The Core Weakness of the Cybersecurity Industry: Lazy Key Management


There’s a problem within the cybersecurity industry. Whether it’s Microsoft not rotating the key pair for its Azure cloud or SolarWinds having its private keys breached, you’ll find that many companies are lazy with their key management. Typically this involves the exposure of a trusted signing (private) key that is associated with a verifying (public) key. Now a new posting from Binarly outlines that Secure Boot on around 200 computer systems is completely broken.

This relates to the ability of a computer to have a secure boot process which cannot be tampered with, and which removes the threat of BIOS rootkits. To address this threat, the industry developed UEFI (the Unified Extensible Firmware Interface), which uses public-key cryptography to block any additional boot code that has not been digitally signed by a pre-approved entity.

The team at Binarly has now demonstrated a compromise of the Secure Boot process on a range of devices, including those from Acer, Dell, Intel, Fujitsu, HP, and Lenovo.
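To make the mechanism concrete, here is an added example (not code from the post, Binarly, or any firmware vendor) that models the Secure Boot check in Go: a trust store with an allow-list (db) and a revocation list (dbx), an image signed with a vendor key, and a verifier that accepts the image only if the signer is enrolled, not revoked, and the signature matches the image digest. Real firmware uses X.509 certificates and Authenticode signatures over PE files; the use of Ed25519, the SHA-256 fingerprints, and all names and sample data here are assumptions made to keep the example self-contained. The last step shows why key management matters: once a private key is known to be leaked, revoking it blocks every image it ever signed, including ones that were previously valid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// TrustStore is a deliberately simplified model of the UEFI Secure Boot
// variables: db holds the public keys allowed to sign boot images, dbx holds
// fingerprints of keys that have been revoked (for example after a private
// key leak). Ed25519 stands in for the real X.509/Authenticode machinery.
type TrustStore struct {
	db  map[string]ed25519.PublicKey
	dbx map[string]bool
}

// SignedImage bundles a boot image with its signature and the signer's public
// key, standing in for a signed PE binary.
type SignedImage struct {
	Image  []byte
	Signer ed25519.PublicKey
	Sig    []byte
}

func NewTrustStore() *TrustStore {
	return &TrustStore{db: map[string]ed25519.PublicKey{}, dbx: map[string]bool{}}
}

// Fingerprint identifies a key by the SHA-256 of its raw bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// GenerateSigner creates a fresh key pair; the private half is the secret a
// vendor must protect.
func GenerateSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Allow enrolls a public key into db.
func (t *TrustStore) Allow(pub ed25519.PublicKey) { t.db[Fingerprint(pub)] = pub }

// Revoke places a key's fingerprint in dbx; dbx takes precedence over db.
func (t *TrustStore) Revoke(pub ed25519.PublicKey) { t.dbx[Fingerprint(pub)] = true }

// SignImage signs the SHA-256 digest of the image, mirroring how Authenticode
// signs a digest of the file rather than the raw bytes.
func SignImage(priv ed25519.PrivateKey, image []byte) SignedImage {
	digest := sha256.Sum256(image)
	return SignedImage{
		Image:  image,
		Signer: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, digest[:]),
	}
}

// VerifyImage is the check firmware performs before handing control to a
// loader: the signer must be in db and not in dbx, and the signature must
// match the image digest. The verification key is taken from the trust
// store, never from the image itself.
func (t *TrustStore) VerifyImage(img SignedImage) (bool, string) {
	fp := Fingerprint(img.Signer)
	if t.dbx[fp] {
		return false, "signer revoked (in dbx)"
	}
	pub, ok := t.db[fp]
	if !ok {
		return false, "signer not in db"
	}
	digest := sha256.Sum256(img.Image)
	if !ed25519.Verify(pub, digest[:], img.Sig) {
		return false, "signature does not match image"
	}
	return true, "ok"
}

func main() {
	store := NewTrustStore()
	oemPub, oemPriv := GenerateSigner()
	store.Allow(oemPub)

	// Constructed sample image; in practice this would be a bootloader binary.
	good := SignImage(oemPriv, []byte("bootx64.efi (constructed sample image)"))
	fmt.Println(store.VerifyImage(good))

	// A modified image fails even though the signer is trusted.
	bad := good
	bad.Image = append(append([]byte{}, good.Image...), []byte(" modified")...)
	fmt.Println(store.VerifyImage(bad))

	// After the OEM key is known to be leaked, revoking it blocks every image
	// it ever signed, including the previously valid one.
	store.Revoke(oemPub)
	fmt.Println(store.VerifyImage(good))
}
```

The point of the ordering in VerifyImage is that revocation wins over enrollment: a leaked key that is still present in db is harmless only if its fingerprint has also reached dbx, which is exactly the update step that lazy key management tends to skip.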



Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
