American Megatrends Statement on BIOS Security Compromise via Unnamed Taiwan Vendor FTP Site
Friday: April 5, 2013
- Recent disclosures via the personal blog site of an industry blogger and researcher detailed the discovery of a “leaky” FTP server from an unnamed Taiwan-based vendor containing AMI UEFI BIOS source code and suspected security key data among various internal data
- AMI would like to clarify that this leak is not the fault of AMI and is not a result of a security lapse on AMI’s behalf
- In response, AMI states that this is not a general security threat which could “create a nearly undetectable, permanent hole in a system’s security” if the manner in which production-level BIOS is signed and created uses a production key
- Concerned parties should contact their AMI Sales Representative or AMI Technical Marketing at 1-800-U-BUY-AMI for more information regarding this recent disclosure
NORCROSS, GEORGIA - American Megatrends Inc. (AMI), a global leader in BIOS, remote management and network storage innovations, released the following statement in relation to recent disclosures via the personal blog site of an industry blogger and security researcher regarding the discovery of a “leaky” FTP server from a Taiwan-based vendor which contained AMI UEFI BIOS source code among various internal data.
According to the post, the information available on this open FTP server included among other things “…source code for different versions of UEFI BIOS firmware from AMI for a specific hardware platform and a suspected signing key for that firmware.”
First and foremost, AMI would like to clarify that the vendor referenced in the blog post is a BIOS customer of AMI, and the unsecure FTP site that contained the BIOS source code and security key data is maintained by AMI’s customer, not AMI itself. Therefore, the leak of this data was not the fault of AMI and by extension not a result of a security lapse on AMI’s behalf.
As this would imply a serious threat to AMI intellectual property and security issues for the BIOS utilized for these platforms, AMI was compelled to respond in order to allay concerns regarding any potential security threats that might be implied from this news. AMI states that this is not a general security threat which could “create a nearly undetectable, permanent hole in a system’s security”, if the manner in which production-level BIOS is signed and created uses production keys.
To explain in more detail, AMI has examined the security keys referenced in the blog post and confirmed that the keys in question are test keys. Test keys are normally used for development and test purposes since developers do not have access to production keys. For production-level BIOS that would be shipped to consumers, AMI’s procedures for creating such a BIOS require the customer to procure or generate production keys. As such, AMI expects that a key such as the one disclosed to the public today will be used for testing purposes only.
Therefore, even though the test keys were unfortunately leaked via this unsecure FTP site, a production level private key used by a customer cannot be obtained with the information made public. Thus, AMI can state that this leak will not compromise the security of systems in the field if the BIOS for the production machines are created using production keys.
Subramonian Shankar, American Megatrends CEO and President, commented on these concerns by stating that “while today’s news is certainly distressing, AMI would like to reassure its customers and partners in no uncertain terms that this should not be a security concern for them. If they follow standard operating procedure for BIOS signing, the security features in our BIOS source code and secure signing process will function as designed and remain 100% secure.”
Concerned parties, such as AMI partners and worldwide BIOS customers, should contact their AMI Sales Representative or AMI Technical Marketing at 1-800-U-BUY-AMI for more information regarding this recent disclosure.
About AMI : Founded in 1985 and known worldwide for AMIBIOS®, American Megatrends Inc. (AMI) supplies state-of-the-art hardware, software, and utilities to top-tier manufacturers of desktop, server, mobile and embedded systems. AMI’s industry leading Aptio® V UEFI BIOS firmware, innovative StorTrends® Network Storage hardware and software products and MegaRAC® remote server management solutions continue to garner industry acclaim and awards around the world. In line with the diversity of its technology and product line, AMI is a member of a number of industry associations and standards groups, such as the Unified EFI Forum (UEFI), the Intel® Intelligent Systems Alliance and the Trusted Computing Group (TCG). Headquartered in Norcross, Georgia, AMI has locations in the U.S., China, Germany, India, Japan, Korea and Taiwan to better serve its customers.
For more information on AMI, its products or services, call 1-800-U-BUY-AMI or visit www.ami.com.
Statement of Liability: © 2014 American Megatrends Inc. Product specifications are subject to change without notice. Products mentioned may be trademarks or registered trademarks of their respective companies. All rights reserved. No warranties are made, either express or implied, with regard to the contents of this work, its merchantability or fitness for a particular use. This publication contains proprietary information, which is protected by copyright. American Megatrends reserves the right to update, change and/or modify this product at anytime.
Back to Top