[WARNING] Secure Boot Process compromised on 200+ motherboard models

nlinecomputers


TL;DR: Several PC and motherboard manufacturers have incorporated a test certificate, intended only for lab use and whose public and private keys are available on GitHub, in the BIOS of 200 or more UEFI firmwares. Meaning that all a malware author has to do is sign his bootloader with the key to root the system.
 
Not that I think I am affected, but the PowerShell Command given in the first-linked article will not work for me. There are syntax errors I can't figure out how to fix. [How I hate, hate, hate, hate PowerShell!! One of the most opaque and excessively long command syntax structures out there!]
 
You have to edit the stupid example. There is a hard return you have to remove, and the "True" at the end is the output, not the code.

Code:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"
 
The world is losing brain cells faster than a chemo patient. This constant string of stupidity, from workers to CEOs, is killing us.

I'm currently on Linux, so my attack surface is slightly different from, say, a typical Windows user's, but it's still frightening how stupid the industry can be.
 
And the irony of a whole article about sloppy procedures, and they didn't even edit their own code correctly. They could have used a code box like I just did.
 

Strike this: I get the following with that code: The filename, directory name, or volume label syntax is incorrect.

I had a brain fart and accidentally opened Command Prompt within Terminal rather than PowerShell. That will certainly cause a syntax error.

Result: False
 
Get-SecureBootUEFI PK

By the way, what genius decided that an embedded space in a language that's hyphen- and period-crazy was a good idea?!!

Unless, of course, the command is the above, and its output is somehow being piped and ripped apart, but heaven knows I can't make heads nor tails of what's happening on first sight, or even second, and that doesn't happen often when it comes to programming languages or scripting languages.
 
PK is a UEFI register; it stands for public key. It's a parameter being passed to the Get-SecureBootUEFI command. The Get- prefix is a common naming scheme in PowerShell.
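The one-liner above only does a substring match on the raw bytes of the PK variable. As an added example (not code from the thread or from the linked article), the PowerShell below parses the variable the way the UEFI specification lays it out (a chain of EFI_SIGNATURE_LIST structures, each holding EFI_SIGNATURE_DATA entries of a 16-byte owner GUID followed by the DER certificate), loads each X.509 certificate it finds, and flags the AMI test-key subjects. The EFI_CERT_X509_GUID value and the structure offsets are from the UEFI specification; the function name Get-SecureBootCertificate and the TestKey property are this example's own. It needs an elevated PowerShell on a UEFI system with Secure Boot support; Get-SecureBootUEFI throws if the variable does not exist.

```powershell
# Added example: enumerate the X.509 certificates stored in a Secure Boot
# variable (PK, KEK, db or dbx) and flag the AMI test Platform Key subjects.
# Layout per the UEFI spec:
#   EFI_SIGNATURE_LIST : SignatureType GUID (16) | SignatureListSize UINT32 (4)
#                        | SignatureHeaderSize UINT32 (4) | SignatureSize UINT32 (4)
#                        | header bytes | N * EFI_SIGNATURE_DATA
#   EFI_SIGNATURE_DATA : SignatureOwner GUID (16) | SignatureData (SignatureSize - 16)
# Only lists whose SignatureType is EFI_CERT_X509_GUID carry DER certificates;
# hash-based lists (typical for dbx) are skipped.

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

function Get-SecureBootCertificate {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PK', 'KEK', 'db', 'dbx')]
        [string]$Name
    )

    # Get-SecureBootUEFI returns the raw variable contents in .Bytes
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0

    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)   # little-endian
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)

        if ($listSize -lt 28 -or ($offset + $listSize) -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }

        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $sigOffset = $offset + 28 + $headerSize
            $listEnd   = $offset + $listSize

            while ($sigOffset + $sigSize -le $listEnd) {
                $owner = [guid]::new([byte[]]$bytes[$sigOffset..($sigOffset + 15)])
                $der   = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

                [pscustomobject]@{
                    Variable   = $Name
                    Owner      = $owner
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    # Same signal as the thread's one-liner, but applied to the parsed
                    # subject rather than to the raw bytes of the whole variable.
                    TestKey    = [bool]($cert.Subject -match 'DO NOT TRUST|DO NOT SHIP')
                }

                $sigOffset += $sigSize
            }
        }

        $offset += $listSize
    }
}

# Usage: list every certificate in PK, KEK and db and show which ones are test keys.
'PK', 'KEK', 'db' |
    ForEach-Object { Get-SecureBootCertificate -Name $_ } |
    Format-Table Variable, TestKey, Subject, Thumbprint -AutoSize
```

A TestKey of True on the PK row means the firmware shipped with the vendor's test Platform Key rather than a production one; nothing in Windows can change that, only a firmware update from the board vendor replaces the PK. Reading KEK and db as well is useful because those variables are what the PK ultimately authorises updates to, so seeing which owner GUIDs and subjects are present there tells you who can currently push new trusted signers to the machine.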
 
Linux vs Windows doesn't shift the risk profile of this situation at all.

And anything in production that accepts certificates outside the established trust chain will result in issues no matter what you do.

The process is there, the secure path is there, but there is no financial feedback loop to vendors that violate it.

Microsoft had the tech to stop the CrowdStrike event in 2009.
CrowdStrike was founded by those involved in the McAfee outage of 2010.
Azure's breach by the Chinese government was due to Microsoft's mishandling of certificates.

These things will continue to happen until such time as regulators REGULATE the industry. The "market" simply doesn't have a mechanism to hold large organizations accountable to anything, and it really doesn't have any mechanism to hold ethical standards to anything on its own.
 
These things will continue to happen until such time as regulators REGULATE the industry.

And they'll happen after, too, though they may happen less frequently.

I absolutely agree that the industry requires regulation, but that means you need people assisting with the crafting of regulation who actually understand the things being regulated, and what needs it and what doesn't. Given that the recent Supreme Court decision overturned Chevron deference, neutering the very agencies that were invented to manage intelligent regulation because Congress and the courts simply don't, and never will, have the requisite expertise, everything's in an even more precarious state.

There was a time where legislators, politicians, and the court system all knew that deference to subject matter expertise is an essential element of regulation and administration of the world as it exists, now. Sadly, that knowledge appears to have vanished (or at least been hobbled legally to such an extent as to be almost non-existent).
 