Forgot your password?
typodupeerror
Security Hardware

AMI Firmware Source Code, Private Key Leaked 148

Posted by Soulskill
from the never-trust-others-to-respect-your-property-as-much-as-you-do dept.
Trailrunner7 writes "Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan. Researcher Brandan Wilson found the company's data hosted on an unnamed vendor's FTP server. Among the vendor's internal emails, system images, high-resolution PCB images and private Excel spreadsheets was the source code for different versions of AMI firmware, code that was current as of February 2012, along with the private signing key for the Ivy Bridge firmware architecture. AMI builds the AMIBIOS BIOS firmware based on the UEFI specification for PC and server motherboards built by AMI and other manufacturers. The company started out as a motherboard maker, and also built storage controllers and remote management cards found in many Dell and HP computers. 'The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,' researcher Adam Caudill said. 'Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.'"
This discussion has been archived. No new comments can be posted.

AMI Firmware Source Code, Private Key Leaked

Comments Filter:
  • This could be very very bad..
    • by Anonymous Coward

      And this also could be great. Like everything, 90% of firmware sucks. Unlike most other software, replacing the firmware usually isn't even close to an option, and I loathe almost every single hardware company as a result of this.

      • Unlike most other software, replacing the firmware usually isn't even close to an option If you do some research [coreboot.org] before buying a new main board its a lot closer.

        • by Junta (36770)

          Of course, considering the selection of coreboot applicable hardware is extremely limited and mostly ancient...

    • by briancox2 (2417470) on Friday April 05, 2013 @02:06PM (#43370571) Homepage Journal
      Bad? Part of the UEFI barrier for other OS's has just been Open Sourced.

      And there was much rejoicing.
      • by Anonymous Coward

        No it hasn't. You're not going to be able to use this to bypass UEFI secure boot even on AMI hardware let alone it being applicable to hardware at large.

      • Bad? Part of the UEFI barrier for other OS's has just been Open Sourced.

        And there was much rejoicing.

        Or a piece of malware will now sign itself and change the keys making it impossible to remove. It would be better totally unlocked otherwise. If the keys were in ROM where they could not be rewritten then yes there will be much rejoicing but who is to say the malware wont reimage itself in the UEFI and put another set of keys maybe randomly generated on the host?

        • Or a piece of malware will now sign itself and change the keys making it impossible to remove. It would be better totally unlocked otherwise. If the keys were in ROM where they could not be rewritten then yes there will be much rejoicing but who is to say the malware wont reimage itself in the UEFI and put another set of keys maybe randomly generated on the host?

          You mean like a root kit? That's only existed for forever, and UEFI has been shown to be infeffective in the real world at stopping them. So your illusion of security was shattered. Pick up your hat and move on ... designing a more workable security scheme.

          • A rootkit in a non signed way is impossible on UEFI unless you disable it by default.

            However if it is signed and the AV software does not have the access to it then you are fucked. It is an OS reinstall. Worse if it uses the keys to reimage the rom then it is bricked.

            • Ok. And in the real world, there is no evidence that it is possible to prevent rootkits from eventually being signed on a UEFI. Because now, they are going to be...agreed?

              So that means we are right back to where we started in the first place. UEFI is useless at best, burdensome and unfair for people wanting to add/change the OS at worst.

              Time to toss it.
  • Link? (Score:5, Insightful)

    by visualight (468005) on Friday April 05, 2013 @01:52PM (#43370357) Homepage

    I could care less about the security implications. Where's the link to the full key and source code?

    • by Anonymous Coward

      Something tells me the admin of AMISource.com [amisource.com] is about to have a bad day!

      • by stafil (1220982)

        Just out of curiosity I would love to have a look at their code. I am sure it will appear in piratebay soon.

        Anybody knows if it is illegal to download it and have a peek at it?

        • I think it would be perfectly legal.
          To me it seems the same as having Marijuana seeds or spores of a psilocybin mushroom. It's perfectly legal to be in possession of them. However, if you attempt to start growing them, it's your ass.

          Bad analogy?
        • by BitZtream (692029)

          Unauthorized access to a computer, computer network or network resources is illegal in the United States of America.

          No matter what anyone tells you, it is never actually legal for you to steal from someone else.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      THEN CARE LESS.
      The phrase is "I couldn't care less", you troglodyte.

