“Computer SupplyChain Security”
By Scott Hamilton
I am usually excited about open-source software, but a major issue raised its ugly head back in July. There is a widely used open-source software product used to secure computing systems. This product is ironically called Secure Boot, but in this particular case it has become quite insecure. I am telling the story here in hopes that we all begin to realize that even the smartest engineers can make major mistakes.
In 2012, an industry-wide coalition to hardware and software makers adopted the use of Secure Boot to protect against the threat of malware that could infect the BIOS. I know we are getting a little deep into the technology behind computers, but trust me, it will be worth it in the end. The BIOS stands for Basic Input/Output System and is the first piece of software that runs on any computer. The BIOS tells the processor about all the components in the computer and lets it know about any installed operating system. The operating system is the software that allows you to interact with the computer. In most cases this will be Microsoft Windows, MacOS, or Linux.
Malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. Malware that infects BIOS is especially critical, because BIOS cannot be easily modified while the operating system is running, making it nearly impossible to detect or remove malware from BIOS. The threat of such malware prompted the open-source community to figure out a solution; this is where Secure Boot comes into play.
Secure Boot relies on the use of the public key infrastructure (PKI) to ensure that the BIOS is the one provided by the hardware vendor. It also uses PKI to ensure that the operating system being booted is the one provided by the operating system vendor. This leads to another thing you have to learn before you can understand this particular computer security issue. You need to understand the PKI system.
PKI works kind of like the old wax seals used in the 1700s to prove a letter came from the person who claimed to have sent it. If you wanted to guarantee the authenticity of a letter, you sealed it in an envelope with a wax seal that was imprinted by a custom stamp to which only the author of the letter had access. PKI works off of the same basic concept; the software in question is signed with a private key (think stamp) and can only be verified if the public key (think wax seal) matches the stamp. The signature process also confirms that the software (think letter) was not modified prior to being executed.
On July 25, 2024 the security firm Binarly revealed that the widely used Secure Boot was completely broken on over 200 different computers sold by Acer, Dell, Gigabyte and Supermicro. The cause of this break was one of the cryptographic keys (think stamps) that underpin the entire Secure Boot system was compromised. I would have written about it earlier, but the key was compromised in 2022 so I didn’t see the urgency. This basically means that anyone could pretend to be Acer, Dell, Gigabte or Supermicro because they had a copy of the private key. It would have been like stealing and duplicating the king’s signet ring used to stamp all his correspondence; in essence you become the king.
So exactly how does such a major thing happen that impacts so many hardware vendors? It comes down to human error. In December 2023 someone working for multiple US-based device manufacturers published their private keys in the public Secure Boot software repository. If this wasn’t bad enough, the researchers at Binarly soon discovered a much bigger issue with Secure Boot and the hardware/software supply-chain. They discovered an additional 300 devices from virtually all major device manufacturers utilizing platform keys containing the strings “DO NOT SHIP” or “DO NOT TRUST” which were sample keys from the Secure Boot repository used in the build process to confirm that the system is operating correctly. In other words nearly every major computer manufacturer failed to read the build instructions for Secure Boot and did not remove the test keys from the software image before releasing it on their product. This will allow anyone with the knowledge to create BIOS images the ability to create corrupt BIOS images and distribute them, pretending to be the hardware vendor. The end result is that none of the exposed vendor keys can be trusted because the private portion of the key pair has become an open industry secret.
Alex Matrosov, founder of Binarily, described the issue like this, “Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?”
Matrosov founded Binarly to discover these types of issues and notify hardware vendors before making the issues public in order to improve the hardware/software supply chain. Most of the impacted devices have firmware updates available from the vendor to repair the issue, but you must be very careful in obtaining the patch to make sure it is coming directly from the vendor.
Until next week stay safe and learn something new.
Scott Hamilton is an Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to sh*******@te**********.org or through his website at https://www.techshepherd.org.