Secure Boot is busted on hundreds of PCs from Dell, Acer, Intel, and others

And according to an Ars Technica post, “more than 200 device models” from these vendors are affected by one particular key that was posted to an open GitHub repository in late 2022.

Binarly is calling the exploit “PKfail.” The meat and bones of the situation is that a lot of devices in both the consumer and B2B spaces are now vulnerable to attacks on the boot process. This is one of the most dangerous ways in which a computer can be compromised, though attacks do need to be particularly complex to succeed.

It’s the kind of exploit that state-sponsored hackers love, because it’s possible to target extremely specific devices and run code that’s almost undetectable once you get into Windows or a similar OS. (Larger-scale attacks on general users are also possible, but less likely.)

One of the more upsetting issues highlighted by the report is that several vendors actually shipped devices with firmware labeled “DO NOT TRUST” or “DO NOT SHIP,” indicating that they knew about the compromised state of the keys… and ignored it.

It should be easy enough for hardware vendors to update device firmware and remove the compromised binary files, though the breadth of the vulnerability means that some PCs could require multiple firmware updates to cover all affected components.

Binarly has created an online tool for PKfail detection that lets you scan firmware files to see if the corresponding devices are using the compromised keys. Ars Technica’s post goes into more depth and has a full list of the affected hardware models.

Perhaps the most disturbing revelation in all of this is that a single careless post, which was in no way malicious, can instantly make so many devices from so many manufacturers unsafe. And due to the nature of Secure Boot, there doesn’t seem to be any way to stop it from happening again aside from being extremely careful.