Sunday, April 7th 2013

AMIBIOS Source Code and AMI's UEFI Signing Key Leaked

A publicly accessible FTP server in Taiwan leaked the source code of AMI Aptio UEFI BIOS, including AMI's unique UEFI signing test key. The utterly irresponsible act of holding such sensitive data on a public FTP server is suspected to have been committed by motherboard vendor Jetway. In doing so, the company may have compromised the security of every motherboard (across vendors) running AMI Aptio UEFI BIOS. Most socket LGA1155 and FM2 motherboards, and some socket AM3+ motherboards, run AMI Aptio.

The leaked software includes the source code of AMI BIOS, Aptio, and AMI's UEFI test signing key, which is used by all its clients to sign their BIOS updates. Signing lets BIOS updating software verify that an update is genuine and comes from the motherboard manufacturer. With this key out, malware developers can develop malicious BIOS updates, hack motherboard vendors' customer support websites, and replace legitimate BIOS updates with their malicious ones. Control over the system BIOS could then give hackers access to most ring-0 OS functions.

"By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated & installed for the vendor's products that use this firmware. If the vendor used this same key for other products - the impact could be even worse," writes Adam Caudill, who, along with Brandon Wilson, discovered the open FTP server. "This kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system's security is an ideal scenario for covert information collection," he added.

Source: Adam Caudill's Blog
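Added example (not from the article, from Adam Caudill, or from AMI's code): a toy update check showing why an image signed with a leaked key keeps passing signature verification until the verifier also refuses that key. The tiny RSA keys, the fingerprint scheme and the `check_update` function are constructed for illustration; real firmware uses full-size keys and padded signatures.

```python
import hashlib

E = 65537  # public exponent shared by both constructed toy keys

def make_key(p, q):
    """Return (n, d) for a toy RSA key built from primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(E, -1, phi)

def digest(image, n):
    """SHA-256 of the image reduced mod n (toy stand-in for real padding)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def fingerprint(n):
    """Identify a public key by the SHA-256 of its modulus."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()

def sign(image, n, d):
    return pow(digest(image, n), d, n)

def check_update(image, sig, signer_n, trusted, revoked):
    """Decide whether a flasher should accept an update image."""
    fp = fingerprint(signer_n)
    if fp in revoked:                      # revocation is checked first
        return "reject: signer key is revoked"
    if fp not in trusted:
        return "reject: unknown signer"
    if pow(sig, E, signer_n) != digest(image, signer_n):
        return "reject: bad signature"
    return "accept"

# Constructed keys from Mersenne primes: far too small for real use.
TEST_N, TEST_D = make_key(2**127 - 1, 2**89 - 1)   # stands in for a leaked test key
PROD_N, PROD_D = make_key(2**107 - 1, 2**61 - 1)   # stands in for a private production key

def demo():
    image = b"constructed firmware image"
    trusted = {fingerprint(TEST_N), fingerprint(PROD_N)}
    revoked = {fingerprint(TEST_N)}
    test_sig = sign(image, TEST_N, TEST_D)
    prod_sig = sign(image, PROD_N, PROD_D)
    return [
        check_update(image, test_sig, TEST_N, trusted, set()),    # no revocation list
        check_update(image, test_sig, TEST_N, trusted, revoked),  # test key revoked
        check_update(image, prod_sig, PROD_N, trusted, revoked),  # production key
        check_update(image + b"!", prod_sig, PROD_N, trusted, revoked),  # modified image
    ]

if __name__ == "__main__":
    print(demo())
```

The first result is the situation the article describes: the signature is mathematically valid, so only the revocation check in the second call stops the image.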

23 Comments on AMIBIOS Source Code and AMI's UEFI Signing Key Leaked

#1
FordGT90Concept
"I go fast!1!11!1!"
Look on the bright side: this may mean BIOS can be updated to eliminate secure boot (aka DRM).
Posted on Reply
#2
The Von Matrices
I guess people with Samsung laptops can now finally use them with operating systems other than Windows.
Posted on Reply
#3
cdawall
where the hell are my stars
Go jetway!
Posted on Reply
#4
spectatorx
"Malicious firmware/bios/uefi" a.k.a. firmware/bios/uefi allowing user to do with bought device anything user wish to.
Posted on Reply
#5
Frick
Fishfaced Nincompoop
by: spectatorx
"Malicious firmware/bios/uefi" a.k.a. firmware/bios/uefi allowing user to do with bought device anything user wish to.
Or, you know, allowing people to install serious malware.
Posted on Reply
#6
Animalpak
So maybe the virus now can be inside the motherboard not anymore on HardDisk?

And then how you clean the motherboard bios? Buying new one?
Posted on Reply
#7
_JP_
by: Animalpak
So maybe the virus now can be inside the motherboard not anymore on HardDisk?
Yes, it WILL be in the motherboard, not the HDD.
by: Animalpak
And then how you clean the motherboard bios? Buying new one?
No. You just have to remove the infected chip out and install a clean one, or just reprogram (with an external programmer) the infected one, just like in the CIH days.
Posted on Reply
#10
Sabishii Hito
I forgot AMI's HQ was only about 20 minutes away from where I live.
Posted on Reply
#11
Ferrum Master
good news... I hated that thing... DRM is double edged sword that is implemented in very wrong fashion... shoo shoo get lost... I want to really own the device I buy, not just lend it...
Posted on Reply
#13
Rebel333
This might be excellent news, does this mean we are going to see more customizable bios, such as adding memory timings, overclocking CPU, GPU, changing voltages, etc in Samsung laptops?
Posted on Reply
#14
cadaveca
My name is Dave
by: Rebel333
This might be excellent news, does this mean we are going to see more customizable bios, such as adding memory timings, overclocking CPU, GPU, changing voltages, etc in Samsung laptops?
Nope.


I've got AMI UEFI editing tools. I posted I had them many months ago.


When you go to update BIOS, the BIOS is checked if it is "official" BIOS. This is the mechanism that prevents you from flashing BIOS from a different product to your board.


So, now, someone could write "I LOVE SPAGETTINI" a billion times, and your board would flash it to the BIOS chip, thinking it was a BIOS.


And I got my software off of Jetway's FTP as well. This is hardly new news, honestly, Jetway's FTP was open for a long long time (literally years), as was ASUS's (again, years, you can find lots of posts about it), and several other board makers. Today, all these FTPs are blocked from open public access.


Seems like Adam Caudill was just looking for some traffic! Publicly leaking that key and other info is very much a dick move.
Posted on Reply
#15
Jorge
It's sad and malicious that some companies are so callous.
Posted on Reply
#16
PopcornMachine
Well I guess no other human had done something incredibly insanely stupid today.

Someone had to step up and do it.

That's the problem with the keys and certificates and stuff. Good in theory, but you've got to consider the weakest link in the chain.

Depresses me that I too am a member of this ignoble group.

Ok, rant over. Have a nice day.
Posted on Reply
#17
Steven B
There are some leaked tools out there already that will allow you to flash boards with a BIOS not for that board. However this is great, because now vendors will have to one up their security, I mean do you guys think their security was so low that any motherboard maker could hack each other's UEFI? Some vendors don't allow such easy access to their UEFIs as they have to make up their own modules, for instance memory OC profiles is a custom module, as is UEFI profile sharing, and other stuff like that. I mean sure there are some vendors who don't use much security, some very big ones too, but other vendors can put on good security, which will probably become even greater with this.

I am sure AMI with their nice monopoly will do something about it.
Posted on Reply
#18
ironwolf
The vendor had the following to say:

Posted on Reply
#20
hkbeta
great article... or not

Let me tell you something else. On a public FTP there is the source code for Windows 8. And on the same *public* FTP there is the complete source code for World of Warcraft (all of them). And on another public ftp you can find a program that lets you decrypt any encrypted ZIP and RAR file. And of course there's a FTP where you can find... never mind, I think you got the point.

So techpowerup editors please start and write about all of the above, no need for a link to the FTP, if I tell you it's true, then it's true. Or should I write this on a blog to believe me?
Posted on Reply
#21
W1zzard
by: hkbeta
Let me tell you something else. On a public FTP there is the source code for Windows 8. And on the same *public* FTP there is the complete source code for World of Warcraft (all of them). And on another public ftp you can find a program that lets you decrypt any encrypted ZIP and RAR file. And of course there's a FTP where you can find... never mind, I think you got the point.

So techpowerup editors please start and write about all of the above, no need for a link to the FTP, if I tell you it's true, then it's true. Or should I write this on a blog to believe me?
You can find the leaked AMI source code yourself, it's not that difficult.
Posted on Reply
#22
Baum
posting a link just poses more risk than use for tpu...
use your giyf skills or you are wrong here anyway

well i wasn't able to get the source code myself just to see it out of curiosity :rolleyes:
Posted on Reply
#23
btarunr
Editor & Senior Moderator
by: hkbeta
So techpowerup editors please start and write about all of the above, no need for a link to the FTP, if I tell you it's true, then it's true. Or should I write this on a blog to believe me?
google.com
Posted on Reply