Posted on Monday, April 08 2013 @ 12:15 CEST by Thomas De Maesschalck
TechPowerUp writes that the source code of the AMI Aptio UEFI BIOS, including AMI's UEFI signing test key, is now out in the open. The confidential data was found on a publicly accessible FTP server in Taiwan. The owner of the server is unknown, but it is believed to be motherboard maker Jetway. The leak poses a security threat for every motherboard that runs the AMI Aptio UEFI BIOS, which includes most socket LGA1155 and FM2 motherboards, as well as some AM3+ motherboards.
Among the leaked bits of software are the source code of AMI's BIOS, Aptio, and AMI's UEFI test signing key, which is used by all its clients to sign their BIOS updates. Signing ensures that BIOS updating software verifies the update is genuine and coming from the motherboard manufacturer. With this key out, malware developers can develop malicious BIOS updates, hack motherboard vendors' customer support websites, and replace legitimate BIOS updates with their malicious ones. Control over the system BIOS could then give hackers access to most ring-0 OS functions.
"By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated & installed for the vendor's products that use this firmware. If the vendor used this same key for other products - the impact could be even worse," writes Adam Caudill, who along with Brandon Wilson, discovered the open FTP server. "This kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system's security is an ideal scenario for covert information collection," he added.
AMI quickly responded to the news, claiming that the leak was not the result of a security lapse on AMI's part and that, because the leaked key is a test key rather than a customer's production key, this is not a general security threat that could create a "nearly undetectable, permanent hole in a system's security":
American Megatrends Inc. (AMI), a global leader in BIOS, remote management and network storage innovations, released the following statement in relation to recent disclosures via the personal blog site of an industry blogger and security researcher regarding the discovery of a “leaky” FTP server from a Taiwan-based vendor which contained AMI UEFI BIOS source code among various internal data.
According to the post, the information available on this open FTP server included among other things “…source code for different versions of UEFI BIOS firmware from AMI for a specific hardware platform and a suspected signing key for that firmware.”
First and foremost, AMI would like to clarify that the vendor referenced in the blog post is a BIOS customer of AMI, and the insecure FTP site that contained the BIOS source code and security key data is maintained by AMI’s customer, not AMI itself. Therefore, the leak of this data was not the fault of AMI and by extension not a result of a security lapse on AMI’s behalf.
As this would imply a serious threat to AMI intellectual property and security issues for the BIOS utilized for these platforms, AMI was compelled to respond in order to allay concerns regarding any potential security threats that might be implied from this news. AMI states that this is not a general security threat which could “create a nearly undetectable, permanent hole in a system’s security”, if the manner in which production-level BIOS is signed and created uses production keys.
To explain in more detail, AMI has examined the security keys referenced in the blog post and confirmed that the keys in question are test keys. Test keys are normally used for development and test purposes since developers do not have access to production keys. For production-level BIOS that would be shipped to consumers, AMI’s procedures for creating such a BIOS require the customer to procure or generate production keys. As such, AMI expects that a key such as the one disclosed to the public today will be used for testing purposes only.
Therefore, even though the test keys were unfortunately leaked via this insecure FTP site, a production-level private key used by a customer cannot be obtained with the information made public. Thus, AMI can state that this leak will not compromise the security of systems in the field if the BIOS for the production machines is created using production keys.
Subramonian Shankar, American Megatrends CEO and President, commented on these concerns by stating that “while today’s news is certainly distressing, AMI would like to reassure its customers and partners in no uncertain terms that this should not be a security concern for them. If they follow standard operating procedure for BIOS signing, the security features in our BIOS source code and secure signing process will function as designed and remain 100% secure.”
Concerned parties, such as AMI partners and worldwide BIOS customers, should contact their AMI Sales Representative or AMI Technical Marketing at 1-800-U-BUY-AMI for more information regarding this recent disclosure.
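The two positions above turn on one point: an update is accepted only if its signature verifies under the public key the board's firmware trusts. The following is an added example, not code from the original article, from TechPowerUp, from AMI or from any AMI product, written to make that point concrete. It uses freshly generated ECDSA P-256 keys and a simplified body-plus-detached-signature format as stand-ins; real UEFI capsules carry Authenticode-style PKCS#7 signatures and the key names (testKey, prodKey) and update bodies are constructed for the demonstration. It plays out the four cases the article argues about: a genuine update, a forged update signed with the leaked key on a board that trusts that key, the same forged update on a board built with a separate production key, and a genuine update tampered with after signing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// Image is a constructed stand-in for a signed BIOS update: the update body
// plus a detached ECDSA signature over its SHA-256 digest (simplified; real
// UEFI capsules use Authenticode-style PKCS#7 signatures).
type Image struct {
	Body []byte
	Sig  []byte
}

// Signer is the release-tooling side: whoever holds this private key can
// produce images that verify against the matching public key.
type Signer struct{ priv *ecdsa.PrivateKey }

// NewSigner generates a fresh P-256 key pair (hypothetical key material,
// unrelated to any AMI key).
func NewSigner() (*Signer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: k}, nil
}

// Public returns the key a vendor would embed in shipped firmware.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign produces an update image whose signature covers the whole body.
func (s *Signer) Sign(body []byte) (Image, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
	if err != nil {
		return Image{}, err
	}
	return Image{Body: body, Sig: sig}, nil
}

// Platform is the verifying side: a board whose firmware trusts exactly one
// public key and accepts an update only if the signature checks out under it.
type Platform struct{ trusted *ecdsa.PublicKey }

// Accept re-hashes the body and verifies the signature against the trust
// anchor; a changed body or a signature from any other key fails.
func (p Platform) Accept(img Image) bool {
	digest := sha256.Sum256(img.Body)
	return ecdsa.VerifyASN1(p.trusted, digest[:], img.Sig)
}

// Outcome records the four cases the article's discussion turns on.
type Outcome struct {
	GenuineAccepted          bool // vendor image, board trusts the signing key
	ForgedWithLeakedAccepted bool // attacker image signed with the leaked key, board trusts that key
	ForgedOnProdAccepted     bool // same attacker image, board trusts a separate production key
	TamperedAccepted         bool // vendor image with one byte flipped after signing
}

// Scenario plays out the leak with constructed keys and update bodies.
func Scenario() (Outcome, error) {
	var out Outcome
	testKey, err := NewSigner() // the leaked development/test key
	if err != nil {
		return out, err
	}
	prodKey, err := NewSigner() // a production key that never left the vendor
	if err != nil {
		return out, err
	}
	genuine := []byte("vendor BIOS update v1.2 (constructed sample body)")
	forged := []byte("attacker-modified BIOS image (constructed sample body)")

	// Case 1: board built with the test key accepts the vendor's own image.
	testAnchored := Platform{trusted: testKey.Public()}
	genuineImg, err := testKey.Sign(genuine)
	if err != nil {
		return out, err
	}
	out.GenuineAccepted = testAnchored.Accept(genuineImg)

	// Case 2: attacker signs their own image with the leaked key; same board accepts it.
	forgedImg, err := testKey.Sign(forged)
	if err != nil {
		return out, err
	}
	out.ForgedWithLeakedAccepted = testAnchored.Accept(forgedImg)

	// Case 3: a board that trusts a separate production key rejects that image.
	out.ForgedOnProdAccepted = Platform{trusted: prodKey.Public()}.Accept(forgedImg)

	// Case 4: flipping one byte of a genuine image after signing breaks verification.
	tampered := Image{Body: append([]byte{}, genuineImg.Body...), Sig: genuineImg.Sig}
	tampered.Body[0] ^= 0xff
	out.TamperedAccepted = testAnchored.Accept(tampered)
	return out, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Cases 1 and 2 are the threat TechPowerUp and Caudill describe: possession of the private key is all that separates a vendor's update from an attacker's, so any board whose firmware trusts the leaked key will install either. Cases 3 and 4 are the properties AMI relies on: signing still defeats post-hoc tampering, and a board anchored to a production key that was generated separately gains nothing an attacker can use from the leaked test key. The practical check for a board owner is therefore which public key the shipped firmware actually trusts, something only the vendor can confirm.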