The source code for the AMI firmware is from February

Apr 5, 2013 15:29 GMT  ·  By

Security experts Adam Caudill and Brandon Wilson have come across an open FTP server in Taiwan that contained the source code for several versions of American Megatrends (AMI) BIOS firmware, together with the private key used to sign Unified Extensible Firmware Interface (UEFI) firmware updates.

“By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated & installed for the vendor’s products that use this ‘Ivy Bridge’ firmware. If the vendor used this same key for other products - the impact could be even worse,” Caudill explained on his blog.

“This kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection,” he added.

The worst part about this leak is that the AMI firmware source is dated February 2013, only weeks before the discovery, so it is current code rather than an obsolete branch.

The expert says he has notified both AMI and the company in charge of the leaky FTP server.

Update. American Megatrends has released an official statement regarding the incident to clarify a few things.

First of all, the company explains that the FTP server in question is maintained by one of AMI’s customers, not AMI itself.

Furthermore, the company says the exposed signing keys are test keys rather than production keys, a distinction that, by AMI's own account, only protects products whose shipped BIOS was built with a customer-generated production key instead of the leaked test key.

“Test keys are normally used for development and test purposes since developers do not have access to production keys. For production-level BIOS that would be shipped to consumers, AMI’s procedures for creating such a BIOS require the customer to procure or generate production keys,” the company stated.

“Therefore, even though the test keys were unfortunately leaked via this unsecure FTP site, a production level private key used by a customer cannot be obtained with the information made public. Thus, AMI can state that this leak will not compromise the security of systems in the field if the BIOS for the production machines are created using production keys.”
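The two situations contrasted above, a platform whose OEM shipped with the leaked test key baked in versus one re-keyed to a production key, reduce to one signature check at update time. The following is an added example written for this page; it is not code from the article, from Caudill, or from AMI. It models a UEFI update as an image plus an RSA signature over its SHA-256 digest (real capsules wrap the signature in a PKCS#7/Authenticode structure, but the trust decision is the same), generates both keys locally so no real AMI key material is involved, and uses constructed byte strings in place of firmware images. The type and function names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// FirmwareUpdate is a minimal model of a signed UEFI update: an image plus an
// RSA signature over its SHA-256 digest. Real capsules wrap this in a
// PKCS#7/Authenticode structure, but the trust decision is the same.
type FirmwareUpdate struct {
	Image     []byte
	Signature []byte
}

// SignUpdate is what the build tooling does with the signing key, whether that
// key is held by the vendor or by whoever pulled it off an open FTP server.
func SignUpdate(priv *rsa.PrivateKey, image []byte) (*FirmwareUpdate, error) {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &FirmwareUpdate{Image: image, Signature: sig}, nil
}

// VerifyUpdate is the check the platform performs before writing flash:
// accept only if the signature validates under the key provisioned at the factory.
func VerifyUpdate(trusted *rsa.PublicKey, u *FirmwareUpdate) bool {
	digest := sha256.Sum256(u.Image)
	return rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], u.Signature) == nil
}

// Platform models a shipped system that trusts exactly one update-signing key
// (a simplification of the example, not a description of any vendor's design).
type Platform struct {
	TrustedPK *rsa.PublicKey
	Flash     []byte
}

// ApplyUpdate flashes the image only if it verifies; returns whether it was flashed.
func (p *Platform) ApplyUpdate(u *FirmwareUpdate) bool {
	if !VerifyUpdate(p.TrustedPK, u) {
		return false
	}
	p.Flash = append([]byte(nil), u.Image...)
	return true
}

// Result records the outcomes for the two cases the article contrasts.
type Result struct {
	TestKeyPlatformFlashedForgery bool // OEM shipped with the leaked test key
	ProdKeyPlatformFlashedForgery bool // OEM re-keyed to a production key
	ProdKeyPlatformFlashedVendor  bool // control: legitimate update still accepted
}

// Scenario generates both keys locally (no real AMI key material is involved),
// signs a forged image with the "leaked" test key and tries it on both platforms.
func Scenario() (Result, error) {
	testKey, err := rsa.GenerateKey(rand.Reader, 2048) // the key that leaked
	if err != nil {
		return Result{}, err
	}
	prodKey, err := rsa.GenerateKey(rand.Reader, 2048) // the OEM's production key
	if err != nil {
		return Result{}, err
	}
	// Constructed stand-ins for firmware images, not real UEFI code.
	forged, err := SignUpdate(testKey, []byte("backdoored UEFI image"))
	if err != nil {
		return Result{}, err
	}
	legit, err := SignUpdate(prodKey, []byte("vendor UEFI image"))
	if err != nil {
		return Result{}, err
	}
	withTestKey := &Platform{TrustedPK: &testKey.PublicKey}
	withProdKey := &Platform{TrustedPK: &prodKey.PublicKey}
	return Result{
		TestKeyPlatformFlashedForgery: withTestKey.ApplyUpdate(forged),
		ProdKeyPlatformFlashedForgery: withProdKey.ApplyUpdate(forged),
		ProdKeyPlatformFlashedVendor:  withProdKey.ApplyUpdate(legit),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The platform that still trusts the test key flashes the forged image, because nothing in the signature check distinguishes who holds the private key; the platform provisioned with a production key rejects it while still accepting the vendor's own update. That is exactly the condition in AMI's statement: the leak is harmless only where the OEM actually replaced the test key before shipping, which is something each vendor has to confirm per product rather than assume.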