Hard to believe but Secure Boot BIOS security has been compromised on hundreds of PC models from big brands because firmware engineers used four-letter passwords

PC detail
(Image credit: Future)

Now, I'll admit my own password hygiene isn't always the best, though I have graduated from the days when I used "xxxxxx" for a few non-critical accounts under the reverse psychology assumption that it's so obviously insecure, nobody would bother trying it. Genius, I know. But even I realise a four-character password is a big no-no.

And yet that's exactly what was used to protect an encrypted file that was critical to the fundamental integrity of the Secure Boot, a UEFI BIOS security layer designed to ensure that a device boots using only the software that is trusted by the PC maker itself.

Ars Technica reports that, "researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, HP, Intel, Lenovo, Supermicro and others. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022." Ouch.

Apparently, a critical cryptographic key for Secure Boot that forms the root-of-trust anchor between the hardware device and the UEFI firmware that runs on it and is used by multiple hardware manufacturers was published online, protected only by a four-character password. Security outfit Binarly spotted the leak in early 2023 and has now published a full report outlining the timeline and development of the problem.

Part of the problem, as we understand it, is device makers basically using the same old keys over and over again. To quote Binarly, the security failure involves, "no rotation of the platform security cryptographic keys per product line. For example, the same cryptographic keys were confirmed on client and server-related products. Similar behavior was detected with Intel Boot Guard reference code key leakage. The same OEM used the same platform security-related cryptographic keys for firmware produced for different device manufactures. Similar behavior was detected with Intel Boot Guard reference code key leakage."

The report includes a list of hundreds of machines from the brands mentioned above that have all been compromised by the leak. For the record, some of those systems include Alienware gaming desktops and laptops. Security experts say that for those devices that use the compromised key, it represents an unlimited Secure Boot bypass allowing malware to be executed during system boot. Only a direct firmware update for each device can secured affected devices.

Your next machine

Gaming PC group shot

(Image credit: Future)

Best gaming PC: The top pre-built machines.
Best gaming laptop: Great devices for mobile gaming.

All that said, Ars Technica quotes many of the brands involved essentially claiming that all of the relevant systems have now either been patched or taken out of service, which is presumably why Binarly is now publishing details of the security breach that would allow bad actors to take advantage of it.

That all seems to indicate that this is now a historical problem rather than a live security risk. But it also underlines how easily even well-conceived security features can be undermined if not implemented properly. As one security expert interviewed by Ars said, "the story is that the whole UEFI supply chain is a hot mess and hasn't improved much since 2016."

Anyway, if you have any concerns, hit up the full report and have a looksee if any of your devices appear. If they do, a BIOS update is very likely in order.

Jeremy Laird
Hardware writer

Jeremy has been writing about technology and PCs since the 90nm Netburst era (Google it!) and enjoys nothing more than a serious dissertation on the finer points of monitor input lag and overshoot followed by a forensic examination of advanced lithography. Or maybe he just likes machines that go “ping!” He also has a thing for tennis and cars.

Read more
Pipboy holds up an open padlock.
A BIOS update could be all that's stopping you or someone else from jailbreaking your old AMD CPU
Kinzie, in an FBI jacket, uses a computer with the logo of the Third Street Saints on it
Have I Been Pwned adds over 284 million compromised passwords from latest breach
An artistic image where a digital progress bar is represented by a physical wooden block.
The nail-biting, 100-hour BIOS update stream which garnered 88,000 peak views ends with a cut to black
Nvidia RTX 4090 Founders Edition graphics card
A single RTX 4090 managed to brute force crack an Akira ransomware attack in just 7 days
Mister Fantastic giving a thumbs up
A Marvel Rivals player has uncovered 'one of the most dangerous vulnerabilities a game can have' that'll let cheaters take over your PC and find your passwords
Microsoft Windows 11
If you installed Windows 11 with certain security updates and a USB stick, you may not get any more security updates warns Microsoft
Latest in Hardware
A woman wearing a VR headset with dramatic, colourful lighting across the background
'World’s smallest LEDs' could lead to accurately lit screens with 127,000 pixels per inch and much more immersive VR
The NES themed 8BitDo Retro mechanical gaming keyboard on a blue background
I love the 8BitDo Retro C64 keyboard but I'd pick its cheaper NES-themed model near its lowest price ever during Amazon's Big Spring Sale
The snazzy red and black HyperX Cloud Alpha wireless headphones float in a teal void. The microphone is attached to the headset.
The best wireless gaming headset is now even better in the Amazon Big Spring Sale, boasting a more than $50 discount
A chip being held up in an Intel fab
Intel is reportedly 'working to finalize commitments from Nvidia' as a foundry partner, suggesting gaming potential for the 18A node
Amazon box
Don't panic! The 'Do Not Send Voice Recordings' option Amazon just removed was only used by 0.03% of customers and they can still have it
Digital generated image of people surrounded by interactive transparent and glowing panels with data. Visualising smart technology, blockchain and artificial intelligence
Now I shall demand the cookies! Proposed new browsing agreement turns the tables and lets users dictate terms to websites
Latest in News
A gigantic terracotta sentinel made of living armor
Total War: Warhammer 3's army of Cathay has broken containment and is making its way to tabletop Warhammer at last
Two brightly colored stormtroopers dressed like Run-DMC stand in front of PAX Australia's WELCOME HOME banner.
Tickets for PAX Australia 2025 are on sale now
An Enshrouded player in a recreation of Erebor from The Lord of the Rings
Kings under the Mountain! 33 Enshrouded players spent 10,000 hours to recreate this iconic location from The Lord of the Rings
A mech awakens.
Mecha Break developer is considering unlocking all mechs following open beta feedback
Lara Croft Unified Art
Tomb Raider developer Crystal Dynamics lays off 17 employees 'to better align our current business needs and the studio's future success'
A long bendy arm stealing money from people in a subway car
'You're a very long arm. You steal things. It's a comedy game,' explains developer of comedy game where you steal things with a very long arm