Major Supply Chain Vulnerability Exposed After 12 Years
A major cybersecurity flaw has been discovered that has gone undetected for 12 years, affecting hundreds of devices from various vendors. The vulnerability, called PKfail, revolves around a test Secure Boot “master key” that, if exploited, can allow attackers to take control of vulnerable devices and install harmful software.
Widespread Risk to Numerous Devices
The vulnerability begins with a Secure Boot “master key”, known as a Platform Key (PK), generated by American Megatrends International (AMI). The PK is a critical component of the UEFI Secure Boot process, which ensures that a computer only boots software trusted by the Original Equipment Manufacturer (OEM). However, it has been found that many vendors failed to replace AMI’s test key with a securely generated key of their own, leaving their devices at risk.
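As an added example (not code from the article, from AMI or from Binarly), here is the kind of check a defender could run on a Linux machine to see whether the firmware's Platform Key is a vendor test key: it reads the PK variable from efivarfs, walks the EFI_SIGNATURE_LIST structures it contains, and flags any X.509 entry whose bytes carry the “DO NOT TRUST” or “DO NOT SHIP” subject strings that Binarly's PKfail write-up associates with test certificates. The efivarfs path, the marker strings and the sample blob are assumptions of this example, and the sample is a constructed placeholder rather than a real certificate.

```python
import struct
import uuid
from pathlib import Path

# efivarfs exposes each variable as <Name>-<VendorGuid>; the first 4 bytes are the attribute flags.
EFIVARS_PK = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")  # assumed subject strings of vendor test certs
# Constructed sample: a DER-looking blob carrying the test-key marker (not a real certificate).
SAMPLE_TEST_CERT = b"\x30\x82\x01\x00CN=DO NOT TRUST - AMI Test PK (constructed sample)"

def parse_signature_lists(blob: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures and yield (type_guid, signature_data)."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI_GUID is mixed-endian, bytes_le handles it
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the payload (a DER cert for X509 lists).
            yield sig_type, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def find_test_key_certs(blob: bytes):
    """Return, per X.509 certificate in the PK body, the test-key markers found inside it."""
    hits = []
    for sig_type, cert in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        found = [m.decode() for m in TEST_KEY_MARKERS if m in cert]
        if found:
            hits.append(found)
    return hits

def check_platform_key(path: Path = EFIVARS_PK):
    """Read the live PK from efivarfs (Linux, needs root) and report any test-key markers."""
    return find_test_key_certs(path.read_bytes()[4:])  # drop the 4-byte attribute word

def build_signature_list(cert: bytes) -> bytes:
    """Pack one X.509 certificate into an EFI_SIGNATURE_LIST (used to build the constructed input)."""
    sig_size = 16 + len(cert)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + uuid.UUID(int=0).bytes_le + cert

if __name__ == "__main__":
    print(find_test_key_certs(build_signature_list(SAMPLE_TEST_CERT)))  # live system: check_platform_key()
```

A non-empty result means the PK certificate still carries a test-key marker and the vendor's firmware update replacing it should be applied; an empty result from a real system only says the marker strings were absent, not that the key is otherwise trustworthy.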
Vendors Failed to Secure Their Devices
Companies such as Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro are among those that did not replace the test PK, leaving over 800 products vulnerable to attack. Cybersecurity researchers from the Binarly Research Team discovered the flaw, which allows threat actors to manipulate the Secure Boot key databases and sign malicious code, ultimately enabling the deployment of UEFI malware.
The Binarly team stated, “The first firmware vulnerable to PKfail was released back in May 2012, while the latest was released in June 2024. This makes this supply-chain issue one of the longest-lasting of its kind, spanning over 12 years,” highlighting the severity and longevity of this security oversight.
Immediate Action Required
Device manufacturers are urged to review the list of affected devices, containing almost 900 entries, and to take the necessary steps to secure their products against PKfail. Users are also encouraged to remain vigilant and to keep their systems updated with the latest security patches.
For an industry that is always racing against time to secure devices from evolving threats, this discovery is a stark reminder of the importance of thorough security practices and of the potential consequences of oversights in supply chain security.