    • From one of the features FA:

      "I’ve contacted both the vendor involved and AMI to alert them to the issue. Obviously, I won’t be releasing the name of the vendor, the FTP address, or anything that was seen on the server."

      Maybe we won't see it ever :(

      • We shouldn't believe him then. The old 'tits, or GTFO' applies. In fact, it sounds like attempted extortion.

    • by Anonymous Coward

      *ahem* http://www.mmnt.net/db/0/0/ftp.jetway.com.tw

    • by Anonymous Coward

      http://pastebin.com/LFGhmfS9

    • This has the link, but that'll do you no good [virustracker.info] at this point.

      In related news, I'm more interested in buying an AMI motherboard now. Especially one with CoreBoot flashed over it.

      • So you are more interested in purchasing something malware writters who now know the keys to sign their malware as a rootkit making it impossible to remove?

        • Only one of my machines now has a BIOS that's signed (UEFI). The risk of a dangerous flashing malware is just the same as it has been since the early 90's, no?

          I always seem to have to reboot into DOS to actually flash when I want to, though. If there's a general way to flash a BIOS from linux, I'm interested.

          • by BitZtream (692029)

            The risk of a dangerous flashing malware is just the same as it has been since the early 90's, no?

            No. This key is still not public, so it still requires the hacker going after you to guess an incredibly long number of bits correctly in order to fool your system into thinking it is valid.

            Your BIOS's from the 90s did basic checksum tests that were designed for detecting corruption, not intentional modifications. They use basic CRC32 type of checksums, trivial to fake with simple modification of any 4 bytes in the file, which you can determine with a single simple function as they weren't designed to be

  • by Anonymous Coward

    Besides all the gloom and doom, I can see a use case for this. someone tell coreboot.org? it would make updating your (ami)bios with embedded linux a bit simpler, eh?

  • by Meshugga (581651) on Friday April 05, 2013 @02:05PM (#43370561)

    ...it's not even funny.

  • by Anonymous Coward

    Why is only the worst case is mentioned? This can actually be good and help projects like coreboot support more hardware. Or maybe someone will make opensource fork of their firmware as there is a lot to improve in current uefi implementation.
    As for the viruses I don’t think even with the signing key we will not see many bios viruses as it is really hard to write that actually does anything beside bricking the hardware. And on most systems it is impossible to update bios after the os is loaded.

  • What a waste of time.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      There is nothing wrong with SecureBoot, and in fact is a good idea. The problem is security by obscurity. Current SecureBoot implementations are just hoping you never discover the private key. A CORRECT way to do it is to allow custom keys to be loaded by people who have physical access to the machine. If you want Windows to be booted, you load their public key into your secure boot list. If you want to also boot Fedora/Ubuntu/Debian/Redhat, you install their public key. If you want to install a custom Linu

      • Everything is wrong with secureboot.

        Look, all we need is a simple BIOS option to that allows users to enable OS installs on next boot. When active it could flash part of the BIOS with the OS boot loader. FUCKING DONE. The OS will then be able to boot immediately, and can kick off it's own security chains to validate the rest of the kernel / etc. Use public key crypto in the "early kernel" loader and the existing firmware OS code can verify signatures of new kernel updates without being beholden to s

  • by MugenEJ8 (1788490)

    'The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,' researcher Adam Caudill said. 'Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.'

    It's safe to assume the latter, as malware commanders don't want the computer offline or under scrutiny. Just give them another vector to attack and easier ways to cover up the bot.../p

  • There isn't anything useful that has been leaked.
    • Would you be so kind to elaborate? Thanks.
    • Re:NOTHING IS LEAKED (Score:4, Informative)

      by dutchwhizzman (817898) on Friday April 05, 2013 @06:00PM (#43373465)

      md5sum Downloads/018s.zip

      4ebc77526c2ea7c0387cc993252e682b Downloads/018s.zip

      md5sum 018s/Keys/FW/.priKey

      198e238540b93095f02ee763bdadba86 018s/Keys/FW/.priKey

      There are no American tanks in Baghdad. The situation is completely under control.

