LOS ANGELES--Binarly, provider of the industry-leading AI-powered firmware and software supply chain security platform, will present significant new insights into the critical PKfail vulnerability at this week’s LABScon 2024 conference. The research will be presented by Binarly founder and CEO Alex Matrosov, alongside vulnerability researcher Fabio Pagani.
PKfail, originally disclosed on July 24, 2024, highlights a fundamental flaw in the UEFI Secure Boot process, specifically the integrity of the Platform Key (PK), which serves as the root of trust. This vulnerability poses a substantial risk to firmware security across various industries, affecting devices ranging from laptops to medical equipment, ATMs, and voting machines.
Since the initial disclosure, the PKfail vulnerability has been tagged with the CVE-2024-8105 identifier and has led to widespread vendor engagement and industry response. Major technology providers including Dell, Intel, Phoenix Technologies, and Supermicro have issued advisories addressing the issue, underscoring its significant impact on the firmware ecosystem.
At LABScon, Binarly will present additional data gathered from its free pk.fail detection service. This service, launched alongside the public disclosure, allows enterprise security teams to scan firmware for exposure to PKfail. In just over two months, the service has processed over 10,000 firmware submissions, with nearly 8% found to contain untrusted Platform Keys, further corroborating the research team’s initial findings.
"PKfail represents a critical breakdown in the firmware supply chain that impacts the entire industry," said Matrosov. "We’ve seen both large enterprise vendors and smaller device manufacturers affected, showing the urgent need for supply chain transparency and secure-by-design principles in firmware development."
Binarly's ongoing research indicates that non-production cryptographic materials remain prevalent in firmware images, highlighting the necessity for enhanced security practices among vendors. The investigation has also revealed the use of outdated cryptographic keys in currently marketed devices, further amplifying concerns about the vulnerability's scope.
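The flaw described above comes down to what sits in the Platform Key (PK) variable of a device's UEFI Secure Boot configuration. The following Python script is an added, defender-side illustration and is not code from Binarly or from the pk.fail service: it reads the PK variable from Linux efivarfs (path and the EFI_GLOBAL_VARIABLE / EFI_CERT_X509_GUID constants follow the UEFI specification and kernel convention), walks the EFI_SIGNATURE_LIST structures, and flags X.509 entries whose certificate bytes carry a non-production marker. The marker strings are an assumption drawn from public reporting on test keys, and the sample inputs are constructed, not real certificates.

```python
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification; the efivarfs path is the Linux kernel convention.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_EFIVARS_PATH = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}")

# Subject-name fragments reported for non-production test keys.
# Assumption based on public reporting, not taken from this page.
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(data):
    """Walk the chain of EFI_SIGNATURE_LIST structures in a variable payload and
    yield (signature_type, signature_owner, signature_data) for every entry."""
    offset = 0
    while offset + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        if list_size < 28 or offset + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        entries = data[offset + 28 + hdr_size: offset + list_size]
        for i in range(0, len(entries) - sig_size + 1, sig_size):
            entry = entries[i:i + sig_size]
            owner = uuid.UUID(bytes_le=entry[:16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, entry[16:]
        offset += list_size


def find_untrusted_pk(data):
    """Return findings for X.509 PK entries whose DER bytes contain a known
    non-production marker; an empty list means no marker was seen."""
    findings = []
    for sig_type, owner, cert_der in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        for marker in UNTRUSTED_MARKERS:
            if marker in cert_der:
                findings.append({"owner": str(owner), "marker": marker.decode()})
                break
    return findings


def read_pk_variable(path=PK_EFIVARS_PATH):
    """efivarfs prefixes each variable with a 4-byte attributes field; strip it."""
    return path.read_bytes()[4:]


def build_signature_list(cert_der, owner):
    """Build a single-entry X.509 EFI_SIGNATURE_LIST (used to construct sample input)."""
    sig_size = 16 + len(cert_der)
    list_size = 28 + sig_size
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


# Constructed samples: DER-looking blobs whose subject text mimics a test key and a
# production key. A real PK variable holds a genuine X.509 certificate in DER form.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_TEST_PK = build_signature_list(
    b"\x30\x82\x01\x00" + b"DO NOT TRUST - Sample Test PK" + b"\x00" * 16, SAMPLE_OWNER)
SAMPLE_PROD_PK = build_signature_list(
    b"\x30\x82\x01\x00" + b"Sample OEM Platform Key" + b"\x00" * 16, SAMPLE_OWNER)

if __name__ == "__main__":
    try:
        pk = read_pk_variable()
    except (FileNotFoundError, PermissionError) as exc:
        print(f"could not read PK variable ({exc}); checking constructed sample instead")
        pk = SAMPLE_TEST_PK
    for f in find_untrusted_pk(pk):
        print(f"untrusted PK marker {f['marker']!r} (owner {f['owner']})")
```

A marker match is a strong signal, but the absence of one is not a clean bill of health: a test key does not have to announce itself in its subject name, which is why a comparison against a curated list of known untrusted keys, as the pk.fail service performs on submitted firmware, remains the more reliable check.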
This year’s presentation builds on Binarly’s commitment to exposing systemic weaknesses in firmware security, following a series of disclosures over the past year related to supply chain risks and below-the-OS vulnerabilities.
Binarly’s technical session at LABScon 2024 will further demonstrate the implications of PKfail across multiple sectors and the critical need for industry collaboration to mitigate these risks. The company will also discuss the role of automated tooling and the pk.fail API in identifying vulnerabilities and strengthening firmware integrity across the ecosystem.
PKfail protections are currently available in the new Binarly Transparency Platform 2.5, which empowers organizations with the tools to proactively mitigate firmware and software security issues. The platform enables enterprise defenders to avoid alert fatigue while identifying and addressing critical vulnerabilities before they can be exploited by malicious actors. Learn more at www.binarly.io.
About Binarly
Binarly is a global firmware and software supply chain security company founded in 2021. The company’s flagship Binarly Transparency Platform is an enterprise-class, AI-powered solution used by device manufacturers, OEMs, IBVs and product security teams to identify known and unknown vulnerabilities, misconfigurations and signs of malicious code implantation. Binarly’s validated remediation playbooks have significantly reduced the cost and time to respond to security exposures. Based in Los Angeles, California, Binarly brings decades of research and program analysis expertise to build solutions to protect businesses, critical infrastructure, and consumers around the world.