, when it was first found to be released in the wild.
Again, the leak did not get much attention and was thought to have slipped through the cracks, until the Binary team found it still being used and exposed on a number of systems.
“Earlier this year, we noticed that the private key from American Megatrends International (AMI) related to the Secure Boot ‘master key,’ called Platform Key (PK), was publicly exposed in a data leak,” Binary noted.
“The incident occurred at an ODM responsible for firmware development for multiple device vendors, including US-based enterprise device manufacturers. The devices corresponding to this key are still deployed in the field, and the key is also being used in recently released enterprise devices. “
In short, the loss of the firmware key means an attacker would be able to forge an OS installation as being genuine and trick the Windows UEFI framework that ensures all updates and installations are genuine.
In practice, this would mean that an attacker could exploit the flaw to replace the current OS version with one laden with malware and cause it to be trusted, thus preventing easy removal by anti-malware systems.
There is one caveat to such attacks: in order to access the vulnerable components, the attacker requires full system access via an administrator or root-level account. This means that the bad guy would have already had to completely take over the target machine.
As such, this vulnerability is more of a persistence attack: one that would allow long-term access even after a complete antimalware sweep and re-install.
Users and administrators are advised to update their firmware installations to latest versions and follow security best practices to prevent the initial intrusion required for the attack.