site Search:


Home Reviews Tools Forums FAQs Find Service ISP News Maps About  
 
    All Forums Hot Topics Gallery






how-to block ads

  
Forums >

Technical > PC Hardware Discussion/Reviews > AMIBIOS Source Code and AMI's UEFI Signing Key Leaked

Search Topic:
 Uniqs:
68		 Share Topic
 view:
normal
Posting?
Post a:
Post a:
Links: ·Posting Guidelines ·BELARC Advisor ·BIOS Beep Codes ·Equip. ID FAQ ·Mobo Finder ·Where to Buy Hardware
AuthorAll Replies


Octavean
Premium,MVM
join:2001-03-31
New York, NY
kudos:1

AMIBIOS Source Code and AMI's UEFI Signing Key Leaked

quote:
An FTP server in Taiwan that could be publicly accessed, leaked the source code of AMI Aptio UEFI BIOS, including AMI's unique UEFI signing test key. The utterly irresponsible act of holding such sensitive data on public FTPs is suspected to be committed by motherboard vendor Jetway. In doing so, the company may have compromised security of every motherboard (across vendors) running AMI Aptio UEFI BIOS. Most socket LGA1155 and FM2 motherboards, and some socket AM3+ motherboards run AMI Aptio.

Among the leaked bits of software include the source code of AMI BIOS, Aptio, and AMI's UEFI test signing key, which is used by all its clients to sign their BIOS updates. Signing ensures that BIOS updating software verifies the update is genuine, and coming from the motherboard manufacturer. With this key out, malware developers can develop malicious BIOS updates, hack motherboard vendors' customer support websites, and replace legitimate BIOS updates with their malicious ones. Control over the system BIOS could then give hackers access to most ring-0 OS functions.

"By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated & installed for the vendor's products that use this firmware. If the vendor used this same key for other products - the impact could be even worse," writes Adam Caudill, who along with Brandon Wilson, discovered the open FTP server. "This kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system's security is an ideal scenario for covert information collection," he added.
»www.techpowerup.com/182484/AMIBI···ked.html
to forum · permalink · 2013-04-07 10:08:54 ·


signmeuptoo
Love those still alive
Premium
join:2001-11-22
NanoParticle
kudos:4

Wow. My question is, well, is it really that bad? If malware can write to BIOS, I would think they can totally hose a mainboard, and that we will soon see people with hosed computers all over the place, what a nightmare!

to forum · permalink · 2013-04-07 10:38:32 ·


Octavean
Premium,MVM
join:2001-03-31
New York, NY
kudos:1

reply to Octavean
If only this could be used for something beneficial to the end customer.

Something to enhance the product.

Wishful thinking maybe,......?

to forum · permalink · 2013-04-07 10:51:31 ·


Octavean
Premium,MVM
join:2001-03-31
New York, NY
kudos:1

reply to Octavean
AMI responds with a statement:

»ami.com/News/PressRelease/?PrID=392

to forum · permalink · 2013-04-07 13:27:22 ·
Forums > Technical > PC Hardware Discussion/Reviews

Sunday, 07-Apr 20:20:24 Terms of Use & Privacy | feedback | contact | Hosting by nac.net - DSL,Hosting & Co-lo
over 13.5 years online © 1999-2013 dslreports.com.
Most commented news this week
Hot Topics