Sign in with
Sign up | Sign in
Your question
Closed

AMI's UEFI Signing Key and BIOS Source Code Leaked

Tags:
  • BIOS
  • Security
  • leak
Last response: in News comments
Share
a b 8 Security
April 8, 2013 5:15:56 PM

"Security Only as Strong as Your Weakest Link" from somewhere
Score
11
April 8, 2013 5:16:29 PM

All test keys, not production keys. Unless your motherboard mfg is as shady as Jetway and didn't follow standard procedure and convert test keys to production keys, there is little concern here.

http://ami.com/News/PressRelease/?PrID=392
Score
3
April 8, 2013 5:16:31 PM

Quote:
Subramonian Shankar, American Megatrends CEO and President, further commented that “while today’s news is certainly distressing, AMI would like to reassure its customers and partners in no uncertain terms that this should not be a security concern for them. If they follow standard operating procedure for BIOS signing, the security features in our BIOS source code and secure signing process will function as designed and remain 100% secure.”


1. Trick user into visiting an trusted but infected website, or a website with infected advertisements.

2. Load a self-replicating rootkit onto the computer, which then identifies what mobo the computer has. Any USB drives or external storage will also be compromised.

3. Detect AMI mobo, start BIOS replacement when the computer is restarted so Windows can install updates. Many users won't suspect anything, thinking it's just the Windows update. Only experienced users will become suspicious.

4. Open backdoors after BIOS is replaced. Let the fun begin.
Score
1
April 8, 2013 5:17:31 PM

EDIT: I'm fairly sure experienced malware writers could come up with a quicker and more stealthy method of delivery.
Score
1
April 8, 2013 5:20:23 PM

Quote:
...advised all concerned parties to contact an AMI Sales Representative or AMI Technical Marketing for further information


Telling customers to call sales reps about security issues. That's good advice.
Score
4
April 8, 2013 6:20:15 PM

This news lacks of one thing, " WHAT ARE THE AFFECTED MOTHERBOARDS ???"

We don't want to worry if our mobo is not affected and we want to be cautious if ours is.
Score
4
April 8, 2013 6:30:56 PM

I am generally opposed to capitol punishment... but these hackers certainly tempt a guy to reconsider... In all seriousness, I would be helpful to know what boards might be effective, and if there is going to be a "fix" any time soon. I wasn't planning on replacing my board, but apparently now I might have to.
Score
-7
April 8, 2013 6:46:50 PM

The only way to secure this kind of thing is to use YOUR own keys. You have to assume somebody nefarious has the "secure" keys from the Mfg since its use is so widespread. This one is public, which is great, but what about the ones that you don't know about. Just imagine SIGNED Malware that bypasses everything under a secure moniker....
Score
3
April 8, 2013 7:19:57 PM

Ehh, I have an 8MB-legal AMI BIOS. Should I be worried?
Score
0
April 8, 2013 7:22:24 PM

Hmm maybe this will open up the "custom" OS on PC's again... Granted they are test keys but if you are really smart and reverse engineer current keys with the test keys you could work out the way they make them.....
Score
3
April 8, 2013 7:23:19 PM

A Bad Day1. Trick user into visiting an trusted but infected website, or a website with infected advertisements.2. Load a self-replicating rootkit onto the computer, which then identifies what mobo the computer has. Any USB drives or external storage will also be compromised.3. Detect AMI mobo, start BIOS replacement when the computer is restarted so Windows can install updates. Many users won't suspect anything, thinking it's just the Windows update. Only experienced users will become suspicious.4. Open backdoors after BIOS is replaced. Let the fun begin.

All my Windows 7 is completely updated, so I know what to look for, although I have an ASRock Mobo.


Score
-4
April 8, 2013 7:50:10 PM

The way I look at it is this will be good for the open source community.

UEFI does not really add much security and secure boot lockout is a terrible idea.
Score
8
April 8, 2013 7:59:42 PM

TheN00bBuilderAll my Windows 7 is completely updated, so I know what to look for, although I have an ASRock Mobo.


I have a sister who doesn't care about computer security. When I brought up the bot-net topic, her reply, "Yeah, well I'm not stupid enough to click on spam sent by bots."

