AMI BIOS source code and UEFI signing key found on public FTP

April 8, 2013, 9:41 AM

The source code and unique UEFI signing test key for firmware developed by American Megatrends Inc. (AMI) have been discovered on an FTP server in Taiwan. What makes the news especially damning is that the sensitive data was allegedly stored on a public server owned and operated by a third-party vendor (perhaps Jetway). As a result, virtually every board that runs AMI Aptio UEFI BIOS may be vulnerable to attack; that includes most socket LGA1155 and FM2 motherboards as well as some AM3+ boards.

Researcher Brandon Wilson discovered the code among a slew of internal e-mails, system images, photos and even private specification sheets. The private signing test key was included in the leak, which makes it possible and easy for someone to create malicious UEFI updates that can be validated and installed on Ivy Bridge firmware, according to security expert Adam Caudill.

Caudill recently spoke with AMI about the issue and learned that the signing key is the default test key. AMI instructs customers to change this key before building for a production environment, although it’s not known if the vendor in question adhered to this advice. Furthermore, the Ivy Bridge code was unmodified.

It’ll all come down to whether or not the vendor changed the key, but either way, it’ll be interesting to see what becomes of the source code over time once other researchers get their hands on it. As Caudill noted on his blog, this kind of leak is a dream come true for advanced corporate espionage or intelligence operations.

User Comments: 6

howzz1854 said:

We recommend owners to change their oil every 3000 miles. ~ think on that.

Guest said:

What kind of oil ???

Really, I think it's better for a change of conventional oil every 3000 km instead of miles!

VitalyT said:

Track the good people down, and give them some time to think over this, say, 10 years behind bars, for compromising security of millions of sold computers.

JC713 said:

Wow. I bet there are tons of similar instances around the world that no one knows about.

Jim$ter said:

Since we're talking about changing oil... I change mine when my Accord tells me to, which is around 9000 miles. I think the Honda engineers know when their own engines need oil changes. You know, old cars always said in the manual to change oil every 7500 miles... till the oil companies got it in everyone's head that you have to change it every 3000 miles. Think about that!

howzz1854 said:

Hence my point, no one follows what's recommended.

On a side note, you can get the oil analysed by a lab. But the better the oil you put in your car, the longer it can stay in your car. Mobil 1, for example, is good in most cars for up to 10,000 miles, give or take. It all depends on how you drive; it wears differently.
