AMI Firmware Source Code, Private Key Leaked
Trailrunner7 writes "Source code and a private signing key for firmware manufactured by a popular PC hardware maker, American Megatrends Inc. (AMI), have been found on an open FTP server hosted in Taiwan. Researcher Brandan Wilson found the company's data hosted on an unnamed vendor's FTP server. Among the vendor's internal emails, system images, high-resolution PCB images and private Excel spreadsheets was the source code for different versions of AMI firmware, code that was current as of February 2012, along with the private signing key for the Ivy Bridge firmware architecture. AMI builds the AMIBIOS BIOS firmware, based on the UEFI specification, for PC and server motherboards built by AMI and other manufacturers. The company started out as a motherboard maker, and also built storage controllers and remote management cards found in many Dell and HP computers. 'The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,' researcher Adam Caudill said. 'Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.'"
This shows what a frickin fiasco this UEFI Secure Boot crap is. It was designed by Microsoft as a DRM-like lock-in tool for their Windows OS, and it shows DRM-related problems again and again. TPM chips have been around for years and are capable of solving all the problems Microsoft promises to "fix" with this UEFI-secure-DRM-windows-only-Boot crap. In my opinion it qualifies as abuse of monopolistic power and should be prosecuted as such. I'd expect a lot of PC vendor arm-twisting evidence to show up if such a prosecution ever took place. And BTW, please don't reply to me with "any OS vendor can request a key from Microsoft" or "any vendor can request hardware vendors to install its key" crapola. These are just lies spewed around by Microsoft stooges and paid trolls. They already abused their dominant position in key distribution (just before last Christmas season) and they'll do it again and again, any time it suits them. The only sensible solution would be to force Microsoft and hardware vendors to abandon this flawed standard using antitrust measures or other means.