But the leaked key was found in firmware released as early as 2018 and as recently as this year. To find out how common the practice still is, Binarly’s researchers scanned their database of tens of thousands of firmware binaries collected over the years and identified 22 different AMI test PKs with warnings “DO NOT TRUST” or “DO NOT SHIP.” Those keys were found in UEFI firmware binaries for almost 900 different computer and server motherboards from over 10 vendors, including Acer, Dell, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro. Combined, they accounted for more than 10% of the firmware images in the dataset.
Those keys cannot be trusted, as they were likely shared with many vendors, OEMs, ODMs, and developers — and were likely stored insecurely. Any of them may already have been leaked or stolen in undiscovered incidents. Last year, a data dump that an extortion gang published from motherboard and computer manufacturer Micro-Star International (MSI) included an Intel OEM private key, and a year before that, a data leak from Lenovo included firmware source code and Intel Boot Guard signing keys.
Binarly has released an online scanner where users can submit copies of their motherboard firmware to check whether it uses a test key, and a list of affected motherboard models is included in the company’s advisory. Unfortunately, there’s not much users can do until vendors provide firmware updates with new, securely generated PKs, assuming their motherboard models are still under support. The earliest use of such test keys found by Binarly goes back to 2012.
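A local check for the same warning strings, as an added example that is not Binarly's scanner or code from the advisory: it parses the Platform Key enrolled on a running Linux machine and reports any certificate carrying "DO NOT TRUST" or "DO NOT SHIP". It assumes the PK is readable through efivarfs at the path shown; the function names and the constructed sample helper are illustrative.

```python
import struct, uuid

# EFI_CERT_X509_GUID (UEFI spec), in its on-disk mixed-endian byte order.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")  # warnings quoted in the article
# Assumed location: Linux efivarfs path of the PK variable (EFI global GUID).
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def iter_x509(sig_db):
    """Yield the SignatureData of every X.509 entry in EFI_SIGNATURE_LIST data."""
    off = 0
    while off + 28 <= len(sig_db):
        sig_type = sig_db[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", sig_db, off + 16)
        if list_size < 28 or off + list_size > len(sig_db):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_X509 and sig_size > 16:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:
                yield sig_db[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner
                pos += sig_size
        off += list_size

def markers_in(der):
    """Return the warning strings found in a certificate's raw DER bytes."""
    found = []
    for m in MARKERS:
        utf16 = m.decode().encode("utf-16-be")  # BMPString-encoded names
        if m in der.upper() or utf16 in der.upper():
            found.append(m.decode())
    return found

def check_pk(sig_db):
    """Return one list of matched warnings per X.509 certificate in the PK."""
    return [markers_in(der) for der in iter_x509(sig_db)]

def constructed_list(payload):
    """Constructed sample: one X.509-typed list whose 'certificate' is payload."""
    sig = bytes(16) + payload  # zero SignatureOwner GUID + stand-in cert bytes
    return EFI_CERT_X509 + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

if __name__ == "__main__":
    with open(PK_PATH, "rb") as f:
        data = f.read()[4:]  # efivarfs prepends 4 bytes of variable attributes
    for i, hits in enumerate(check_pk(data)):
        print(f"PK cert {i}:", ", ".join(hits) if hits else "no test-key marker found")
```

An empty result only means the certificate carries neither warning string; it says nothing about how the key was generated or stored.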