According to specialists at Binarly, a critical vulnerability known as PKFail in the firmware supply chain has put hundreds of UEFI products from 10 different suppliers at risk of being hacked. This vulnerability allows attackers to circumvent Secure Boot mechanisms and install malicious software on the affected devices.
The vulnerable devices are using the Secure Boot test key, also referred to as the Platform Key (PK), which was originally generated by American Megatrends International (AMI). This key was designated as “Do Not Trust,” and the expectation was for suppliers to replace it with their own securely generated keys. However, many OEM manufacturers and device suppliers neglect to make this replacement, resulting in the distribution of devices with unreliable keys. The Platform Key plays a crucial role in controlling Secure Boot data databases and establishing a trusted chain from firmware to the operating system.
Affecting manufacturers such as Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro, a total of 813 products have been identified as vulnerable to this threat.
If exploited successfully, PKFail allows cybercriminals to bypass Secure Boot on these compromised devices by manipulating key databases and ultimately distributing UEFI Rootkits like Cosmicstrand and Blacklotus. Binarly highlights that more than 10% of the firmware images tested were found to be using the insecure Platform Key, with the vulnerability spanning over 12 years from May 2012 to June 2024.
The company also provides a list of nearly 900 affected devices. To mitigate potential attacks, suppliers are advised to generate and manage Platform Keys using secure hardware modules and to replace any test keys provided by BIOS independent suppliers with their own securely generated keys.
Users are urged to stay vigilant by monitoring firmware updates and promptly applying security patches related to the PKFail vulnerability. Binarly has launched a website to assist users in scanning binary firmware files to identify vulnerable devices and malicious payloads.