    • Ahhhh yes, no American Tanks... only burning hulls that our Superior Forces are defeating everywhere! Americans are retreating and begging for mercy! Yes... it's out now, and I only checked a few places that had nothing at the time I posted previously (obviously I didn't look in the "right" places!).
  • by Anonymous Coward

    "I’ve contacted both the vendor involved and AMI to alert them to the issue. Obviously, I won’t be releasing the name of the vendor, the FTP address, or anything that was seen on the server."

    If Adam Caudill won't disclose it then I will.

    ftp.asus.com.tw [asus.com.tw] (which is currently down)

  • by philipmather (864521) on Friday April 05, 2013 @02:39PM (#43370969) Homepage Journal
    Assuming for a moment that the validity of this key is confirmed independently then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication which is that you can't trust a major motherboard vendor to keep a signing key properly secured. Secure Boot is dead, long live security.
    • by Sulphur (1548251)

      Assuming for a moment that the validity of this key is confirmed independently then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication which is that you can't trust a major motherboard vendor to keep a signing key properly secured.

      Secure Boot is dead, long live security.

      All hail our Moot Boot overlords.

    • Implications to secure boot are probably none, when it comes to exposing this key. However, there may be weaknesses in the AMI code that could eventually lead to circumventing secure boot. It's rather academical at this moment, but they may have made some implementation faults that will allow an attacker to falsely keep their checks happy while still modifying boot files. The key is probably only useful for signing firmware, probably only for this vendor and possibly only for this chipset, maybe even a sing
      • ...they may have made some implementation faults that will allow an attacker to falsely keep their checks happy while still modifying boot files.

        Well that to.

        The key is probably only useful for signing firmware, probably only for this vendor and possibly only for this chipset, maybe even a single main board.

        TFA implies it was for "Ivy bridge" so yeah probably tied to chipset, maybe multiple boards but the point is they've demonstrated something arguably close to gross incompetence, misplacing source code is careless, misplacing the signing key is a different league. This is a commercial product how hard would it be to have the key in two parts, held by two individuals on the dev/release team?

        This system is built purely on trust and its gone, I mean, yeah "I'm sure they'll be more careful next

  • by Anonymous Coward

    magnet:?xt=urn:btih:bd8b50ebfc73b4f0ea53bda4f7f6a1861b1eb19c&dn=leaked%5Fbios

  • by ThatsNotPudding (1045640) on Friday April 05, 2013 @03:08PM (#43371387)
    I'm hoping we're about two years away from a real PC motherboard initiative along the lines of Raspberry PI. Wouldn't that be nice? A motherboard that isn't infected with vulnerable OEM black boxes and proprietary BS code and OS lock-in?
  • by Anonymous Coward

    Posting as AC for hopefully obvious reasons. I discovered the server while Googling for some obscure AMD datasheets and passed the information off to Mr. Wilson. Not going to provide the exact domain name of the server, but it's operated by Jetway.

    In addition to this BIOS code, it contains what appear to be full design files for a few motherboards (Gerbers, schematics, test software) and a number of datasheets (with prominent CONFIDENTIAL watermarks) for chips made by Nvidia, Intel, Atheros, Realtek and oth

  • Custom Firmware? (Score:4, Insightful)

    by CrimsonKnight13 (1388125) on Friday April 05, 2013 @03:38PM (#43371759) Homepage
    Would it be possible that more ambitious/less sinister programmers and/or modders could create a highly customized firmware or BIOS that allowed for more options? I guess I see a positive outcome to any leaked source code rather than the negative weaponry most people imagine.
    • by mrand (147739)

      Possible? Yes. Likely? That's somewhat less clear.

      Did it include the build environment also, or just the raw source? Does the source match up with your chipset VERY closely (if not, do you have long road ahead)?

      When compiling a Jasper Forest BIOS for example, there is:
      1. Source for the Jasper Forest family of CPUs (which is different than the source for all other familes)
      2. Source for any BIOS-supported ICs on the system which differ from Intel's reference design (perhaps you have a different super I/

      • I appreciate the insight. I wasn't sure if the source was a generic AMI base or a more specific firmware/BIOS build for a single motherboard.
  • In the best and most possible case it would allow the evil open sources projects to boot the computer without asking the permission and paying the Microsoft.

The only thing cheaper than hardware is talk.

Working...