AMI BIOS Source Code and UEFI Signing Key Found on Public FTP Server

AMI BIOS Source Code and UEFI Signing Key Found on Public FTP Server

The source code of different versions of AMI ((American Megatrends Inc.) firmware and a unique UEFI signing test key were found on an unsecured FTP server. As such, such a security leak may have grave implications for desktop systems that feature motherboards that operate on the AMI UEFI BIOS.

The leaked reference codes indicated that they are rather recent ones as they are dated at February 2012. (Image Source: Adam Caudill)

According to security researcher Adam Caudill, along with the leaked source codes, there is also a unique UEFI signing test key that affects 'Ivy Bridge' platforms. The security implications of their leak may lead to hackers and people with malicious intentions to develop UEFI updates that will be validated and then installed for the vendor’s products that use this ‘Ivy Bridge’ firmware.

The UEFI signing key is meant to be used for firmware authentication; however, if it is compromised, the authenticity of the UEFI BIOS updates will be questionable. Mr. Caudill added that if the same authentication key was to be used in other products, the potential for more damage is subsequently heightened. American Megatrends have officially responded, saying that the leaked signing key is for testing purposes and is not supposed to be used for final production. As a result, products that are sold will not use this key for authentication purposes during their BIOS updates.

Furthermore, the unsecured FTP server wasn't under the purview of AMI as it was operated by one of AMI's customers. Despite this unfortunate security leak, AMI claims that this leak will not compromise the security of systems in the field if the BIOS for the production machines are created using production keys. However, we do raise the possibility of machines in production whose BIOS may be signed with the compromised key and will be potential targets for hackers. As a precautionary note to our readers, it is good practice to disable automatic updates of BIOS of production systems; while at the same time, to manually apply BIOS updates with firmware downloaded from trusted sources.

(Source: AMI, Adam Caudill)

All News Categories

Obsessed with technology?
Subscribe to the latest tech news as well as exciting promotions from us and our partners!
By subscribing, you indicate that you have read & understood the SPH's Privacy Policy and PDPA Statement.