Alex Matrosov

PKFAIL: Supply-Chain Failures in Secure Boot Key Management

Modern computing heavily relies on establishing and maintaining trust, which begins with trusted foundations and extends through operating systems and applications in a chain-like manner. This ensures that end users can confidently rely on the integrity of the underlying hardware, firmware, and software. One of the most prevalent mechanisms for enforcing trust in the UEFI firmware ecosystem is Secure Boot. Secure Boot ensures that only digitally signed and verified software is executed during the system boot process, safeguarding against attacks on “external” firmware components and boot loaders. A key component of Secure Boot is the Platform Key (PK), the root-of-trust key used for managing the cryptographic material that validates external components and bootloaders before execution. Given its critical role, one would expect all best practices for cryptographic key management to be meticulously followed… right?

In this talk we will unveil PKFAIL, a firmware supply-chain security issue affecting major device vendors and hundreds of device models. PKFAIL is the result of shipping the default test keys included by IBVs in their reference implementations—a problem that has been known since 2016 but was clearly forgotten by the firmware industry. Since these test keys leaked during the various data breaches of the past few years, an attacker can leverage PKFAIL to completely bypass Secure Boot on affected devices. As we will demonstrate during our presentation, PKFAIL makes it extremely straightforward to bootkit affected devices and to launch advanced firmware-level threats, such as BlackLotus.

In our presentation, we will also offer a retrospective, industry-wide analysis of PKFAIL, based on our extensive dataset of UEFI firmware images, spanning hundreds of product lines marketed over the past decade.
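As an added example (not part of the talk or of Binarly's tooling), here is a defender-side check for the issue described above: it walks the EFI_SIGNATURE_LIST structure stored in the PK variable and flags an X.509 Platform Key whose certificate carries a test-key subject marker. It assumes the Linux efivarfs path for PK and the "DO NOT TRUST" subject marker as the signature of a shipped test certificate; the certificate bytes used as sample input are constructed, not a real DER certificate.

```python
import struct
import uuid
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # X.509 entry tag
# efivarfs path of the Platform Key (variable name + EFI_GLOBAL_VARIABLE GUID)
PK_EFIVAR = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
# Assumed subject marker of shipped IBV test certificates; it survives as plain ASCII in DER
TEST_KEY_MARKER = b"DO NOT TRUST"
# Constructed stand-in for a certificate body (NOT a real DER certificate)
CONSTRUCTED_TEST_CERT = b"\x30\x82\x00\x2a" + b"CN=DO NOT TRUST - constructed sample PK"

def parse_signature_lists(data: bytes) -> list:
    """Walk the EFI_SIGNATURE_LIST array stored in PK/KEK/db and return
    (SignatureType, SignatureData) pairs for every EFI_SIGNATURE_DATA entry."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST header")
        pos = off + 28 + hdr_size  # skip the optional SignatureHeader
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + SignatureData
            entries.append((sig_type, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def find_test_platform_keys(pk_data: bytes) -> list:
    """Return the X.509 payloads in PK data whose bytes carry the test-key marker."""
    return [der for kind, der in parse_signature_lists(pk_data)
            if kind == EFI_CERT_X509_GUID and TEST_KEY_MARKER in der]

def build_signature_list(payload: bytes, sig_type=EFI_CERT_X509_GUID) -> bytes:
    """Encode a one-entry EFI_SIGNATURE_LIST (zero SignatureOwner GUID) as test input."""
    sig_size = 16 + len(payload)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + uuid.UUID(int=0).bytes_le + payload)

def read_pk_from_efivars(path: Path = PK_EFIVAR) -> bytes:
    return path.read_bytes()[4:]  # efivarfs prepends a 4-byte attributes word
if __name__ == "__main__":
    sample = build_signature_list(CONSTRUCTED_TEST_CERT)
    print("constructed sample flagged:", bool(find_test_platform_keys(sample)))
    if PK_EFIVAR.exists():
        hits = find_test_platform_keys(read_pk_from_efivars())
        print("live PK uses a known test certificate:", bool(hits))
```

A positive result on the live PK means the device trusts a key whose private half should be assumed compromised; the fix is a firmware update from the vendor that enrolls a production PK, not a change to the check.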


Alex Matrosov is CEO and Founder of Binarly Inc. where he builds an AI-powered platform to protect devices against emerging firmware threats. Alex has over two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. He served as Chief Offensive Security Researcher at Nvidia and Intel Security Center of Excellence (SeCoE). Alex is the author of numerous research papers and the bestselling award-winning book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. He is a frequently invited speaker at security conferences, such as REcon, Black Hat, Offensivecon, WOOT, DEF CON, and many others. Additionally, he was awarded multiple times by Hex-Rays for his open-source contributions to the research community.

[Speaker headshot: Alex Matrosov, LABScon 2024]