←back to thread

Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

(securityonline.info)
658 points transpute | 1 comments | 06 May 23 17:39 UTC | HN request time: 0.208s | source
Show context
josephcsible ◴[06 May 23 19:00 UTC] No.35844339[source]
This isn't a blow to real security, just to DRM and treacherous computing. There's no legitimate security from "Secure" Boot.
replies(2): >>35844366 #>>35845021 #
bawolff ◴[06 May 23 19:03 UTC] No.35844366[source]
Evil maids?
replies(6): >>35844387 #>>35844545 #>>35844816 #>>35845120 #>>35845414 #>>35849808 #
AshamedCaptain ◴[06 May 23 19:53 UTC] No.35844816[source]
There was this recent article (here in HN) about these "evil public charging ports that can hack your smartphone" and how there is an entire ecosystem of devices to protect against them.... when in practice no one has heard about any one single example of such evil charging port, and that in practice carrying out such attack is so target-specific and leaves so many warnings signs that the entire thing sounds implausible to say the least.

These evil maids are even more implausible than that. Has to be ridiculously targeted. If you are really targeted by such a powerful state-like entity, wouldn't it make much more sense for them to just send a NSA letter to Intel (or whatever the weakest link in your chain is, and there are plenty of extremely weak chains here, like the BIOS manufacturer) and/or backdoor the hell out of it?

Secure Boot was never about security for normal users nor security for the majority of us. This is like https://xkcd.com/1200/ all over again. At the point the attacker can write arbitrary bytes to your hard disk, its way past the point where the majority of users care.

replies(2): >>35844967 #>>35844977 #
sigmoid10 ◴[06 May 23 20:13 UTC] No.35844977[source]
It's not just about evil maids and physical access. Even if you did get root level RCE, you did not have access to screw with hardware security. With the UEFI keys, you suddenly have a whole new level of persistence, meaning that if you ever get pwned, you can basically throw your hardware in the trash, because even a system level wipe will not be a guaranteed way to clean malware.
replies(1): >>35845090 #
AshamedCaptain ◴[06 May 23 20:26 UTC] No.35845090[source]
If your attacker has root, and your system allows flashing the BIOS from root (many do), he can simply disable Secure Boot, or enroll one extra signature -- his. If the system doesn't allow flashing a BIOS even if an attacker has root access, then Secure Boot makes no difference whatsoever.
replies(2): >>35845869 #>>35846144 #
hiatus ◴[06 May 23 23:01 UTC] No.35846144[source]
What does the boot rom have to do with the root user of an operating system? How does root help you disable secure boot if there is a password to change UEFI settings for instance?
replies(1): >>35846453 #
1. IgorPartola ◴[06 May 23 23:44 UTC] No.35846453[source]
At the point where you have root you basically won. You can ship user’s data elsewhere. You can install a key logger. You can empty their bank account.

But yes if the OS also let’s you change the boot ROM then you can make your root access semi-permanent.