My mom? Still thinks Windows XP's Service Pack 3 is a virus.

My dad? Still thinks McAfee 2007 OAS is sufficient. Though OAS's support was shut down before 2012.
Score
2
April 8, 2013 8:07:56 PM

These comments sho
Score
-3
April 9, 2013 5:36:06 AM

smeezekittyThe way I look at it is this will be good for the open source community.UEFI does not really add much security and secure boot lockout is a terrible idea.

Secure boot is horrible.
Score
2
April 9, 2013 6:56:40 AM

Worst case scenario: CIH v2.0
Score
0
April 9, 2013 7:38:30 AM

smeezekittyThe way I look at it is this will be good for the open source community.UEFI does not really add much security and secure boot lockout is a terrible idea.


I totally agree. The default Secure UEFI (using predetermined keys) will have the opposite effect on security. I know to many it sounds counter-intuitive but its considered "Security through Obscurity" which is a extra risky way to secure data. You don't know if its secure or not ultimately. Here's the deal on that, how can I be sure that someone nefarious, OR any number of global government entities don't already have the signing keys? I can't, so I presume they have the ability to inject something into signed and trusted driver package from a trusted source. Bad guys aren't going to expose that they found a hole, they'll sit on it and exploit it. Hence I'd want to compile and sign all driver and UEFI code going onto the corporate computers for a better defense in depth strategy. Since MS shares its source code with govt entities, it is in my viewpoint insecure by default. How can you defend against the Russian, Chinese and US sponsored crackers when they have the source code (and presumably also the signing keys) and you and your security team don't?

In the end that just leaves open source solutions for the security conscious out there. I do think Secure UEFI using your own signed keys has some nice potential though. That would seriously limit the scope of any attack on signed kernel drivers and on the underlying system firmware.
Score
4
April 9, 2013 10:21:15 AM

Jeff BurnsThe only way to secure this kind of thing is to use YOUR own keys. You have to assume somebody nefarious has the "secure" keys from the Mfg since its use is so widespread. This one is public, which is great, but what about the ones that you don't know about. Just imagine SIGNED Malware that bypasses everything under a secure moniker....


Agree!

Doctorow's Law:

Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit.

But yes...MS manage to sell us on idea that UEFI Secure Boot is good for us while they still hold all the keys.
Score
2
April 9, 2013 12:24:03 PM

The sad thing is how many PC's use AMI BIOS's... AMI really needs to release a BIOS update to manufacturers with a new key, ASAP. Many of the smaller manufacturers will have issues with this though, even if provided with an updated BIOS and key from AMI, I don't see the small guys releasing patches for boards no longer in production.

The "bad guys" have much more financial incentives to break/circumvent boot security, than the "good guys" do. Sadly the UEFI key's are bound to be leaked at some point in time.
Score
0
April 9, 2013 7:40:21 PM

A Bad Day said:
TheN00bBuilderAll my Windows 7 is completely updated, so I know what to look for, although I have an ASRock Mobo.


I have a sister who doesn't care about computer security. When I brought up the bot-net topic, her reply, "Yeah, well I'm not stupid enough to click on spam sent by bots."

My mom? Still thinks Windows XP's Service Pack 3 is a virus.

My dad? Still thinks McAfee 2007 OAS is sufficient. Though OAS's support was shut down before 2012.


Hopefully, I'm protected with 2 AVs; Trend Micro Titanium and AVG 2013 full ed.
Score
0
April 9, 2013 8:13:52 PM

TheN00bBuilder said:
Hopefully, I'm protected with 2 AVs; Trend Micro Titanium and AVG 2013 full ed.
I can't tell if thats sarcasm or not. I hope no one on this forum would be stupid enough to run multiple active AV products, and windows update and think that is all thats required to keep them protected from evil.

As a side note, I have yet to find the limits of human stupidity.
Score
0
April 10, 2013 3:10:44 AM

TheN00bBuilder said:
Hopefully, I'm protected with 2 AVs; Trend Micro Titanium and AVG 2013 full ed.


Running 2 AVs isn't a good idea. These things have their tentacles in every corner of your system, and they don't always play nicely together.
Score
0
!