 OctaveanPremium,MVM join:2001-03-31 New York, NY kudos:1 | AMIBIOS Source Code and AMI's UEFI Signing Key Leaked quote: An FTP server in Taiwan that could be publicly accessed, leaked the source code of AMI Aptio UEFI BIOS, including AMI's unique UEFI signing test key. The utterly irresponsible act of holding such sensitive data on public FTPs is suspected to be committed by motherboard vendor Jetway. In doing so, the company may have compromised security of every motherboard (across vendors) running AMI Aptio UEFI BIOS. Most socket LGA1155 and FM2 motherboards, and some socket AM3+ motherboards run AMI Aptio.
Among the leaked bits of software include the source code of AMI BIOS, Aptio, and AMI's UEFI test signing key, which is used by all its clients to sign their BIOS updates. Signing ensures that BIOS updating software verifies the update is genuine, and coming from the motherboard manufacturer. With this key out, malware developers can develop malicious BIOS updates, hack motherboard vendors' customer support websites, and replace legitimate BIOS updates with their malicious ones. Control over the system BIOS could then give hackers access to most ring-0 OS functions.
"By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated & installed for the vendor's products that use this firmware. If the vendor used this same key for other products - the impact could be even worse," writes Adam Caudill, who along with Brandon Wilson, discovered the open FTP server. "This kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system's security is an ideal scenario for covert information collection," he added.
»www.techpowerup.com/182484/AMIBI···ked.html |
|
 signmeuptooLove those still alivePremium join:2001-11-22 NanoParticle kudos:4 | Wow. My question is, well, is it really that bad? If malware can write to BIOS, I would think they can totally hose a mainboard, and that we will soon see people with hosed computers all over the place, what a nightmare! |
|
 OctaveanPremium,MVM join:2001-03-31 New York, NY kudos:1 | reply to Octavean If only this could be used for something beneficial to the end customer.
Something to enhance the product.
Wishful thinking maybe,......? |
|
 OctaveanPremium,MVM join:2001-03-31 New York, NY kudos:1 | reply to Octavean AMI responds with a statement:
»ami.com/News/PressRelease/?PrID=392 |
|