Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan.
Researcher Brandan Wilson found the company’s data hosted on an unnamed vendor’s FTP server. Among the vendor’s internal emails, system images, high-resolution PCB images and private Excel spreadsheets was the source code for different versions of AMI firmware, code that was current as of February 2012, along with the private signing key for the Ivy Bridge firmware architecture.
AMI builds the AMIBIOS BIOS firmware based on the UEFI specification for PC and server motherboards built by AMI and other manufacturers. The company started out as a motherboard maker, and also built storage controllers and remote management cards found in many Dell and HP computers.
“By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated and installed for the vendor’s products that use this Ivy Bridge firmware,” wrote Wilson’s research partner Adam Caudill in a blogpost. “If the vendor used this same key for other products, the impact could be even worse.”
Caudill told Threatpost in an email that there are some components missing that would be needed to build an UEFI image, though for someone familiar with the technology, it’s likely a simple process, he said.
“The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,” Caudill said. “Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.”
Firmware updates are tricky and require downtime; updates aren’t usually done unless there are performance or security issues that warrant an upgrade. In short, the impact of this leak could be longstanding.
“This kind of leak is a dream-come-true for advanced corporate espionage or intelligence operations,” Caudill wrote. “The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection.”
The researchers won’t name the vendor, FTP address or release any code, and said they have informed AMI and the vendor involved. Caudill said neither he nor Wilson have received a response.
“This vendor’s lax (non-existent?) security could have much broader repercussions though. For AMI, they now have a major piece of intellectual property freely available for download by competitors,” Caudill wrote. “For users, this code could now be subject to new scrutiny – if a security issue is found in the firmware, it could potentially impact all users whose firmware is based on the leaked code.”
This is the type of situation that has spurred a lot of discussion about supply chain security, in particular, questions about pre-installed hardware manufactured abroad. The 2013 Congressional Appropriations Act signed into law March 26 mandates that NASA, the U.S. Justice and Commerce departments, and the National Science Foundation must formally evaluate the risks associated with purchasing hardware built or put together by companies owned or operating in China.
These agencies are prohibited from buying IT equipment built or assembled in China unless a top official of the Chinese vendor sits down with the FBI or another federal agency and potential cyberespionage risks are assessed, the act said. The head of the assessing agency must then report his findings to the House and Senate Committees on Appropriations and decide whether the acquisition is in the “national interest” of the U.S.
The thinking is that it would be simple for hardware built and installed along the supply chain to contain malicious code that is difficult to detect without a comprehensive and expensive inspection. A report released last year cast suspicion on Chinese network gear manufacturers Huawei and ZTE because of the companies’ close ties with the Chinese government and allegations of security risks with their equipment present inside U.S. telecommunications companies and corporations.
As for AMI, the leak has not only security implications, but could impact the manufacturer’s viability in the market.
“I have no idea why [the unnamed vendor] made this available to the public; it’s something that really shouldn’t have happened,” Caudill said. In OEM relationships, source code is provided under a strict license to enable optimization for specific systems. “This is a great example of carelessness that can have significant repercussions. I’m not sure if they didn’t realize anonymous access was enabled or if they just didn’t realize the implications of making this publicly available.”