Security Hardware

AMI Firmware Source Code, Private Key Leaked

Trailrunner7 writes "Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan. Researcher Brandan Wilson found the company's data hosted on an unnamed vendor's FTP server. Among the vendor's internal emails, system images, high-resolution PCB images and private Excel spreadsheets was the source code for different versions of AMI firmware, code that was current as of February 2012, along with the private signing key for the Ivy Bridge firmware architecture. AMI builds the AMIBIOS BIOS firmware based on the UEFI specification for PC and server motherboards built by AMI and other manufacturers. The company started out as a motherboard maker, and also built storage controllers and remote management cards found in many Dell and HP computers. 'The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,' researcher Adam Caudill said. 'Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.'"
  • by Truekaiser ( 724672 ) on Friday April 05, 2013 @02:08PM (#43370595)

    Actually, yes it can.
    “By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated and installed for the vendor’s products that use this Ivy Bridge firmware,”

    It will allow those with secure boot, that is on and has no user visible way of shutting it off. Because every extra option in a UEFI/BIOS costs system builders like Dell and HP money. A way of disabling it by flashing a BIOS/UEFI image with that option or it permanently set to off.

  • Re:Link? (Score:4, Interesting)

    by mjr167 ( 2477430 ) on Friday April 05, 2013 @02:34PM (#43370925)

    There is nothing wrong with being on "wife support", assuming she can afford to keep you. Change your title to "home maker" and think of it as an opportunity.

    My husband stays home with our kids building block towers and signing about the letter A all day. There is actually a growing community of stay at home husbands, and if you think about it, it is really the next logical step towards equality. If we want women to have the option to go out and earn a 6 figure salary, then we need to be willing to let men stay home and feel proud about it.

    If you have no kids to raise, then take the opportunity to reinvent yourself. Start a non-profit. Make soda can sculptures that you can sell at your local craft show. Volunteer. These are the things we expected and praised women for doing and there is no shame in men doing them too.

    So pick up your head, take pride in the fact that you have a loving, supportive wife, and turn this into an opportunity. The value of a man, or woman, is not measured solely by their income, but rather how they work to better others.

  • by philipmather ( 864521 ) on Friday April 05, 2013 @02:39PM (#43370969) Homepage Journal
    Assuming for a moment that the validity of this key is confirmed independently, then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication, which is that you can't trust a major motherboard vendor to keep a signing key properly secured. Secure Boot is dead, long live security.
