Hornetsecurity warns of vulnerable Windows boot processes

Windows boot processes are being compromised via platform key leaks, security vendor Hornetsecurity has warned.

According to the vendor, these leave whole systems exposed, yet the Windows boot process is often overlooked by security teams.

“These leaks of platform keys, including PKFail, exposed vulnerabilities,” its website said.

Hornetsecurity dug into the challenge via its Security Swarm podcast.

Windows features like Trusted Boot and Secure Boot are meant to stop rootkits and other malware from hijacking the boot process. But “things aren’t as secure as they seem”, the company said.

Known vulnerabilities not dealt with

As explained by Michael Crider, writing for news site PCWorld, PKFail was a Secure Boot “disaster”.

The reason? Hardware shipped with known software vulnerabilities.

“The list of vulnerable devices ballooned to almost a thousand individual models of desktops, laptops, and other x86-based hardware,” Crider wrote.

Hornetsecurity agreed.

“These vulnerabilities are being exploited by attackers, the potential risks they pose to your system, and what you can do to safeguard your devices.”

A leaked test key used across 800 motherboard models meant attackers could bypass Secure Boot and load malicious software, the vendor said.

The Windows boot process is complex.

“It includes multiple phases, from basic hardware checks to kernel initialisation and anti-malware checks, all before you even see the login screen,” said Hornetsecurity.

Firmware and hardware threats

In addition, firmware vulnerabilities are widespread. Network cards, storage devices, and other components with firmware can be compromised, the vendor said.

Rootkits and bootkits are hard problems to fix.

“They can survive operating system reinstallation and are incredibly difficult to detect,” warned Hornetsecurity.

“You need to keep your firmware updated just like your operating system and software,” it said.

“While less common than other attacks, these vulnerabilities should be addressed seriously. If you suspect a machine is infected, it’s often best to discard it.”

According to Crider, PKFail infections require at least a BIOS or UEFI motherboard.

“You can use Binarly’s online detection tool to see if your PC is affected.”
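Binarly's online tool works from an uploaded firmware image. The same question, whether the Platform Key that anchors Secure Boot is one of the leaked test keys the article describes, can also be asked locally on the running machine. The script below is an added example, not code from the article, Hornetsecurity or Binarly: it reads the UEFI PK variable with the built-in SecureBoot cmdlets, parses the certificate out of the EFI_SIGNATURE_LIST structure, and flags it if its subject or issuer carries the "DO NOT TRUST" / "DO NOT SHIP" markers that were reported in the leaked AMI test certificates (that marker detail is not from the article). It assumes an elevated PowerShell session on a UEFI system; the `Get-PlatformKeyCertificate` and `Test-PlatformKey` function names are the example's own.

```powershell
# Added example, not from the article: inspect this host's UEFI Platform Key (PK)
# and flag the well-known untrusted test-key markers. Needs an elevated session
# on UEFI firmware; the SecureBoot module ships with Windows 8 and later.
#Requires -RunAsAdministrator

function Get-PlatformKeyCertificate {
    # Get-SecureBootUEFI returns the raw variable. PK is an EFI_SIGNATURE_LIST
    # containing a single EFI_SIGNATURE_DATA entry with a DER X.509 certificate.
    $pk    = Get-SecureBootUEFI -Name PK
    $bytes = $pk.Bytes

    # EFI_SIGNATURE_LIST header (28 bytes):
    #   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
    $headerSize = [BitConverter]::ToUInt32($bytes, 20)
    $sigSize    = [BitConverter]::ToUInt32($bytes, 24)

    # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the certificate bytes.
    $certOffset = 28 + $headerSize + 16
    $certLen    = $sigSize - 16
    $der = New-Object byte[] $certLen
    [Array]::Copy($bytes, $certOffset, $der, 0, $certLen)

    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

function Test-PlatformKey {
    # A PK is only enforced when Secure Boot is actually on; report that first.
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning "Secure Boot is not enabled on this system; the PK is not being enforced."
    }

    $cert = Get-PlatformKeyCertificate
    $cert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List | Out-Host

    # Markers reported in the leaked AMI test Platform Keys. Assumption for this
    # example: a production OEM key never carries these strings in its subject/issuer.
    $markers = 'DO NOT TRUST', 'DO NOT SHIP'
    foreach ($m in $markers) {
        if ($cert.Subject -like "*$m*" -or $cert.Issuer -like "*$m*") {
            Write-Warning "Platform Key contains '$m': this looks like a leaked test key. Apply the OEM firmware update that replaces the PK."
            return $false
        }
    }

    Write-Output "No known test-key marker found in the Platform Key subject or issuer."
    return $true
}

Test-PlatformKey
```

A clean result here only says the PK itself is not one of the known test keys; the KEK and db variables, and the firmware update that actually rotates a bad PK, still come from the OEM, which is why the article points at the vendor's firmware-update advice alongside the detection tool.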

Additionally, Hornetsecurity said its Advanced Threat Protection (ATP) offering can help organisations.

This includes threat intelligence, detection and code-execution prevention strategies.

(Image by Di © Raimond Spekking / CC BY-SA 4.0 via Wikimedia Commons)