A security professional’s nightmare happened to AMI this week. Tons of confidential data, including the source code for the UEFI BIOS for Intel Ivy Bridge-based systems and an AMI-owned private key for digital signatures, turned up on a wide-open FTP server for all comers to download anonymously.
The implications are nearly limitless. To a malware author, this is like finding a hollowed-out book at a garage sale stuffed with $100 bills with a 25-cent price sticker on the front. If you’re a budding security professional, count on being asked in job interviews why you need to protect confidential information. The next time you get that question, here’s a story you can cite.
Here are the four things I expect to see as a result of this.
Malware. Advanced malware such as Stuxnet, Duqu and Flame used stolen signatures to make themselves look valid. This AMI leak adds one more to the pile of potentially abused signatures. We have to assume someone has stolen and used it.
Deep-seated malware. Due to the low level of the software involved, it’s now possible for someone to write a malicious BIOS and potentially other firmware code. Intel Ivy Bridge-based systems are especially vulnerable, but an attacker with enough determination could use this to build rogue firmware for other devices.
Market concerns. We have to assume now that Intel Ivy Bridge-based systems are more vulnerable than other systems. If I were making purchasing decisions today, I would immediately cancel any orders for Intel Ivy Bridge-based systems and switch them to AMD. Security-conscious customers suddenly have to justify deploying Intel equipment, which was a laughable idea a week ago. This could hurt Intel.
AMI’s viability. This is an even bigger problem for AMI. If knockoff AMI BIOSes appear in countries with lax intellectual property laws in coming months and years, we’ll know why. Legally, AMI’s competitors can’t look at the code, but breaking the law in this case is a calculated risk, and you can’t discount the possibility of a company deciding it’s worth taking a chance. To me, this is the least likely of the possible outcomes, because I want to believe companies don’t go looking for other companies’ trade secrets on unsecured web sites, and on the other hand, I know malware authors look for precisely this kind of thing.