The PKfail flaw affects more devices than anticipated, including medical equipment, laptops, gaming consoles, ATMs, Point-of-Sale (POS) machines, voting machines and more. The number of impacted device models has increased from 513 to 972, with over 791 out of 10,095 unique firmware images being flagged.
Furthermore, researchers also discovered four additional test keys, raising the number of compromised keys to 20.
These cryptographic keys are integral to the Secure Boot process, a security standard designed to ensure that only trusted firmware can run on devices. Unfortunately, the private portion of these test keys is widely known, compromising the entire security chain of affected devices.
The compromised platform keys have been found in various devices, including medical equipment, gaming consoles, enterprise servers, ATMs, and POS systems. More alarmingly, the failure also impacted devices such as voting machines, raising concerns about critical infrastructure security.
Some vendors affected by Pkfail include Acer, Dell, HP, Fujitsu, Lenovo, and even less traditional device makers like Hardkernel, Beelik, and Minisforum. Researchers reveal that the extent of this failure is widespread, with vulnerabilities present in over 8% of the 10,095 unique firmware images submitted to a detection tool.
Secure Boot verifies that the firmware loaded onto a device is signed by a trusted source. It depends on cryptographic keys embedded within the system, establishing trust between the hardware and its firmware. However, using these compromised non-production keys renders this process ineffective, as the private portions of the keys are no longer secure.
This root-of-trust failure can lead to UEFI rootkit malware targeting firmware and maintaining persistence even after system reboots. The malware also evades traditional detection methods.
The broader industry impact of PKfail will be discussed at the upcoming LABScon security conference, where more details are expected to emerge, reports Ars Technica.
In the News: Microsoft recategorises CVE-2024-43461 as zero-day; exploited by Void Banshee APT