Login
Security Incident : Code Smells β Not Replaced Constants
The Secure Boot Case Study
Attackers can break through the Secure Boot process on millions of computers using Intel and ARM processors due to a leaked cryptographic key that many manufacturers used during the startup process. This key, called the Platform Key (PK), is meant to verify the authenticity of a deviceβs firmware and boot software.
Unfortunately, this key was leaked back in 2018. It seems that some manufacturers used this key in their devices instead of replacing it with a secure one, as was intended. As a result, millions of devices from brands like Lenovo, HP, Asus, and SuperMicro are vulnerable to attacks.
If an attacker has access to this leaked key, they can easily bypass Secure Boot, allowing them to install malicious software that can take control of the device. To fix this problem, manufacturers need to replace the compromised key and update the firmware on affected devices. Some have already started doing this, but it might take time for all devices to be updated, especially those in critical systems.
The problem is serious because the leaked key is like a master key that can unlock many devices. This issue highlights poor cryptographic key management practices, which have been a problem for many years.
What Are βNot Replaced Constantsβ?
In software, constants are values that are not meant to change during the execution of a program. They are often used to define configuration settings, cryptographic keys, and other critical values.
When these constants are hard-coded into a system and not updated or replaced when necessary, they become a code smell known as βNot Replaced Constants.β
Why Are They a Problem?
When constants are not replaced or updated:
- Security Risks: Outdated or exposed constants, such as cryptographic keys, can become security vulnerabilities. If these constants are publicly leaked or discovered by attackers, they can be exploited to gain unauthorized access or control over a system.
- Maintainability Issues: Hard-coded constants can make a codebase less maintainable. Changes to these values require code modifications, which can be error-prone and time-consuming.
- Flexibility Limitations: Systems with hard-coded constants lack flexibility, making it difficult to adapt to new requirements or configurations without altering the source code.
The Secure Boot Case Study
The recent Secure Boot vulnerability is a perfect example of the dangers posed by βNot Replaced Constants.β Hereβs a breakdown of what happened:
The Vulnerability
Researchers discovered that a cryptographic key used in the Secure Boot process of millions of devices was leaked publicly. This key, known as the Platform Key (PK), serves as the root of trust during the Secure Boot process, verifying the authenticity of a deviceβs firmware and boot software.
What Went Wrong
The leaked PK was originally intended as a test key by American Megatrends International (AMI). However, it was not replaced by some manufacturers when producing devices for the market. As a result, the same compromised key was used across millions of devices, leaving them vulnerable to attacks.
The Consequences
Attackers with access to the leaked key can bypass Secure Boot protections, allowing them to install persistent malware and gain control over affected devices. This vulnerability highlights the critical importance of replacing test keys and securely managing cryptographic constants.
Sample Code:
Wrong
def generate_pk() -> str:
return "DO NOT TRUST"
# Vendor forgets to replace PK
def use_default_pk() -> str:
pk = generate_pk()
return pk # "DO NOT TRUST" PK used in production
Right
def generate_pk() -> str:
# The documentation tells vendors to replace this value
return "DO NOT TRUST"
def use_default_pk() -> str:
pk = generate_pk()
if pk == "DO NOT TRUST":
raise ValueError("Error: PK must be replaced before use.")
return pk # Valid PK used in production
Ignoring important security steps, like changing default keys, can create big security holes. This ongoing problem shows how important it is to follow security procedures carefully. Instead of just relying on written instructions, make sure to test everything thoroughly to ensure it works as expected.
