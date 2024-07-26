

WASHINGTON (dpa-AFX) - According to the Binarly Research Team, UEFI Secure Boot is compromised on a large number of devices because of a supply-chain vulnerability the firm calls PKfail.



PKfail stems from a test Secure Boot Platform Key (PK), sometimes called the 'master key', that was shipped in production firmware. If the private half of that key is compromised, attackers can sign their own Secure Boot database updates, boot code of their choosing, take over the vulnerable endpoints, and install malware that loads before the operating system.



The PK is the root of trust of the Unified Extensible Firmware Interface (UEFI) Secure Boot process, which ensures that a computer boots only software trusted by the Original Equipment Manufacturer (OEM).



'This Platform Key, which manages the Secure Boot databases and maintains the chain of trust from firmware to the operating system, is often not replaced by OEMs or device vendors, resulting in devices shipping with untrusted keys,' the Binarly Research Team said.
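The practical question for an administrator is whether the PK on a given machine is one of these vendor test keys. The following script is an added example (it is not Binarly's scanner and not part of the dpa-AFX report): it reads the PK variable as Linux efivarfs exposes it, walks the EFI_SIGNATURE_LIST structure defined by the UEFI specification, and extracts the printable strings of the embedded X.509 certificate so the subject can be checked. The "DO NOT TRUST" marker is the one carried by the test Platform Keys Binarly reported; the other markers, the sample PK blobs, and the cut-down fake certificate used for the offline run are constructed assumptions.

```python
"""Check whether a UEFI Platform Key (PK) looks like a vendor test key.

Added example, not Binarly's tooling. Reads PK from Linux efivarfs,
walks the EFI_SIGNATURE_LIST and inspects the X.509 name strings.
"""
import struct
import uuid
from pathlib import Path

# GUIDs defined in the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
PK_EFIVAR = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE_GUID}")

# "DO NOT TRUST" is the marker in the test PKs Binarly reported; the rest
# are assumptions added here to catch other placeholder keys.
TEST_KEY_MARKERS = ("DO NOT TRUST", "DO NOT SHIP", "TEST PK", "TEST KEY")


def parse_signature_lists(blob):
    """Yield (SignatureType, SignatureOwner, SignatureData) for every entry
    in a concatenation of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def der_strings(der):
    """Return every PrintableString/UTF8String in a DER blob (for a
    certificate: the issuer and subject attributes), recursing into
    constructed tags such as SEQUENCE, SET and explicit [n]."""
    found = []

    def walk(buf):
        off = 0
        while off < len(buf):
            if len(buf) - off < 2:
                raise ValueError("truncated DER element")
            tag, ln = buf[off], buf[off + 1]
            off += 2
            if ln & 0x80:                        # long-form length
                n = ln & 0x7F
                if n == 0 or off + n > len(buf):
                    raise ValueError("invalid DER length")
                ln = int.from_bytes(buf[off:off + n], "big")
                off += n
            val = buf[off:off + ln]
            off += ln
            if tag & 0x20:                       # constructed: recurse
                walk(val)
            elif tag in (0x13, 0x0C):            # PrintableString / UTF8String
                found.append(val.decode("utf-8", "replace"))

    walk(der)
    return found


def check_pk(blob):
    """Inspect each X.509 entry in PK data (without the efivarfs attribute
    prefix). Returns one dict per certificate."""
    findings = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        strings = der_strings(data)
        flagged = any(m in s.upper() for s in strings for m in TEST_KEY_MARKERS)
        findings.append({"owner": str(owner), "strings": strings, "test_key": flagged})
    return findings


def check_pk_efivar(raw):
    """efivarfs prepends 4 bytes of variable attributes to the data."""
    return check_pk(raw[4:])


# --- constructed sample data so the script also runs offline ---------------
def der_tlv(tag, content):
    ln = len(content)
    if ln < 0x80:
        return bytes([tag, ln]) + content
    lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(common_name):
    """Stand-in for a DER certificate: a Name holding one CN attribute.
    Real PKs carry a full X.509 certificate; this is enough for der_strings()."""
    cn_oid = der_tlv(0x06, b"\x55\x04\x03")      # OID 2.5.4.3 commonName
    atv = der_tlv(0x30, cn_oid + der_tlv(0x13, common_name.encode()))
    return der_tlv(0x30, der_tlv(0x30, der_tlv(0x31, atv)))


def build_esl(cert_der, owner=uuid.UUID(int=0)):
    """Wrap one certificate in an EFI_SIGNATURE_LIST of type X509."""
    entry = owner.bytes_le + cert_der
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry))
    return header + entry


SAMPLE_TEST_PK = build_esl(fake_cert("DO NOT TRUST - AMI Test PK"))  # constructed
SAMPLE_OEM_PK = build_esl(fake_cert("Example OEM Platform Key"))     # constructed

if __name__ == "__main__":
    if PK_EFIVAR.exists():
        results = check_pk_efivar(PK_EFIVAR.read_bytes())
    else:
        results = check_pk(SAMPLE_TEST_PK) + check_pk(SAMPLE_OEM_PK)
    for r in results:
        print("TEST KEY" if r["test_key"] else "ok      ", r["strings"])
```

On a live system the script needs read access to efivarfs and only reports what the PK certificate's name fields say; a vendor key with an innocuous subject but a leaked private key would not be caught by a string match, so treat a clean result as necessary but not sufficient. The same parser can be pointed at KEK and db variables to review the rest of the chain.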



Reportedly, more than 800 products from Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro used these untrusted test keys.



'The first firmware vulnerable to PKfail was released back in May 2012, while the latest was released in June 2024. Overall, this makes this supply-chain issue one of the longest-lasting of its kind, spanning over 12 years,' the security firm added.



