“The complexity of the supply chain is overgrowing our ability to effectively manage the risks associated with third-party suppliers,” Binarly researcher Fabio Pagani wrote Monday. “PKfail is a great example of a supply chain security failure impacting the entire industry. However, these risks could be mitigated and totally avoidable if we focus more on delivering a secure-by-design philosophy.”
Previously, all discovered keys originated from AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. Since July, Binarly has found keys that originated with AMI competitors Insyde and Phoenix.
Binarly has also found that the following three vendors sell devices affected by PKfail:
Monday’s post went on to say: “Based on our data, we found PKfail and non-production keys on medical devices, desktops, laptops, gaming consoles, enterprise servers, ATMs, POS terminals, and some weird places like voting machines.”
Binarly officials declined to identify specific models, citing non-disclosure agreements, because no fixes are yet available. The updated figures will be discussed at the LABScon security conference scheduled for next week.
The discovery of additional device models and platform keys came through submissions to a free detection tool provided by Binarly. In the months since the PKfail research was published, the tool received submissions of 10,095 unique firmware images. Of those, 791, or 8 percent, contained the non-production keys.
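The detection tool itself is Binarly's; the script below is an added illustration of the same check applied to one machine rather than to a firmware image. It reads the Platform Key (PK) variable from Linux efivarfs (path assumed here), walks the EFI_SIGNATURE_LIST structure defined by the UEFI specification, pulls the subject name out of each X.509 entry with a minimal DER walker, and flags the "DO NOT TRUST" / "DO NOT SHIP" strings that the leaked test certificates carry in their subjects. The sample variables are constructed from unsigned certificate skeletons so the script runs offline; they are not real keys.

```python
"""Check a UEFI Platform Key (PK) variable for PKfail-style test certificates.
Added illustration, not Binarly's tool; efivarfs path and sample data assumed."""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
PK_EFIVAR = f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}"  # Linux efivarfs
TEST_KEY_MARKERS = ("DO NOT TRUST", "DO NOT SHIP")  # seen in leaked test PK subjects
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


# ---- minimal DER encode/decode, just enough to walk an X.509 subject ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def x509_subject(cert):
    """Subject DN of a DER certificate as 'CN=...' (no signature check)."""
    _, cert_body, _ = der_read(cert, 0)                     # Certificate SEQUENCE
    fields = der_children(der_children(cert_body)[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                                 # optional [0] version
        fields = fields[1:]
    subject = fields[4][1]        # serial, sigAlg, issuer, validity, subject, ...
    parts = []
    for _, rdn in der_children(subject):                     # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


# ---- EFI_SIGNATURE_LIST walker: 16-byte type GUID, 3 x UINT32, then entries ----
def signature_entries(blob, efivarfs=True):
    """Yield (signature_type, owner_guid, data) for every EFI_SIGNATURE_DATA."""
    pos = 4 if efivarfs else 0    # efivarfs prefixes a 4-byte attributes word
    while pos + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        end = pos + list_size
        if list_size < 28 or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        entry = pos + 28 + hdr_size
        while entry + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[entry:entry + 16])
            yield sig_type, owner, blob[entry + 16:entry + sig_size]
            entry += sig_size
        pos = end


def check_pk(blob, efivarfs=True):
    """Return [(subject, is_test_key)] for each X.509 entry in a PK variable."""
    findings = []
    for sig_type, _owner, data in signature_entries(blob, efivarfs):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        subject = x509_subject(data)
        findings.append((subject, any(m in subject.upper() for m in TEST_KEY_MARKERS)))
    return findings


# ---- constructed sample input: unsigned certificate skeletons, not real keys ----
def _name(cn):
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def make_fake_cert(cn):
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + _name(cn) + validity + _name(cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))   # dummy signature value


def make_pk_variable(cert_der, attrs=0x27):
    """Wrap one cert the way PK appears in efivarfs: attrs + EFI_SIGNATURE_LIST."""
    sig_data = uuid.UUID(int=1).bytes_le + cert_der        # SignatureOwner + X.509 DER
    hdr = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig_data), 0, len(sig_data))
    return struct.pack("<I", attrs) + hdr + sig_data


SAMPLE_TEST_PK = make_pk_variable(make_fake_cert("DO NOT TRUST - AMI Test PK"))
SAMPLE_OEM_PK = make_pk_variable(make_fake_cert("Example OEM Platform Key"))

if __name__ == "__main__":
    import pathlib, sys
    path = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else PK_EFIVAR)
    blob = path.read_bytes() if path.exists() else SAMPLE_TEST_PK
    for subject, suspect in check_pk(blob):
        print(("SUSPECT  " if suspect else "ok       ") + subject)
```

Run it with no arguments on a Linux host booted under UEFI and it reads the enrolled PK; pass a path to use a saved copy of the variable. A clean subject is not proof of safety: the same check belongs on the KEK and db entries, and on the default key store extracted from the vendor's firmware image, since a later firmware update can re-enroll whatever the image ships.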
PKfail undermines the assurances provided by Secure Boot, a protection that is mandated for some government contractors and is required in many corporate settings. Because the private halves of the shipped test keys are not secret, anyone holding them can sign their own key exchange key and signature database updates for an affected machine and, from there, authorize bootloaders the device owner never approved. Secure Boot is also considered a best practice for those who face high-risk threats. For people or devices that don’t use Secure Boot, PKfail poses no added threat. Last month, PKfail was assigned the designations CVE-2024-8105 and VU#455367.